It's likely that the mainstream news media talking heads were the only people who were shocked by the news that at least five US banks -- including JPMorgan Chase, the only institution identified so far -- have been cyberattacked in the past month, apparently by Russian hackers. Financial services industry professionals and industry observers are well aware that banks are ongoing targets for fraud and cybercrime. As JPMorgan Chase spokesperson Patricia Wexler told The New York Times: "Companies of our size unfortunately experience cyberattacks nearly every day. We have multiple layers of defense to counteract any threats and constantly monitor fraud levels."
Right now, it's not clear (well, at least the public statements say it's not clear) whether the motive behind the attacks is theft, disruption, or both, and the FBI reportedly is investigating these options. There's speculation that the Russian government could be sponsoring the attacks in retaliation for US sanctions imposed in response to the crisis in the Ukraine. According to a report from Bloomberg, which broke the news of the attacks:
- The sophistication of the attack and technical indicators extracted from the banks' computers provide some evidence of a government link. Still, the trail is muddy enough that investigators are considering the possibility that it's cyber criminals from Russia or elsewhere in Eastern Europe. Other federal agencies, including the National Security Agency, are now aiding the investigation, a third person familiar with the probe said.
The scope of the attacks is big enough that they are getting widespread coverage, but it remains to be seen if these are the "big ones" that the financial services industry knows are inevitable. Unlike account theft such as the Target card breach, where it appears that company procedures and protections may not have been as aggressive as they should have been, these kinds of cyberattacks probably have little to do with exploiting suspected weaknesses in bank security. As Wexler said, the banking industry constantly must deal with these kinds of threats, takes them extremely seriously, and has made huge investments in systems, infrastructure, training, and process to fend off these assaults.
However, these latest attacks are likely to fuel more calls and efforts for regulation that requires banks to provide (theoretically) stronger security and improved privacy protections. This has been a topic of discussion on Bank Systems & Technology message boards recently, even before the revelation of this latest round of attacks. As Brian Maccaba, CEO of the application security firm Waratek, observed in a comment on Wednesday:
- Regulation of security for financial institutions is reminiscent of the debate on risk management and capital adequacy over the past decade. Lengthy debates ultimately gave way to a mix of increased regulation for all, together with significantly more sophisticated methodologies being adopted by the leading international players.
The collapse of Lehman and financial meltdown in 2008 has led to significantly increased and more specific regulatory requirements. A serious cyber security breach at a major financial institution would probably have a similar effect.
[Waratek's Maccaba on why application security means more than just ensuring that developers are writing secure code.]
No doubt there will be an orgy of finger pointing (sorry for the mixed metaphors), at least among politicians and some in the news media, regarding who's to blame for these attacks, what the response should be, and what can be done to prevent assaults. How do you think this will play out?
Are you prepared for a cyberattack? Find out what you must do at the Interop New York session Acknowledge the Inevitable: How to Prepare For, Respond To, and Recover From a Security Incident on Tuesday, Sept. 30.
Katherine Burger is Editorial Director of Bank Systems & Technology and Insurance & Technology, members of UBM TechWeb's InformationWeek Financial Services. She assumed leadership of Bank Systems & Technology in 2003 and of Insurance & Technology in 1991. In addition to ... View Full Bio