Everyone has been in a movie theatre when one of the actors approaches that door to the basement from behind which strange noises are coming. They reach out to turn the knob and in unison the audience is thinking, “Fool, haven’t you ever been to the movies? Don’t you know that the zombies or ghouls or some other equally disgusting creature are waiting for you behind that door? Don’t do it!” They of course open the door, blissfully unaware of the grisly fate waiting for them.
I get the same sort of feeling when I read about cybersecurity lapses at banks. Think about the following:
“Someone dropped a thumb drive, I think I’ll just plug it into my computer at work and see what is on it. Surely nothing bad will happen. If nothing else, I’ll give it to one of my kids, they can use it on the home computer.”
“My good friend, the one who sends me those emails asking me to pass them along to three of my closest friends, just sent me an email with an adorable cat video. I just love cat videos, I’ll open it on my computer at work and see what is on it. Surely nothing bad will happen. Doesn’t the FBI monitor the internet keeping us safe from bad people?”
“Someone from a small European country that I have never heard of has sent me an email telling me that I might be the recipient of an inheritance. I always knew I was destined for better things in life, I’ll just click on the attachment and follow the instructions. Surely nothing bad will happen.”
“My good customer Bob just sent me an email telling me that he is stuck in jail in South America. He needs me to wire money to post his bail. I didn’t know that Bob was traveling, I am pretty sure I just saw him in the bank a couple of days ago. I probably won’t try and call his house or wife or his cell phone to double check, I’m sure his email is legitimate.”
If you were in the movie theatre you’d be yelling out “Don’t do it!” If this were a movie you would see the green glowing blob patiently waiting to silently flow into the office computer. The blob just sits there though, waiting for the bank officer to hit the keystroke that opens the file. Now we see it watching as the person sits down at the computer and logs in, types in a password and initiates a wire transfer. The blob silently memorizes both the login ID and the password. Weeks can go by as the suspense builds. The ominous music begins to swell in the background; we know that something is going to happen when, as fast as lightning, the blob springs to life, initiating wire transfers for tens of millions of dollars.
This is exactly what occurred in February of 2016 in Bangladesh. Criminals were able to place the blob, in the form of malware, onto the computers of the central bank of Bangladesh. Reports indicate that part of the malware included a keylogger which was used to memorize passwords and other login credentials to the system created by the Society for Worldwide Interbank Financial Telecommunication (“Swift”) used by banks to initiate funds transfers. In the end, $81 million was wired through the bank’s accounts at the NY Federal Reserve, apparently to a casino in the Philippines where it was converted into untraceable gambling chips.
It is not clear yet exactly how the criminals inserted the malware into the central bank’s computers, but the situation underscores what we have been telling clients about cybersecurity. You are only as strong as your weakest link, and the weakest link is usually someone who clicks on an attachment or picks up the thumb drive found on the floor. It is human nature to be curious, and it takes constant training and reminders to keep personnel aware of appropriate responses. Financial institutions are constantly hiring new employees, and each of them brings their own personal history of computer hygiene with them. Each of them must be taught immediately about the importance of not opening suspicious emails or attachments. Spam and malware filters hopefully block most of the incoming criminally engineered emails, but the criminals are resourceful and continue to innovate.
As we have noted previously, federal banking regulators have higher expectations concerning preparedness for cyberattacks. The Cybersecurity Assessment Tool released in 2015 by the FFIEC provides specific standards by which an institution can be judged when undergoing regulatory examinations.
At Bryan Cave, our Data Privacy and Security Team can assist you by conducting a data risk assessment, including reviewing your cyberattack insurance coverage. That analysis, coupled with our Banking Group’s ability to navigate the bank regulatory gauntlet, will better prepare you for upcoming IT and cyberattack exams.
No matter how good a company’s security is, data security events are unavoidable. When a security breach does occur, preventing liability often means analyzing facts, identifying legal obligations, and taking steps to prevent or mitigate harm within the first minutes and hours of becoming aware of a breach. That’s why an attorney from our Data Privacy and Security Team is on-call for clients whenever and wherever a breach occurs: 24 hours a day, 7 days a week.