by Douglas Brent
As the banking industry labors to increase security against a surge of technologically advanced attackers, banks must manage two related challenges. First, in the face of constant media exposure about “hacking,” banks must maintain customer confidence in the relative safety of online banking, while offering commercially reasonable security options. At the same time, banks must consider how legal standards for reasonable security measures evolve with new risks, as we have seen when customers turned to the courts after their accounts were looted by invisible criminals.
Online Banking Targeted
Already in 2015, federal law enforcement agencies have alerted banks to increasingly sophisticated hacking tools aimed at financial institutions. This month, the Department of Homeland Security warned of the Komodia Redirector with SSL Digestor, software that makes affected systems “broadly vulnerable to HTTPS spoofing.” The component installs its own root certificate on the machine and does not properly validate the certificates of the sites it intercepts, so, as DHS warns, an attacker can “spoof HTTPS sites and intercept HTTPS traffic without triggering browser certificate warnings in affected systems.” On such a machine the browser’s padlock no longer guarantees that the customer is actually talking to the bank, which undermines confidence in secure access to online banking.
Other threats may lurk on the customer’s equipment. The FBI recently warned of a banking Trojan that monitors customer online banking sessions and steals credentials for account takeovers as well as fraudulent ACH and wire transfers.
Equipment and security measures at the banks are under attack too. Just weeks ago federal law enforcement agencies reached out to the banking community for information related to the sophisticated hacking tools employed by the Anunak/Carbanak cybergang to steal up to a billion dollars from various financial institutions around the world.
But even less advanced attackers may succeed when a bank has left open an entry point that could have been secured. On March 16 The New York Times discussed a 2014 breach of one of the largest banks in America, in which the attackers entered through a network server that had not been protected with an “industry standard” authentication tool (two-factor authentication). According to the paper, the criminal investigation “is advancing quickly partly because the attack was not nearly as sophisticated as initially believed.”
“Commercially Reasonable” Measures Reduce Exposure
After a criminal takeover of a customer’s account results in losses, banks often find they must defend themselves in court. Given the growing threat, banks should understand the factors courts weigh when allocating the risk of loss after a customer’s account has been looted by criminals.
Several federal courts have considered the uniform statutes and regulatory guidance on what is reasonable cybersecurity for business and consumer banking.
In 2014 the Eighth Circuit Court of Appeals, in Choice Escrow & Land Title, LLC v. BancorpSouth Bank, explained that Article 4A of the Uniform Commercial Code permits a bank to protect itself from liability “by implementing commercially reasonable security procedures.” In that account takeover, $440,000 was stolen from a business customer through a fraudulent wire transfer; the court held that, to be enforceable against a customer, a security procedure must be “established by agreement” between the bank and the customer.
There, the bank had offered the customer four security measures that the court found commercially reasonable. What is the standard for reasonableness? The court found its “primary authority” in FFIEC security guidance. FFIEC, the Federal Financial Institutions Examination Council, is the interagency body empowered to prescribe uniform principles and standards for the federal examination of financial institutions.
Because the customer was an “informed customer” that had refused a security procedure the bank offered and the court found commercially reasonable, the risk of loss shifted to the customer. That refusal rule is the exception to the “established by agreement” requirement. The outcome contrasts with other cases in which a bank’s failure to offer a full set of security measures allowed the customer’s claim to proceed.
As Threats Evolve, Legal Standards May Change Too
The Eighth Circuit opinion foreshadowed the recent FBI warnings when it said, “Of course, cyber-crime evolves rapidly, and guidance . . . may become obsolete in subsequent years.” The FFIEC Guidance advises banks to “[a]djust, as appropriate, their information security program[s] in light of any relevant changes in technology, the sensitivity of customer information, and internal or external threats to information.”
Indeed, late last year FFIEC recommended that financial institutions of all sizes deepen their understanding of cybersecurity risk by participating in information-sharing forums, including the Financial Services Information Sharing and Analysis Center (FS-ISAC). More recently, the council published a new appendix to its Business Continuity Planning Booklet that places greater responsibility on institutions and their boards of directors for managing the cyber resilience of their organizations.
Stoll Keenon Ogden’s banking practice also can help by reviewing your current processes and customer communications to ensure that your bank is protecting itself against the threat of customer litigation as a result of criminal cyber theft. We monitor the litigation, legislation and regulatory activity that will matter when your bank is attacked. Our Privacy and Information Security team stays current with changing regulations and guidance that can make the difference in your business practices and, if necessary, in court.