If John Dillinger were alive today, he might use a computer instead of a Tommy gun.
Dillinger, the infamous Depression-era bank robber, used force at a time when a bank”™s vault could only be emptied by physical means. A modern bank robber could potentially empty the vault sitting on his couch with a laptop ”“ a possibility that law enforcement agencies and banks in Westchester and Fairfield counties are working diligently to prevent.
In May, the New York Department of Financial Services, the regulatory agency that oversees banks, released a 12-page report on cybersecurity. The report, which covered the results of a survey of 154 financial institutions, probed preparedness measures, information security framework, the frequency nature, cost of and response to cybersecurity breaches, and the institutions”™ future plans on cybersecurity.
“Hackers spend day and night trying to think up new ways to steal consumers”™ personal information and disrupt our nation”™s financial markets, and it”™s more important than ever that we rise to meet that challenge,” said Benjamin Lawsky, superintendent of the Department of Financial Services, in a press release that accompanied the report”™s release.
“Banks everywhere have experienced cyberattacks, and Connecticut is no exception,” said Bruce Adams, general counsel at the Connecticut Department of Banking.
Cyberattackers had tried to hit nearly every bank, regardless of size, surveyed for the New York state report. Notably, the report stated that although institutions reported numerous attempted systems intrusions over the prior 12 months, very few institutions experienced successful breaches resulting in significant monetary damages.
“Everybody worries about cybersecurity,” said John Tolomer, CEO of The Westchester Bank. “We have spent quite a lot of money to protect our resources and finances. We can”™t go into a lot of detail about what we do behind the scenes. It”™s something that big and small banks alike are facing, and we”™re always looking to protect our information and customers.”
According to the New York report, more than 90 percent of large institutions with more than $10 billion in assets and nearly 80 percent of medium-sized institutions with assets between $1 billion and $10 billion had documented plans for keeping information secure. Information security plans were mostly made by the individual banks”™ information technology departments, in consultation with executives.
“We”™ve been telling our regulated community, which includes credit unions and banks, that they need to be focusing on cybersecurity issues,” said Adams in Connecticut. He said the department is always checking to see how securely banks keep their information. “It”™s a priority of our department to invest to beef up our exam capabilities.”
Often, however, banks and regulators are playing catch-up.
“The consumer of financial services is just often savvy enough to spot some scams,” said Adams. “Cyberattacks take on so many different forms. The scam artist is usually the first into the new space. We”™re focusing a lot of our resources to get up on the curve.”
Malicious software installations and phishing, where attackers create false emails and websites designed to look like those of the actual bank in an attempt to trick users into giving their login information, were among the most common attempted attacks noted in the New York report. Account takeovers, identity theft, telecommunication network disruptions and data integrity breaches were the most common criminal acts by cyberattackers who gained access to banks”™ networks.
When there is a loss, it can often be more costly than just the amount of money taken in the cyberattack. While reimbursements to affected customers constitute a large part of the cost to banks that fall victim to cyberattacks, auditing and software upgrades in the wake of the attack often push costs up. Attacks also add intangible costs such as loss of business and damage to the bank”™s brand, reputation and good will.
New York Attorney General Eric Schneiderman this month released a report examining the history of data security breaches across multiple industries in the state. According to a press release, those breaches cost New York”™s public and private sectors more than $1.37 billion in 2013.
The attorney general”™s report also found that hacking intrusions ”“ in which third parties gain unauthorized access to data stored on a computer system ”“ were the leading cause of data security breaches, accounting for roughly 40 percent of all breaches.
Adams said the importance of data security for Connecticut banks cannot be overstated. “It”™s just like the vault, the personnel and security records,” he said in a phone interview from his Hartford office. “It is something that is important for bank boards to pay attention to.”
