The big banks are seeing an increase in cyberthreats, and these attacks are only becoming more sophisticated.
Hackers are capable of stealing vast amounts of cash and notably siphoned $81 million from Bangladesh Bank in 2016 through SWIFT, a global network that thousands of institutions around the world use to communicate and move money. The bank ended up blaming the Federal Reserve Bank of New York for allowing the money transfers to go through.
The prospect of a cyberattack is keeping bank CEOs, like JPMorgan Chase’s Jamie Dimon, up at night.
Dimon recently spoke to Marketplace host Kai Ryssdal about being the last CEO standing from the 2007-08 financial crisis and the challenges our financial system might have to face the next time around.
“We saved a lot of companies in this crisis and a lot of things are to help facilitate orderly markets, etc. But you should always be asking that question: Where's the next problem coming from? It will be different from the last problem,” Dimon said. “There are always issues away from banks that can cause banks’ problems. Think of cyberattacks and other institutions, clearinghouses.”
He continued later in the interview: “We are not prepared for cyber, and it's already a cyberwar. Companies like JPMorgan and hundreds of thousands of others are attacked every day by state actors, criminals, and we don't have the authority in place to have the proper response and protection.”
Dimon isn’t the only one who's been expressing worries lately.
A new report from the financial services firm The Depository Trust & Clearing Corp. looks at how the next financial crisis will be different, and says cyberthreats pose a much bigger risk than they did a decade ago.
“The most alarming evolution over the past 10 years is the shift from cyber thefts and other cyber crimes motivated by monetary gains to the use of cyberattacks as a geopolitical weapon, developed by state-sponsored actors and specifically targeted to compromise vital infrastructure components,” according to the report.
The good news is that if institutions had to face a large-scale cyberattack, there are some defenses that the financial industry has in place, said Tyler Moore, an associate professor of computer science at the University of Tulsa. They cooperate, for example, through the Financial Services Information Sharing and Analysis Center, which disseminates alerts about cyberthreats to its members.
“But the bad news is that the financial services sector remains the most valuable target for criminals, because that’s where the money is,” Moore said.
So what does a serious cyberattack in the financial sector look like?
William Carter, deputy director of the technology policy program at the Center for Strategic and International Studies, said there are so many different scenarios that it’s “hard to even comprehend,” so he placed them in buckets.
One of those buckets: an attack on the “interlinkages” between banks, meaning payment systems and processors like the SWIFT system.
“All modern banking is built on trust,” Carter said. “Trust that the payment orders and the verifications and the prices that you’re being quoted by systems from all the other financial systems you do business with are accurate.”
Another form of cybercrime would be an attack on the “integrity of data.” Carter said that could be an attack that manipulates the listed prices of stocks on an exchange.
Moore, of the University of Tulsa, and David Opderbeck, a law professor at Seton Hall University, also said that cybercrimes might involve distributed denial of service attacks, which typically flood online systems, like an internet banking system, with massive amounts of data in order to overload them and take them offline.
Who is most likely to carry out a cyberattack? Opderbeck said the usual suspects include rogue, low-level criminals. Threats might also come from organized crime groups from countries like Russia or rogue states like North Korea.
If — and that’s *if*— there were a truly systemic cyberattack, investments you have in the market might decline, or it could be hard to make basic financial transactions, like, say, paying with a credit card, Carter said.
But these experts stressed that while cyberattacks to our financial institutions can be disruptive, people shouldn’t worry about a financial crisis or the end of our financial system as we know it.
“There is significant risk to a successful cyberattack disrupting the interbank system, disrupting other kinds of payment networks, which could cause a real significant hit to our economy. But I’m not prepared to say that it would necessarily lead to a broader spillover effect into the financial sector,” Moore said.
Carter added that cybercriminals actually have financial incentives not to carry out a systemic attack.
“We shouldn’t all be sitting, looking over our shoulders, waiting for a cybercrisis in the banking sector,” he said. “The actors that you’re really worried about are mostly nation-states, and if they blow up the U.S. banking sector, their banking sector is going down with it. And so what exactly were they trying to accomplish?”