Too small to care? No bank is too small for cyber-attacks
Posted on 08/28/2014 at 10:14 AM by John Lande
This blog has continually covered how recent high-profile data breaches at Target and other major internet sites have highlighted security risks in the internet era. Adding to the list of cyber-attacks, the New York Times and Bloomberg reported recently that JPMorgan and other banks had gigabytes of data accessed by hackers. The ongoing breaches are a significant concern for customers, and as more occur they will likely have an impact on the financial services industry. However, it is a mistake to view these attacks as isolated to mega-banks and retailers.
Banks like JPMorgan are enticing national targets for organizations with government links. For example, Bloomberg reported that the FBI is investigating whether the JPMorgan hackers have ties to the Russian government. However, not all cyber-attacks come from state-sponsored organizations. There are large numbers of small hacker groups in Eastern Europe and East Asia. Eastern European groups in particular focus on profits and are looking for data that can lead to a quick return. For example, a May 2014 New York Department of Financial Services Report found that 16% of small institutions (banks with assets under $1 billion) were the victims of phishing attacks (where hackers send emails requesting information) as compared to 22% of medium institutions and 33% of large institutions. Similarly, 13% of small institutions were the victims of malware (malicious software) attacks as compared to 21% of medium institutions and 35% of large institutions.
Recent cases support the conclusion that community banks are not immune to cyber-attacks. For example, in May 2012 Tennessee-based TriSummit Bank, a $250 million bank, was the victim of a sophisticated cyber-attack that siphoned $327,804 from Tennessee Electric Company, Inc. TriSummit was only able to claw back $135,000, leaving Tennessee Electric with a $192,656 loss. Tennessee Electric then sued TriSummit. Tennessee Electric claimed that TriSummit's security was commercially unreasonable, among other claims.
Cases like TriSummit and recent data breach stories highlight the importance of paying attention to security risks at your bank. As this blog has previously explained, Iowa law requires that banks and corporate customers share responsibility for the security of corporate funds. Banks and their boards of directors should not be complacent and assume that they are too small for hackers to bother with. The internet connects people from thousands of miles apart, and it doesn't matter to hackers whether $500,000 comes from a $50 billion bank or a $50 million bank.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.
- John Lande
Categories: Cybersecurity Law, John Lande, Banking Law
The material, whether written or oral (including videos), that is posted on the various blogs of Dickinson Bradshaw is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog postings are those of the individual author; they may not reflect the opinions of the firm. Your use of the Dickinson Bradshaw blog postings does NOT create an attorney-client relationship between you and Dickinson, Bradshaw, Fowler & Hagen, P.C. or any of its attorneys. If specific legal information is needed, please retain and consult with an attorney of your own selection.