The BBA announcement comes on the heels of recent infiltrations into major retailers like Target and large financial institutions - all of which have resulted in massive financial costs for companies and their customers. A number of these large-scale infiltrations have been confidently assumed to be the work of Russian and Ukrainian hackers who are incentivized to target large Western entities by an increasingly hostile Russian government. Recent cyber-assaults on U.S.-based financial institutions, in particular, demonstrate the exceedingly sophisticated nature of these attacks, which in conjunction with technical indicators extracted from the banks’ computers, has helped to implicate the involvement of some foreign government in data theft. One specific incident of recent cyber-infiltration involved the exploitation of a software flaw colloquially referred to as “zero-day vulnerability,” because it involves manipulating a previously unknown vulnerability in a computer application in such a short time frame that programmers have zero days to forge a patch to fix the flaw. The hackers were then able to careen through the institution’s elaborate security measures and managed to steal vast troves of sensitive user data.
Though no technical details were released in the announcement of FCAS, it is understood that the system will dispatch alerts concerning money laundering, cyber-crime, fraud, emerging trends, and even terrorist financing. FCAS will also build on an existing partnership that BBA shares with the National Crime Agency, which Anthony Browne claims has prevented at least £100 million through information sharing. FCAS is also not the only cyber-security initiative announced this year, as the Bank of England unveiled a program called CBEST, which serves as a bank-wide security audit by replicating known cyber-attacks on the bank’s own defenses, but it lacks the real-time warning system. On an even more grand scale, the European Police Office signed a Memorandum of Understanding with the European Banking Federation – which represents 4,500 financial institutions on the continent – with the intent of vastly expanding cooperation between law enforcement and the financial sector.
The ultimate goal of all these initiatives is to encourage people to invest in European banking institutions by allaying fears of economic havoc that could result from cyber-crime. As tensions with Russia continue to worsen, it would be wise for U.S.-based financial institutions and law enforcement agencies to increase levels of cooperation, not just in the aftermath of an attack, but in order to prevent them from happening altogether. Otherwise, investors may feel that European cyber-security measures make for such an overwhelming advantage that the U.S. financial sector – which makes up 7.9% of the overall economy – may suffer dramatically. In order to preemptively counteract capital flight to Europe, J.P. Morgan CEO Jamie Dimon announced in an annual shareholder’s letter that the bank would boost annual spending on cybersecurity by 25-percent to approximately $250 million by the end of this year. However, there is little that a solitary private institution can do in the face of a coordinated assault by a major state power like the Russian government.
To this end, the Securities Industry and Financial Markets Association (SIFMA) hired ex-NSA director Gen. Keith Alexander to facilitate the formation of a joint law enforcement and private sector “cyber war council” of sorts. Former U.S. Secretary of Homeland Security Michael Chertoff, and his consulting firm the Chertoff Group, were subsequently acquired by Gen. Alexander to assist in the recruitment of at least eight U.S. agencies including the Treasury Department, the National Security Agency, and the Department of Homeland Security. Additionally, Senators Diane Feinstein (D-CA) and Saxby Chambliss (R-GA) successfully sponsored a piece of bipartisan legislation – called the Cybersecurity Information Sharing Act – approved by the Senate Intelligence Committee, which will insulate financial institutions from liabilities incurred through sharing cybersecurity information.
Camden Fine, president of the Independent Community Bankers of America, voiced serious questions as to whether the FDIC can absorb the momentous costs of increasingly disastrous cyber-attacks in an email to Bloomberg News, and added “It is like watching a train wreck in the making and there is nothing you can do to stop it.” Mr. Fine’s concerns are not without merit as the largest U.S. institutional banks hold a combined $4.9 trillion in assets, but are exposed to an approximate total of $210.2 trillion in derivatives, which is a number 14 times the size of the U.S. annual GDP. The calamitous consequences of a cyber-attack, which sets off that much damage in the way of systemic risk, are horrifyingly unfathomable, especially considering the heavily integrated global economy we enjoy. Never before has the need for cooperation between law enforcement and the private sector been more vital, as cyber-attacks become an ever more relevant existential threat to the world’s economic stability.
For more information please contact MSA Investigations.
Daniel Gorry is the author of this blog post.