Banks Face New Threat
Banks have been caught off guard by what experts say is the first major mobile banking security threat to hit the United States.
It is a modification of the mobile Trojan called Svpeng, which has been used to steal money from Russian mobile bank accounts, said Dmitry Bestuzhev, head of global research and analysis team, Latin America, at Kaspersky Lab, a Woburn, Mass.-based antivirus software company that discovered the malware.
The malware, which emanates from Russia, has been termed “ransomware,” because the hackers demand a payment in exchange for not destroying the victim’s reputation, claiming there is child pornography and other prohibited content on the cell phone.
“It takes a picture of the victim and then says it will send it with the child pornography findings to all of the victim’s contacts,” Bestuzhev said. “Nobody wants to be a victim of such image reputation damage.”
Cyber criminals are already taking steps to steal online banking credentials from mobile devices, Bestuzhev said.
Previous versions of Svpeng were used to steal money from several banks in Russia, by displaying a fake log-in window in front of the real one, which asked users to input their credentials.
This new malware is deeply integrated and is almost impossible to remove from an infected device, he added. His company found Svpeng through “proactive Internet exploring.”
Better software is needed to protect against malware, said Chris Keegan, a managing director at Beecher Carlson, in New York.
For now, banks rely on warning their customers against social engineering attempts by fraudsters, and usually that means, “Don’t press the button or answer the email.” Banks must warn their customers not to download any applications not found on the iPhone store, Google Play or other verified websites, he said.
Banks Ran Out of Time
Avivah Litan, a Gartner Inc. vice president and analyst in Potomac, Md., said the malware should serve as a wake-up call for many banks, as a fair number of them have not developed security measures for mobile banking that are as robust as those used in online banking.
Ensuring that customers use secured browsers doesn’t apply when they use mobile apps.
Giants like Chase Bank and U.S. Bank and others are developing tougher measures specific to mobile, but the industry as a whole needs to step it up, Litan said.
“They’ve just been slow to put measures in place specific to mobile because there hasn’t been any mobile malware,” she said. “Everybody knew it was coming, but they thought they would have had more time. But now it’s here and they have to think about it now.”
Matt Krogstad, head of mobile banking at Bank of the West in San Francisco, said the bank’s fraud prevention department works with his department to combat mobile malware and other types of mobile banking fraud.
“It’s an ongoing process since the mobile security space is constantly evolving,” Krogstad said.
Bank of the West also tries to protect customers against unofficial third-party services that try to access apps or put themselves between the customer and the apps, after customers download them, he said.
Bank of the West also diligently educates customers about the latest threats, Krogstad said. In cases like Heartbleed, communications to customers were to reassure them that the bank had done its due diligence to ensure that their accounts were safe.
“With other malware like this ransomware, it’s more about reinforcing certain behaviors, such as not downloading apps from unofficial app stores or not clicking on links from people you don’t know,” he said. “Don’t jailbreak your phone or put your banking passwords in your contacts.”
Keeping up with all types of cyber crime continues to challenge the industry. Indeed, computer crime and malicious code ranks No. 5 among the top risks for banks, according to Aon’s 2014 U.S. Industry Report: Financial Institutions.
However, there is a disconnect at most banks that hampers risk mitigation, said Michael O’Connell, managing director, financial institutions practice at Aon Risk Solutions.
The disconnect occurs because one group traditionally is responsible for purchasing insurance, while another group is responsible for assessing exposures, including technology that may pose an operational enterprise risk, said O’Connell.
“We strongly recommend linking the two groups together, to assess ‘what-if scenarios’ and develop mitigation strategies that include insurance,” he said.
Kevin Kalinich, Aon’s global practice leader for cyber/network risk, said that recent court decisions have ruled that if fraudsters are able to steal customer identities or money, it is the bank’s obligation to help their customers, even if the fraud is out of the bank’s control.
“So if a customer gets fooled on their mobile devices, then the bank has the responsibility to monitor usage of their bank accounts,” Kalinich said.
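The monitoring obligation Kalinich describes, and the fraud-prevention work Krogstad mentions, come down to rules run over session activity. The following is an added illustration of one such rule; it is not code from the article or from any bank or vendor named in it. The event feed, device fingerprints, payee history and thresholds are all constructed and hypothetical, as is the assumption that credentials captured by a fake log-in window are usually replayed from a device the customer has never used.

```python
"""Rule-based monitoring of mobile banking sessions (added illustration).

Hypothetical setup: the bank receives a feed of login and transfer events,
each tagged with a customer id and the device fingerprint reported by the
mobile app, and keeps a history of devices and payees each customer has
used before. The rule flags transfers from a never-seen device that either
go to a never-seen payee soon after login or are high value.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass
class Event:
    """One line of the (constructed) session feed."""
    ts: datetime
    customer: str
    device: str            # device fingerprint reported by the mobile app
    kind: str              # "login" or "transfer"
    amount: float = 0.0    # transfers only
    payee: str = ""        # transfers only


# Constructed history: devices and payees each customer has used before today.
KNOWN_DEVICES: Dict[str, Set[str]] = {
    "cust-001": {"dev-A"},
    "cust-002": {"dev-B", "dev-C"},
}
KNOWN_PAYEES: Dict[str, Set[str]] = {
    "cust-001": {"electric-co"},
    "cust-002": {"landlord"},
}

# Hypothetical policy values; a real program would tune these per portfolio.
NEW_DEVICE_WINDOW = timedelta(minutes=30)
HIGH_VALUE = 1000.0


def flag_suspicious_transfers(events: List[Event]) -> List[Dict[str, object]]:
    """Flag transfers consistent with replay of stolen credentials.

    A transfer is flagged when it comes from a device the customer has never
    used before AND either (a) it goes to a never-seen payee within
    NEW_DEVICE_WINDOW of the first login on that device, or (b) it is high
    value regardless of payee. Known-device activity is never flagged, so a
    customer paying a new merchant from their usual phone stays quiet.
    """
    first_login: Dict[Tuple[str, str], datetime] = {}
    alerts: List[Dict[str, object]] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.customer, e.device)
        if e.kind == "login":
            first_login.setdefault(key, e.ts)
            continue
        if e.kind != "transfer":
            continue
        if e.device in KNOWN_DEVICES.get(e.customer, set()):
            continue  # usual device: not this rule's concern
        reasons = []
        login_ts = first_login.get(key)
        soon_after_login = login_ts is not None and e.ts - login_ts <= NEW_DEVICE_WINDOW
        if e.payee not in KNOWN_PAYEES.get(e.customer, set()) and soon_after_login:
            reasons.append("new payee shortly after first login on unknown device")
        if e.amount >= HIGH_VALUE:
            reasons.append("high value from unknown device")
        if reasons:
            alerts.append({"customer": e.customer, "device": e.device,
                           "amount": e.amount, "payee": e.payee,
                           "reasons": reasons, "ts": e.ts.isoformat()})
    return alerts


def _t(hhmm: str) -> datetime:
    """Build a timestamp on a fixed (constructed) date."""
    return datetime.fromisoformat(f"2014-06-10T{hhmm}:00")


# Constructed sample feed: two customers, each with normal activity plus one
# session from a device neither has used before.
SAMPLE_EVENTS: List[Event] = [
    Event(_t("09:00"), "cust-001", "dev-A", "login"),
    Event(_t("09:05"), "cust-001", "dev-A", "transfer", 50.0, "electric-co"),
    Event(_t("09:10"), "cust-001", "dev-Z", "login"),
    Event(_t("09:12"), "cust-001", "dev-Z", "transfer", 900.0, "new-payee-x"),
    Event(_t("09:30"), "cust-001", "dev-A", "transfer", 30.0, "bookshop"),
    Event(_t("10:00"), "cust-002", "dev-C", "login"),
    Event(_t("10:02"), "cust-002", "dev-C", "transfer", 2500.0, "landlord"),
    Event(_t("11:00"), "cust-002", "dev-Q", "login"),
    Event(_t("11:03"), "cust-002", "dev-Q", "transfer", 1500.0, "landlord"),
]


if __name__ == "__main__":
    for alert in flag_suspicious_transfers(SAMPLE_EVENTS):
        print(alert)
```

Run as a script, the sample feed produces two alerts: the 900.00 transfer to a new payee two minutes after the first login on dev-Z, and the 1,500.00 transfer from dev-Q. The 30.00 payment to a new payee from cust-001's usual phone is deliberately not flagged, which is the trade-off such a rule makes between catching credential replay and generating noise for customers who simply add a payee.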
It Happened Here
Disclaimer: The events depicted in this scenario are fictitious. Any similarity to any corporation or person, living or dead, is merely coincidental.
A Promising Prospect
Hal Landis walked into the boardroom at Stratton Bank headquarters in Chesapeake, Va. with a glow building inside of him.
The chairman and CEO of the bank, he carried in his briefcase paperwork that detailed the possible acquisition of Stratton by Manhattan-based Global Corp.
Global Corp., with about $100 billion in assets, liked the look of the mid-sized Stratton, which held about $30 billion in assets.
With its roots as a lender to the conservative farmers and fishermen of the Middle Atlantic, Stratton had a reputation for producing modest, steady returns and never taking unnecessary risks.
“Shall we get started everyone?” Landis said with a confident grin.
At 63, Landis was in good shape physically and financially, and with what Global was offering on a per-share basis, he couldn’t help but fantasize about the sort of retirement he might now be able to afford if this deal went through.
Two hours later, the rest of the board of directors was won over. They voted to accept Global’s offer, conditional on the approval of that corporation’s board of directors.
The Global board meeting to discuss the Stratton acquisition did not go quite as smoothly.
The audit committee had barely completed its report on Stratton’s financials when Augie Desmond, a junior staffer in the bank’s risk management department, spoke up.
“Mr. Bedford,” Desmond began, addressing the bank’s chairman, the formidable Alan Bedford.
Eyebrows were raised. It wasn’t common for junior employees to punctuate Global meetings with unsolicited remarks or questions.
“Nice working with you, kid,” the CFO said to himself.
“Yes, Mr. …” Bedford began.
“Desmond, sir, Augie Desmond, from risk management,” Desmond said.
“Yes, Mr. Desmond?” Bedford said, throwing a questioning look at Desmond’s boss, CRO John Fairmount.
“I have serious concerns about this acquisition, sir,” Desmond said.
“There was a piece in the Journal today on a steam-generating solar plant in Nevada,” Desmond said.
Fairmount shot Desmond a look.
“Sorry John,” Desmond said. “I didn’t have time to tell you.”
“According to a report from Stanford, the heat from the plant is killing wildlife — lots of it — including the state bird,” Desmond said.
“Wha….?” Bedford began.
“The solar company, Daedalus, is based in Virginia,” Desmond said. “Stratton is the primary advisor on the company’s upcoming IPO. Daedalus is applying for a second permit, an even bigger plant with about $30 million in investment. If the politicians get hold of this thing, and they will …”
“What thing?” Bedford said.
“The bluebird thing sir, that’s the state bird. If this second plant application goes south, that solar company is at serious risk and so is Stratton — I don’t like it sir … I don’t like it one bit.”
“Mr. Desmond what is your background?” Bedford asked.
“I have a Master’s Degree in astrophysics from MIT,” Desmond said.
“And how long have you been in the banking industry?” Bedford said.
“Three months sir,” Desmond said.
“I’ll take that under advisement,” Bedford said.
Without much further debate, they followed the recommendation of the audit committee and approved the Stratton acquisition.
The meeting of the Stratton Bank stockholders to vote on the approval of the Global Corp. offer was held in the conference rooms at the Chesapeake Madison Hotel. Before the vote, the floor was opened up for discussion.
As he was at every meeting, Smitty Ackles, a shareholder and crabber from Havre de Grace, was first to the mike.
With his enormous gut protruding from between the bands of his cherry red suspenders, Ackles stood at the mike, smiling with wizened eyes at Hal Landis.
“Good afternoon, Mr. Landis,” Smitty said.
“Good afternoon, Mr. Ackles,” Landis said in what the audience recognized as their standard opening schtick.
There were chuckles throughout the room.
“What I’d like to know, Mr. Landis, is why in the world the shareholders should accept this deal? We have been doin’ alright for 35 years, nobody’s complainin’ about their returns. Why do it?”
“Well, a 20 percent premium on our shares is one reason,” Landis said.
“Not worth it,” countered Ackles. “These boys from New York will bring more trouble than they’re worth, I guarantee you.”
“I’ve known you since you were a boy, Hal Landis, and I’m here to tell you, you’re making a mistake,” Smitty said before ambling away from the mike.
There are more chuckles, but nobody really listens to Smitty. Stratton shareholders approve the deal 2,010 to 15.
Not even a week later, the Nevada Department of Environmental Protection issues a surprise ruling that condemns the second Daedalus plant.
A study from the University of Nevada confirms what the Stanford researchers found. The plant is linked to the deaths of 1,000 Mountain Bluebirds, the state bird. Deaths of other birds number in multiples of that.
Geddy Hayes, an influential Nevada State Senator from Sparks, picked up the football and ran with it. Hayes, a gifted speaker, worked his magic from the Senate floor and killed any remaining chance the second Daedalus plant had.
The application for the plant, which the solar company spent millions on, went under.
Hayes wasn’t done with Daedalus. He pressured state regulators into burdening the existing plant with new regulations — to the point that it began to lose money.
On a Monday afternoon, Hal Landis sat in his office with CFO Dylan Reed, watching a cable news financial report.
The Daedalus IPO launched the previous week and did fairly well, with the share price rising 17 percent by week’s end. The following week was a different story.
Losses suffered by the Daedalus plant are being reported, along with the losses from the failed application for the second plant.
One week after the IPO launch, Daedalus shares are down 30 percent and are in freefall.
“How bad do you think this is for us?” Landis asked Reed.
“I don’t know, I’ve never been in this position before,” Reed said.
“None of us have,” Landis said.
Within two days, Stratton is set upon in a class action by attorneys for disgruntled Daedalus shareholders, who report millions in investment losses.
The acquisition of Stratton by Global is set to close in the third quarter. In its second quarter financials, Stratton reports a multimillion dollar write down in connection with the Daedalus fiasco.
Weakened by the reputational hit of the Daedalus shareholder class actions, Stratton also begins to notice some alarming revenue declines.
This time, at the Global board meeting where the decision to follow through on the Stratton acquisition will be made, it’s Augie Desmond’s boss, John Fairmount, who speaks first for the risk management department.
“Mr. Bedford, it’s our opinion that we should absorb any frictional costs and abandon this acquisition,” Fairmount said.
“Based on what data?” asked Global’s CFO, Daniel Silberstein, who championed the acquisition from day one.
Fairmount turned to Desmond.
“We’ve run an algorithm that ties share price to reputational damage. Call it a reputational risk index, if you will,” Desmond said.
“Based on what we’re seeing with Stratton, we see share price deterioration tied to reputational problems plaguing the bank for at least the next six quarters,” Desmond said.
Bedford shot Fairmount a look that said, “Again with this kid?”
Bedford and Silberstein aren’t swayed. They like Stratton’s basic book of business a lot. The bank hasn’t had a quarter in 20 years when it didn’t return a dividend.
Global’s board votes 13 to 4 to go ahead with the acquisition.
In the first six months following the acquisition year, Stratton shows a revenue decline of 20 percent over the previous year.
The solar deal in Nevada that went sour is poisoning the bank’s brand with its largely conservative retail banking customers.
A sizable chunk of Global shareholders are fed up. Rather than start an internecine war with their own management, they take action against Stratton.
The allegations are that Stratton failed to disclose the risk of the Daedalus exposure to the Global board and bungled the crisis management of the failed IPO.
Two years ago, if you’d asked Hal Landis who his insurance broker was, he couldn’t have told you. Now he knows him very well.
“You have $10 million in general liability coverage,” the broker explained to Landis over the phone.
“Right,” Landis said.
“Between the Daedalus IPO shareholder actions and the Global shareholder actions, you’re looking at $15 million in potential liability,” the broker said.
“Do you see any indications that your own shareholders could take action against the board?” he asked.
“Not to date,” Landis said.
“You have that much in your favor,” he said. “For the time being.”
“Well, we can self-insure the $5 million on top of the policy if we have to,” Landis said.
“Sure,” the broker said. “But I can’t think of an admitted carrier who will even talk to us next year.”
“What’s an admitted carrier?” Landis said.
“It’s a carrier who’s not going to charge you your right arm in premium,” said the broker.
No longer fantasizing about a rosy retirement, Landis wonders how long he’ll have a job.
Risk & Insurance partnered with Aon to produce this scenario. Below are Aon’s recommendations on how to prevent the losses presented in the scenario. These lessons learned are not the editorial opinion of Risk & Insurance.
1. Risk management requires an open mind: Ignoring stakeholders that voice legitimate concerns carries a double-edged risk. The first risk is the magnitude of the exposure brought up by a colleague or shareholder that’s being overlooked. The second is the fact that an issue was raised publicly, thereby documenting a concern that went unheeded by management.
2. Risk by association: Operational risk is such a pressing risk for financial institutions in part because of the number and variety of business partners and clients they take on as part of their basic operation. An inadequate knowledge of the technology, practices and risk exposures of any given business partner can result in reputational and other damages should that business partner fail or incur a sizable liability.
3. Transparency: Companies that fail to properly assess their risk and report it to business partners face increasingly painful regulatory sanctions. A blunt assessment of an organization’s exposures is the first step in that process. Being forthright in communicating risk factors is the second.
4. Analyze cover: Regulatory pressures and a rapidly changing business environment necessitate that financial institutions assess their insurance coverage more frequently than ever before.
5. Risk management is a process, not a program: There is nothing static about risk management. New processes, products and distribution channels in the financial services industry mean that the nature of operational risk is changing constantly. Risk management needs to keep pace with that change or risk losing relevance and value.
5 & 5: Rewards and Risks of Cloud Computing
Cloud computing lowers costs, increases capacity and provides security that companies would be hard-pressed to deliver on their own. Utilizing the cloud allows companies to “rent” hardware and software as a service and store data on a series of servers with unlimited availability and space. But the risks loom large, such as unforgiving contracts, hidden fees and sophisticated criminal attacks.
ACE’s recently published whitepaper, “Cloud Computing: Is Your Company Weighing Both Benefits and Risks?”, focuses on educating risk managers about the risks and rewards of this ever-evolving technology. Key issues raised in the paper include:
5 benefits of cloud computing
1. Lower infrastructure costs
The days of investing in standalone servers are over. For far less investment, a company can store data in the cloud with much greater capacity. Cloud technology reduces or eliminates management costs associated with IT personnel, data storage and real estate. Cloud providers can also absorb the expenses of software upgrades, hardware upgrades and the replacement of obsolete network and security devices.
2. Capacity when you need it … not when you don’t
Cloud computing enables businesses to ramp up their capacity during peak times, then ramp back down during the year, rather than wastefully buying capacity they don’t need. Take the retail sector, for example. During the holiday season, online traffic increases substantially as consumers shop for gifts. Now, companies in the retail sector can pay for the capacity they need only when they need it.
3. Security and speed increase
Cloud providers invest big dollars in securing data with the latest technology — striving for cutting-edge speed and security. In fact, they provide redundancy: data that’s replicated and encrypted so it can be delivered quickly and securely. Companies that utilize the cloud would find it difficult to get such results on their own.
4. Anything, anytime, anywhere
With cloud technology, companies can access data from anywhere, at any time. Take Dropbox for example. Its popularity has grown because people want to share large files that exceed the capacity of their email inboxes. Now it’s expanded the way we share data. As time goes on, other cloud companies will surely be looking to improve upon that technology.
5. Regulatory compliance comes more easily
The data security and technology that regulators require typically come standard from cloud providers. They routinely test their networks and systems. They provide data backups and power redundancy. Some even overtly assist customers with regulatory compliance such as the Health Insurance Portability and Accountability Act (HIPAA) or Payment Card Industry Data Security Standard (PCI DSS).
5 risks of cloud computing
1. Cloud contracts are unforgiving
Typically, risk managers and legal departments create contracts that mitigate losses caused by service providers. But cloud providers decline such stringent contracts, saying they hinder their ability to keep prices down. Instead, cloud contracts don’t include traditional indemnification or limitations of liability, particularly pertaining to privacy and data security. If a cloud provider suffers a data breach of customer information or sustains a network outage, risk managers are less likely to have the same contractual protection they are accustomed to seeing from traditional service providers.
2. Control is lost
In the cloud, companies are often forced to give up control of data and network availability. This can make staying compliant with regulations a challenge. For example, cloud providers use data warehouses located in multiple jurisdictions, often transferring data across servers globally. While a company would be compliant in one location, it could be non-compliant when that data is transferred to a different location — and worst of all, the company may have no idea that it even happened.
3. High-level security threats loom
Higher levels of security attract sophisticated hackers. While a data thief may not be interested in your company’s information by itself, a large collection of data is a prime target. Advanced Persistent Threat (APT) attacks by highly skilled criminals continue to increase — putting your data at increased risk.
4. Hidden costs can hurt
Nobody can dispute the up-front cost savings provided by the cloud. But moving from one cloud to another can be expensive. Plus, one cloud is often not enough because of congestion and outages. More cloud providers means more cost. Also, regulatory compliance again becomes a challenge since you can never outsource the risk to a third party. That leaves the burden of conducting vendor due diligence in a company’s hands.
5. Data security is actually your responsibility
Yes, security in the cloud is often more sophisticated than what a company can provide on its own. However, many organizations fail to realize that it’s their responsibility to secure their data before sending it to the cloud. In fact, cloud providers often won’t ensure the security of the data in their clouds and, legally, most jurisdictions hold the data owner accountable for security.
Risk managers can’t just take cloud computing at face value. Yes, it’s a great alternative for cost, speed and security, but hidden fees and unexpected threats can make utilization much riskier than anticipated.
Managing the risks requires a deeper understanding of the technology, careful due diligence and constant vigilance — and ACE can help guide an organization through the process.
To learn more about how to manage cloud risks, read the ACE whitepaper: Cloud Computing: Is Your Company Weighing Both Benefits and Risks?