Sarah Wheeler discusses the sad case of a Brazilian bank that suffered what might be every bank's worst nightmare: "a comprehensive takeover" in which hackers "changed the DNS [Domain Name System] registrations of all 36 of the bank’s online properties, commandeering the bank’s desktop and mobile website domains to take users to phishing sites." To put a cherry on top, the takeover "was undetectable by users."
The hijack lasted at least five hours, which let the criminals not just steal banking logins but also install a Trojan horse that harvested email and FTP credentials as well as contact lists from Outlook and Exchange.
[I]t’s possible that the attackers could have harvested hundreds of thousands or millions of customers’ account details not only from their phishing scheme and malware but also from redirecting ATM and point-of-sale transactions to infrastructure they controlled.
Upon learning of the length, breadth, and depth of the attack, I'm sure senior bank executives at the unnamed Brazilian bank ordered a case of Pepto-Bismol and buffed up their resumes.
The attack exploited vulnerabilities not in the bank's own technology but in that of the third-party vendors "who ran the DNS system." That is the security lesson here: once an attacker controls a domain's DNS registration, customers are steered to the attacker's servers before any connection ever reaches the bank, so the bank's own defenses never see the traffic.
This blip on the blogging radar screen has yapped for years about the need for banks not only to treat their agreements with third-party technology service vendors seriously, but to bargain hard during contract negotiations to make the vendors step up to the plate and accept as much contractual liability as can be squeezed out of them for those instances in which the bank and/or its customers suffer loss because of the vendors' acts or omissions. Lying supine during contract negotiations while vendors do wheelies over your prostrate carcass can come back to bite you in the nether regions after the agreement is inked. When bad things actually happen is a poor time to discover whether the liability and damages caps, limits and exclusions in an agreement adequately protect the bank and its customers from harm. It's during the courtship phase that the object of affection's leverage is greatest, not after the vendor has had its way with you.
Wheeler mentions OCC Bulletin 2013-29, 2012 CFPB guidance (and more recent CFPB enforcement actions), and New York State's 2017 cyber security regulations as examples of regulators' recent concern about the vulnerability of financial institutions to bad actors acting through the institutions' vendors. However, that concern is not new. Bulletin 2013-29, for example, is a reworking of a 2001 OCC Bulletin (2001-47), and the federal bank regulators have been concerned for two decades and more about the risks posed by banks' technology vendors. It doesn't take rocket science to address those risks. Still, so many financial institutions fail to limbo under the high bar.
As late as 2015, one out of three banks didn't even require vendors to report that they had experienced a data breach. That's a far cry from the requirements that NYDFS laid out, which are certain to be adopted by other regulatory bodies as well.
It's also a far cry from the federal banking agencies' guidance, which required notice of data breaches long before such a requirement was even a gleam in New York's eye.
There's been a lot of talk recently about federal financial regulators, especially the CFPB, "regulating by enforcement action." Much of the criticism has merit, particularly where it is not clear that the conduct being penalized actually runs afoul of the law. However, initial and ongoing vendor due diligence and monitoring, together with exercising a financial institution's right to bargain for contractual liability that adequately protects the bank from the damages it and third parties suffer if bad people do bad things through the vendor's systems or technology, ought by now to be something banks from big to small are on top of. Those who remain asleep at the wheel arguably ought to be slapped upside the head. With a large canoe paddle. Wrapped in barbed wire.