Bank executives have said for years that their worst nightmare is a successful cyberattack against the industry. Now they’re watching one unfold across government agencies in what could be one of the biggest hacks in U.S. history.
So far, no evidence has emerged that Wall Street was a victim of the attack, which also hit Microsoft Corp.’s systems. Still, experts say it will take many months, at a minimum, to determine the extent of the infiltration, a stark reminder of the risk that hangs over an industry that’s spent billions to bolster its defenses in recent years.
“Based on what we have seen as of today, there has not been specific focus against the financial sector, nor have we seen reports indicating negative impact amongst our members,” the Financial Services Information Sharing and Analysis Center, a network of financial firms sharing information about cyber threats, said in an emailed statement.
FS-ISAC said it’s been working around the clock with banks and its thousands of members, offering “strategic and tactical reports detailing the attack vectors and offering best practices to mitigate risk.”
Representatives of the biggest U.S. banks declined to comment on the attack, deferring to FS-ISAC.
Banks, brokers, insurers and other finance companies have ramped up spending on cybersecurity for at least four years as services move online and attacks escalate. Cyber spending jumped 15 per cent this year, according to a Deloitte & Touche LLP survey. That equates to almost US$1 billion for each of the largest U.S. banks.
The pandemic accounted for some of that increase, forcing firms to bolster defenses as staff worked from home and as more customers embraced online products and services. About 64 per cent of finance executives expect cybersecurity budgets to keep rising, a separate Deloitte survey showed.
Financial firms “have made great strides when it comes to not only preventing security attacks but also bouncing back from breaches quickly,” consulting firm Accenture said in a report. Banks “have become quite challenging to penetrate, so the ‘bad guys’ have gone elsewhere.”
Government agencies and hundreds of Fortune 500 companies are still assessing the damage done by the cyberattack, which involved code embedded in updates for a widely used network-management software made by SolarWinds Corp.
“It is a wake-up call for all,” said Haiyan Song, a cybersecurity expert who used to head security markets at Splunk Inc. “While the world has shifted to more cloud environments, software-development life-cycle management may not have been given enough attention for its security and integrity.”
The hacks highlighted vulnerabilities in Washington and beyond, even as the banking industry stays on high alert for cyberattacks. When the chiefs of the largest U.S. banks faced a grilling from lawmakers last year, State Street Corp. Chief Executive Officer Ron O’Hanley called cyber risk a “clear and present danger” that requires banks and regulators to cooperate.
JPMorgan Chase & Co. in 2014 was the subject of the largest known cyberattack against a U.S. bank at the time. Last year, a Russian hacker pleaded guilty to stealing data on more than 80 million clients of JPMorgan and other institutions that netted hundreds of millions of dollars in ill-gotten gains.
Earlier this year, Capital One Financial Corp. agreed to pay US$80 million in penalties and improve its cybersecurity to resolve probes into a 2019 hack that exposed personal financial information on more than 100 million Americans.
Still, direct cybersecurity attacks on banking and capital-markets firms fell 2 per cent last year, and actual breaches were 25 lower, according to Accenture’s latest survey of financial firms.
Despite that progress, high-profile attacks have increased public pressure and awareness in the C-suite, with banks ramping up software, personnel and information-sharing with peers. Other surveys have shown those efforts have made them more successful in blocking cyberattacks over the past few years.
An industry-led project, called Sheltered Harbor, backs up data off the grid for savings and checking accounts nationwide. The data can then be used to restore access to a hacked institution’s accounts, using another firm’s computer network. The project has been expanding slowly to brokerage accounts and other financial information to prevent disruption from cyberattacks.
“The financial system is interconnected, and adversaries are smart and relentless -– so we must continue to be vigilant,” JPMorgan CEO Jamie Dimon said in an April 2019 letter to investors.