KrebsOnSecurity.com reported recently that “a business telephone equipment company in Texas is trying to force its bank to settle a liability claim over an attack by organized cyber thieves last year that cost the company $50,000.”
This is a common story which we continue to write about. [See many of our postings under the tag: Financial Systems Security.]
The unfortunate truth [as we wrote in an earlier blog] is that banking laws put the responsibility for cybercrime losses onto the customer. If the customer wants the bank to reimburse it for the fraud losses, it’s up to the customer to prove that the bank’s security procedures are not commercially reasonable [as that phrase is defined in the Uniform Commercial Code, Article 4A-202]. The result, all too often, is that the customer has little choice but to sue the bank. [See our blog post, for example.]
The good news: There’s a very good chance the bank’s procedures fail the test of commercial reasonableness. In an analysis of a bank whose customer lost $600,000 when cyberthieves uploaded fraudulent payroll databases, our firm found significant technical, procedural and managerial weaknesses in the banks security procedures. These weaknesses were so egregious that they left us no alternative to the conclusion that the bank’s security procedures were not commercially reasonable.
The bad news: The cost of proving the bank’s procedures are not commercially reasonable [so that the bank will share in the responsibility for the loss] is huge. I have no idea of the legal fees involved but I do know that fees for expert analysis do not come cheap. Consequently most organizations will not have the deep pockets to sustain a lawsuit, particularly under the cash flow pressures that will inevitably follow a large loss.
That’s why Citadel continues to recommend that every organization discuss cybercrime insurance with their insurance broker. As Brian Krebs wrote in his blog KrebsOnSecurity.com “cyber theft insurance can be a reasonable and effective investment in an era when ultra-sophisticated cyber thieves increasingly are defeating the security that surrounds many commercial online banking accounts.”