Businesses Bite Down Hard on Cyber Hack Losses

<a href="http://plaidklaus.blogspot.com/2010/04/video-inking-cartoon-on-lightbox.html">Klaus Shmidheiser </a>/Flickr

Fight disinformation: Sign up for the free Mother Jones Daily newsletter and follow the news that matters.


In the new era of heists, cyber criminals and hacktavist groups wield malware instead of firing shots in the air, move through fiber optics and mainframes instead of donning masks and keeping the getaway car running. And unfortunately for small businesses and consumers, weak legislation and vague contract language often give banks leeway to duck responsibility for recouping cyber hack losses. These hacks can incur high costs for small to medium businesses (SMBs), who, according to Bloomberg, are losing $1B a year to cyber fraud.  Internet Security Awareness Training (ISAT) firm KnowBe4 hits at these businesses’ unique vulnerability: “SMBs are notorious for lack of security procedures…and companies simply do not have legal protection…so they are forced to absorb the losses.”

It certainly takes two to tango, but there are very few existing legal decisions that address what responsibility a bank has to protect its customers. A whole crop of lawsuits has risen out of this ambiguity, with banks suing their clients and clients counter suing. Results vary on who’s truly responsible. In one recent case, the court ruled the bank was at fault; in another, the client was to blame.

Hillary Machinery, an equipment distribution company, is all too familiar with how much damage these malicious cyber succubi can do. Back in 2009, Hillary Machinery lost $801,495 in a matter of two days, when cyber crooks utilized an infamous Trojan Horse software, ZeuS, which swiped the company’s online banking passwords. The crooks then initiated the transfers, sending the funds to money mules who then laundered the booty to Eastern Europe. Hillary Machinery alerted the fraud to its bank, PlainsCapital, who was then able to recoup $600,000 through the FedWire Funds Transfer System, leaving $200,000 outstanding. Hillary Machinery then wrote a letter to PlainsCapital, stating that their internet banking system “failed to employ commercially reasonable security measures” and that the bank was “responsible for all unrecoverable monies.” PlainsCapital retaliated and sued its customer in federal court, alleging that its security procedures were “commercially reasonable” and that they accepted the wire transfers on “good faith.” There’s no clear definition on what constitutes a commercially reasonable transfer, and according to Richard Engel, a cyber fraud expert and lawyer at Mackenzie Hughes LLP, it’s determined on “a case by case basis.”

Unfortunately for small businesses, banks are under no obligation to reimburse commercial accounts of cyber fraud. “It’s the way the law is written, or not written for that matter. Regulation E covers bank liabilities for consumer accounts, but that doesn’t extend for business accounts,” Michael Benardo, the chief of the FDIC’s Cyber Fraud and Financial Crimes department, told Mother Jones. Greg Hassell, a spokesman for JPMorgan Chase, says they’ll cover hacks sometimes: “If there is fraud on an account, we work with our clients on a case-by-case basis.”

It’s not just small businesses at risk; schools, churches, and even the town of Poughkeepsie, NY, are some of the most recent targets of cyber fraud. Senator Charles Schumer (D-N.Y.) recently introduced an amendment to Regulation E that would give municipalities and school districts the same level of protection as consumers. Yet there’s substantial push back—the American Banking Association has come out against it, claiming it will dissuade banks from taking on these smaller businesses and nonprofits because of the heightened risk associated or it’ll put the kibosh on the whole online banking system. Troy Owen, Vice President of Sales at Hillary Machinery, told GovInfoSecurity, “Banks in general aren’t going to spend the money to install protections for accounts they are not mandated to protect,” which includes SMBs.

Another senate bill making the rounds, the Personal Data Privacy and Security Act of 2011, moves to enforce criminal penalties on anyone who intentionally or willfully conceals a data breach. This bill doesn’t explicitly impact the bank vs. customer relationship, but it does strike a bold move toward a more unified standard against cyber hacking.

Prospects for better protection look dim. According to a recent poll by Fundtech that surveyed nearly 100 banking executives from over 50 US financial institutions, two-thirds believe that the industry will never be able to get cyber crime problem under control. 79 percent think that only a small fraction of their business client base understands their liability. Engel told Mother Jones, “banks have a heightened responsibility to ensure that their security procedures protect their customers. At the same time, businesses need to start communicating with their banks and understanding what the security procedures are and how they are protected, because most customers are truly unaware.” Maybe clients also need to end the trigger happiness and stop clicking shady links. These are optimistic suggestions, since it’s incumbent on both sides to do the leg work and protect their cheese. If not, hackers will keep moving it.

WE'LL BE BLUNT

It is astonishingly hard keeping a newsroom afloat these days, and we need to raise $253,000 in online donations quickly, by October 7.

The short of it: Last year, we had to cut $1 million from our budget so we could have any chance of breaking even by the time our fiscal year ended in June. And despite a huge rally from so many of you leading up to the deadline, we still came up a bit short on the whole. We can’t let that happen again. We have no wiggle room to begin with, and now we have a hole to dig out of.

Readers also told us to just give it to you straight when we need to ask for your support, and seeing how matter-of-factly explaining our inner workings, our challenges and finances, can bring more of you in has been a real silver lining. So our online membership lead, Brian, lays it all out for you in his personal, insider account (that literally puts his skin in the game!) of how urgent things are right now.

The upshot: Being able to rally $253,000 in donations over these next few weeks is vitally important simply because it is the number that keeps us right on track, helping make sure we don't end up with a bigger gap than can be filled again, helping us avoid any significant (and knowable) cash-flow crunches for now. We used to be more nonchalant about coming up short this time of year, thinking we can make it by the time June rolls around. Not anymore.

Because the in-depth journalism on underreported beats and unique perspectives on the daily news you turn to Mother Jones for is only possible because readers fund us. Corporations and powerful people with deep pockets will never sustain the type of journalism we exist to do. The only investors who won’t let independent, investigative journalism down are the people who actually care about its future—you.

And we need readers to show up for us big time—again.

Getting just 10 percent of the people who care enough about our work to be reading this blurb to part with a few bucks would be utterly transformative for us, and that's very much what we need to keep charging hard in this financially uncertain, high-stakes year.

If you can right now, please support the journalism you get from Mother Jones with a donation at whatever amount works for you. And please do it now, before you move on to whatever you're about to do next and think maybe you'll get to it later, because every gift matters and we really need to see a strong response if we're going to raise the $253,000 we need in less than three weeks.

payment methods

WE'LL BE BLUNT

It is astonishingly hard keeping a newsroom afloat these days, and we need to raise $253,000 in online donations quickly, by October 7.

The short of it: Last year, we had to cut $1 million from our budget so we could have any chance of breaking even by the time our fiscal year ended in June. And despite a huge rally from so many of you leading up to the deadline, we still came up a bit short on the whole. We can’t let that happen again. We have no wiggle room to begin with, and now we have a hole to dig out of.

Readers also told us to just give it to you straight when we need to ask for your support, and seeing how matter-of-factly explaining our inner workings, our challenges and finances, can bring more of you in has been a real silver lining. So our online membership lead, Brian, lays it all out for you in his personal, insider account (that literally puts his skin in the game!) of how urgent things are right now.

The upshot: Being able to rally $253,000 in donations over these next few weeks is vitally important simply because it is the number that keeps us right on track, helping make sure we don't end up with a bigger gap than can be filled again, helping us avoid any significant (and knowable) cash-flow crunches for now. We used to be more nonchalant about coming up short this time of year, thinking we can make it by the time June rolls around. Not anymore.

Because the in-depth journalism on underreported beats and unique perspectives on the daily news you turn to Mother Jones for is only possible because readers fund us. Corporations and powerful people with deep pockets will never sustain the type of journalism we exist to do. The only investors who won’t let independent, investigative journalism down are the people who actually care about its future—you.

And we need readers to show up for us big time—again.

Getting just 10 percent of the people who care enough about our work to be reading this blurb to part with a few bucks would be utterly transformative for us, and that's very much what we need to keep charging hard in this financially uncertain, high-stakes year.

If you can right now, please support the journalism you get from Mother Jones with a donation at whatever amount works for you. And please do it now, before you move on to whatever you're about to do next and think maybe you'll get to it later, because every gift matters and we really need to see a strong response if we're going to raise the $253,000 we need in less than three weeks.

payment methods

We Recommend

Latest

Sign up for our free newsletter

Subscribe to the Mother Jones Daily to have our top stories delivered directly to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate