Businesses Bite Down Hard on Cyber Hack Losses
With scarce legislation out there intending to stop it, to what extent should cyber fraud be the banks' problem?
In the new era of heists, cyber criminals and hacktivist groups wield malware instead of firing shots in the air, and move through fiber optics and mainframes instead of donning masks and keeping the getaway car running. Unfortunately for small businesses and consumers, weak legislation and vague contract language often give banks leeway to duck responsibility for recouping cyber hack losses. These hacks can incur high costs for small to medium businesses (SMBs), which, according to Bloomberg, are losing $1B a year to cyber fraud. Internet Security Awareness Training (ISAT) firm KnowBe4 points to these businesses' unique vulnerability: "SMBs are notorious for lack of security procedures...and companies simply do not have legal protection...so they are forced to absorb the losses."
It certainly takes two to tango, but there are very few existing legal decisions that address what responsibility a bank has to protect its customers. A whole crop of lawsuits has risen out of this ambiguity, with banks suing their clients and clients countersuing. Results vary on who is truly responsible: in one recent case, the court ruled the bank was at fault; in another, the client was to blame.
Hillary Machinery, an equipment distribution company, is all too familiar with how much damage these malicious cyber succubi can do. Back in 2009, Hillary Machinery lost $801,495 in a matter of two days, when cyber crooks used the infamous ZeuS Trojan horse, which swiped the company's online banking passwords. The crooks then initiated the transfers, sending the funds to money mules who laundered the booty to Eastern Europe. Hillary Machinery alerted its bank, PlainsCapital, to the fraud, and the bank was then able to recoup $600,000 through the FedWire Funds Transfer System, leaving $200,000 outstanding. Hillary Machinery then wrote a letter to PlainsCapital, stating that its internet banking system "failed to employ commercially reasonable security measures" and that the bank was "responsible for all unrecoverable monies." PlainsCapital retaliated and sued its customer in federal court, alleging that its security procedures were "commercially reasonable" and that it had accepted the wire transfers in "good faith." There is no clear definition of what constitutes a commercially reasonable transfer, and according to Richard Engel, a cyber fraud expert and lawyer at Mackenzie Hughes LLP, it is determined on "a case by case basis."