Lucky Bank's problems started harmlessly. An employee opened a Word document emailed by a purported job applicant.
Before long, private messages were revealed, customers at Lucky and competing banks lost money, and Visa cut off access. There was unwanted attention from federal officials, plaintiff lawyers and even state attorneys general. An aggressive reporterdesperate for a storyhounded the bank with questions.
The underlying answer to most of the questions was simple: The bank hadnt prepared for a nightmare like this.
This crisis was not real and neither is the bank. It was a simulation, designed by the American Bankers Association and performed by professionals at recent ABA conferences, intended to help institutions think through how they would deal with scenarios that are increasingly plausible.
How could you have made up the Sony Pictures attack, asked Doug Johnson, senior vice president and chief advisor at the ABA, opening the panel simulation at the trade groups recent risk management forum.
Indeed, Lucky Banks breach had similarities with the real-life cyberattack of the movie studioallegedly by North Korea. The suspected perpetrator in the simulation was an Iranian paramilitary group, perhaps with government ties. The $10 billion-asset bank was targeted because of its location near a U.S. base, from where overseas drone strikes are launched.
In the ABAs scenario, the breach, connected to one email sent to human resources, infected multiple systems. Initially, customers reported unauthorized withdrawals from locations in North America and overseas. Then, it became clear hackers had compromised the banks email system; private messagesincluding between loan officers disparaging the credit record of the base commanderwere publicized.
Customers complained when, after Visa suspended the banks debit cards, they could not access their accounts. But the hack took on a more systemic nature when other banks complained of customers losing funds after they had used Lucky Banks ATMs.
Johnson said the potential for a hackers entry into one data location to affect other areas of the bank should force institutions to think about whether linking up systems is a good idea.
What Sony showed us is there may be any number of different ways an institution is being attacked at the same time simultaneously by the same perpetrator, he said. Segregation of systems and understanding where systems are intertwined where they shouldnt necessarily be intertwined is important.
In the simulation, during which panelists portrayed the banks executives but also shared real-life wisdom, the level of information the bank divulged publicly was a constant issue. A local reporterplayed by a real-life crisis communications advisorwas relentless in getting information without concern for the banks reputation.
When the banks chief executive played by Linley Abbott, operational risk manager at FirstMerit Bank in Akron, Ohiosaid he would rather comment later after the bank had determined more about the breach, the reporter dug in.
There is no later time. We post [stories] on a regular basis. If you can give me somethingprecautions youve taken, regulators you have to notifythat would be great, the reporter, played by Merrie Spaeth, of Spaeth Communications in Dallas, said. Otherwise Ill be posting my account now, with a few pictures of the outside of the bank and your sign, saying you wouldnt comment.
Panelists said that there is a tricky line to walk in developing a public message during the crisis to assuage concerns from customers but still not divulge information prematurely. Institutions would normally have prepared a somewhat generic statement beforehand to release to the public that would instill a little bit of confidence that were working on the issue, said LeAnne Staalenburg, senior vice president of Capital City Bank in Florida, who played Lucky Banks chief information security officer.
Our responsibility is first to our customers, not to our reputation, said Abbott.
Nathan Taylor, a partner at Morrison & Foerster, who played the banks general counsel, said the institution should be mindful of not overstating publicly our degree of confidence.
We want to maintain customer confidence but we also dont want to be making prospective statements or statements without reasonable basis, he said.
Spaeth warned that the bank in this situation risks worsening the situation by being too closed. At one point in the simulation, the reporter has tweeted about the bank and hundreds of messages about the breach are circulating through social media.
Somebody needs to respond and say something, Spaeth said. Maybe not a lot, but something. If you just leave them sitting out there, theyre going to build on each other and are going to viral.
Banks in this situation should also not be blind to how the press can help them, she said. As reporting about crises these days is instantaneous, she noted, in addition to critics there would likely be customers expressing their faith in the bank to do right by them.
They will become your proxy ambassadors, she said.
Eventually in the ABAs scenario, the bank brings in an outside forensics team to determine the extent of the breach. In addition to federal bank regulators, the institution has also been in touch with the Secret Service, Pentagon and FBI to help investigate the origins of the hack.
Fallout continues to spiral. A plaintiff law firm looks at pursuing a class action suit against Lucky, and the bank starts hearing from attorneys general in other states. The bank eventually decides to use coverage from an insurance policy for cyber-related problems to pay for two years of credit monitoring for customers at risk of identity theft.
Meanwhile, complaints from customers are climbing. Accountholders are worried not only about unauthorized withdrawals but also the inability of service members to access accounts while deployed overseas because of the denial of Visa service.
My son is still trying to buy milk in Germany, said Sidney Chip Corbett, who played the base commander and in real life is first vice president of Hoyne Savings Bank in Chicago.
The panelists said having infrastructure to be able to expand the reach of customer service call centers is important. Were bringing in [temporary staff] to help, said Abbott, playing the CEO. IT is working on setting up more lines to increase capacity. Weve sent people to a backup recovery site where they have available phones and access to systems and screens, he said.
Were doing the routing necessary in order to try to deal with the influx of calls weve received from clients so the management in the organization can concentrate on trying to get to the bottom of the breach and the damage thats been done.
Joe Adler is the deputy Washington bureau chief of American Banker, a sister brand to Bank Investment Consultant.
- White House Pushes Industry on Cyberthreat Data Sharing
- SEC, FINRA Warn on Cybersecurity
- Data Breach? Don't Make This Mistake
- Next ICBA Chair Wants Broad Cyber Regs - for Other Industries