DDoS attacks have been confirmed that have taken down two credit unions and several large banks’ websites. It’s been proven our entire financial system is vulnerable. While stealing personal information doesn’t seem to have been at play, this is a critical concern for the entire financial services industry. The two confirmed, targeted credit unions were able to get their sites back up in a few hours, which is excellent news. Consider for a moment if these attacks had not been one offs, but a coordinated and concerted effort to take down the U.S.—or even global—banking system. It’s not difficult to imagine, raising grave safety and soundness and national security concerns.
If this sounds far-fetched, you’re wrong. In 2007 the Estonian government was forced to shut down all access to government websites from IP addresses outside of Estonia when rioting spread from the streets to the virtual highway, according to arstechnica.com. Estonia claimed that the DDoS attack came from Russian government IP addresses. The New York Times website was reportedly attacked by the Chinese government for a period of four months, and it has allegedly gone after other news sites reporting negative news about the government. Cyber warfare with countries, like Iran, where the group taking credit for the DDoS attacks on the credit unions are from, wouldn’t be bloody but it could be costly, which could turn bloody.
Meanwhile the Federal Financial Institutions Examination Council is dilly-dallying with consumer disclosures in social media. This is heart-stoppingly out of touch considering the recent cyber attacks. I will state upfront that I have no idea how to prevent a DDoS attack or repairs needed after the fact. I do recognize the need to address this matter promptly as opposed to making sure CD account offerings via Twitter include the appropriate federal deposit insurance logos.
Suppose the targeted credit unions were not billion-dollar institutions, but instead hundreds of smaller financial institutions that might not have the resources. Imagine millions unable to access their accounts online from various institutions around the world for days at once. The result: Loss of confidence in the banking system.
Part 748.1 of the NCUA regs states: “Each federally insured credit union will notify the regional director within five business days of any catastrophic act that occurs at its office(s). A catastrophic act is any disaster, natural or otherwise, resulting in physical destruction or damage to the credit union or causing an interruption in vital member services…projected to last more than two consecutive business days. ”
The breach has to last two days before it’s significant, and even then credit unions are given five days to report it. An unbelievable amount of damage could be wrought in that amount of time regarding reputational and other types of risk that pack a punch to safety and soundness.
But instead of addressing this primary security issue, the regulators want to make sure financial institutions’ Facebook pages include TILA disclosures and don’t violate UDAP.
Consumer protection is not a bad goal, but strategically choreographed DDoS attacks could lead to mass hysteria. Legislation was introduced to allow students relief in bankruptcy proceedings for student loan debt. Senator Durbin assailed private student lenders as the government’s student loan portfolio is deteriorating, which Bloomberg reported.
And Fannie Mae and Freddie Mac, which fueled the flames in the housing crisis, want to allow principal forgiveness on certain mortgages. Michigan First FCU CEO Michael Poulos responded to the news, that, “Aside from bankruptcy, which is adjudicated within strict legal guidelines and is subject to legal challenges from all the parties (particularly lenders), there has never been any aspect of the borrowing process whereby a borrower could simply claim a certain life circumstance and be relieved of a debt obligation.” He continued that such a move would negatively impact loan pricing and dry up credit.
To be able to do this, they likely will have to charge lenders a premium. When lenders’ costs go up, they make up the difference from borrowers. The government is simply taking a slice as the middleman.
If this administration is truly concerned about consumer protection, stop the DDoS attacks. That will provide consumers greater peace of mind than adding more disclosures and costs to already cumbersome financial transaction processes.