How to make the banks paranoid about security?

(Cross posted from my Financial Markets Blog)

All online businesses are highly vulnerable to hacking, but the business response to this threat ranges from paranoia to complacency. Banks are among those that are most complacent, and there is a lot that regulators can and should do to change that.

Let me start with an example of a paranoid online business – online pornography. A few days ago a distributed denial of service attack on a large DNS server took down several major websites including Twitter, Spotify, Reddit, Etsy, Wired, and PayPal. While these giants tottered, adult entertainment sites like withstood the attack. The secret was DNS redundancy; to bring down, you would have to take down several DNS servers, not just one. Or consider another example: Wikileaks, whose total security budget might be a rounding error for many large banks. Wikileaks has angered some of the most powerful nation states in the world, but the only disruption that Wikileaks has suffered is Ecuador cutting off the internet lines to its founder Julian Assange, who has been holed up in the Ecuadorian embassy for several years now. Wikileaks claims to have activated contingency plans, and its Twitter feed has continued to be very active.
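The DNS redundancy point above can be checked mechanically: if every authoritative nameserver for a zone sits with one provider, knocking out that provider takes the zone offline. The script below is an added example, not code from the post; the nameserver hostnames and provider domains are constructed for illustration, and it approximates the operator of a nameserver by its registrable domain (an assumption that is good enough to spot a single-provider setup).

```python
"""Added example: does a zone's nameserver set survive the loss of one
DNS provider? Nameserver names below are constructed, not real records."""
from collections import defaultdict


def provider_of(ns_host: str) -> str:
    """Approximate the operator of a nameserver by its registrable domain
    (the last two labels). Assumption: one registrable domain == one provider."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def resilience(ns_hosts):
    """Group nameservers by provider and report whether at least one
    authoritative server remains if any single provider is knocked out."""
    by_provider = defaultdict(list)
    for host in ns_hosts:
        by_provider[provider_of(host)].append(host)
    providers = sorted(by_provider)
    # For each provider, the servers that would still answer if it went dark.
    remaining = {p: [h for h in ns_hosts if provider_of(h) != p] for p in providers}
    single_points = [p for p, rest in remaining.items() if not rest]
    return {
        "providers": providers,
        "single_points_of_failure": single_points,
        "survives_single_provider_outage": not single_points,
    }


def resolvable(ns_hosts, down_providers):
    """Simulate an outage: True if some nameserver lies outside the affected
    providers, so resolvers can still reach an authoritative answer."""
    return any(provider_of(h) not in down_providers for h in ns_hosts)


# Constructed zones: one hosted entirely with a single provider, one spread
# across two independent operators.
SINGLE = ["ns1.dns-provider-a.example", "ns2.dns-provider-a.example"]
SPREAD = ["ns1.dns-provider-a.example", "ns2.dns-provider-a.example",
          "ns1.dns-provider-b.example", "ns2.dns-provider-b.example"]

if __name__ == "__main__":
    for name, zone in (("single", SINGLE), ("spread", SPREAD)):
        print(name, resilience(zone))
```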

Compared to these organizations that run their websites as a serious activity, banks come across as utterly complacent and casual about computer security. Let me give a few examples:

  1. My internet banking passwords are among my weaker passwords not because I am careless, but because most banks do not allow me to use high quality passwords. To combat Moore’s law, I have been increasing my default password length every year or so, and now this default length exceeds the maximum allowed by most banking sites in India. Most banks also disallow various special characters that my random password generator produces by default.

  2. A few days ago it was reported that over three million Indian debit cards had been compromised, but the breach was not detected for several weeks. Many banks have tried to turn this into a business opportunity by discouraging their customers from using ATMs of other banks. If some banks are running vulnerable ATMs, they must be publicly identified and their ATMs must be shut down promptly and ruthlessly. A general discouragement of other banks' ATMs only helps each bank to save on interconnect charges.

  3. Anecdotal evidence suggests that banks are extremely reluctant to disclose or correct vulnerabilities detected by their own security audits, for fear that it might hurt their business. They find it cheaper to compensate the few customers who do complain loudly enough. Most customers are neither knowledgeable enough to complain nor vociferous enough to succeed.

In banking regulation, there has been a progressive shift towards considering systemic (also called macro-prudential) risks rather than the idiosyncratic risk of failure of a single bank. This lesson has to be applied to cyber risks as well. A breach in any bank opens up a threat surface for the entire interconnected financial system. The regulatory response to the breach must not be based on the loss to the bank in question; it must consider the risks posed to the entire system.

This means that failure to disclose breaches must be punished a lot more severely than the actual breach itself. Undisclosed breaches pose huge systemic risks because of the difficulty of defending against the unknown enemy. For India, I would think that an appropriate calibration of the penalty would require that the fine for unreasonable delay in disclosing a breach affecting a million customers should amount to approximately one year’s cyclically adjusted profits of the entire banking system.

A couple of such large fines would shake the banks out of their complacency and induce a healthy dose of paranoia in the banks. It would also shift the cost-benefit analysis towards investing more in security. Perhaps they will hire some personnel from organizations like who are demonstrably better at running an online business. As Andy Grove wrote in Only the Paranoid Survive:

You need to plan the way a fire department plans: It cannot anticipate where the next fire will be, so it has to shape an energetic and efficient team that is capable of responding to the unanticipated as well as to any ordinary event.
