A Credit Union’s Liability After a Hack

It seems that almost every day we hear about another possible cyber-attack or threat to financial institutions. The announcement that the hacking group Anonymous was planning a May 7 Distributed Denial of Services (DDoS) attack against a number of large financial institutions is a perfect example of this. While the attack never came to fruition, it was the source of a number of headlines and caused financial institutions to commit resources to prepare.

Hacktivist groups like Anonymous are focused on garnering the headlines. They might get a headline in the local paper if they shut you down, but make the national nightly news if they shut down one or more major multi-national financial institutions.

Other recent studies have found that the Hacktivists groups are becoming the best friends of the true criminals who are attempting to steal valuable information from you. While you are focusing resources on the DDoS attack, the true criminals are trying to hack into your system via other channels or using tools like Advanced Persistent Threats (APT).

But what happens if the attack or loss of information happens on your member’s side? If it is a commercial account that is hacked, who is responsible for the loss? A couple of recent court rulings have found that even though the impacted banks had security protocols in place, they weren’t utilizing them in a manner that was considered “commercially reasonable.” In those cases, the courts ruled against the banks.

In the case of PATCO Construction Inc. against Ocean Bank, the court found against Ocean Bank for over $300,000 of unrecovered funds. In this case hackers had used malware to steal the logon credentials to access PATCO’s commercial accounts at Ocean Bank. They then initiated almost $600,000 in fraudulent wire transfers. While Ocean Bank did have several controls installed to meet the 2005 FFIEC Authentication in an Internet Banking Environment, the controls that were chosen were not used effectively, the court ruled.

This serves as a reminder to credit unions to continually reevaluate the security you provide your members. One of the major points in the 2011 FFIEC update to Authentication in an Internet Environment is that financial institutions should continually evaluate their protocol to ensure they are managing their risks and ensuring that fraudulent transactions are being stopped.


Questions? Contact the Compliance Hotline: 1.800.546.4465, compliance@nwcua.org.

Posted in Around the NW, Community Impact, Compliance News, Industry Insight.