As we mentioned in a previous post, banks and other financial institutions do not appear to invest sufficiently in the robustness and security of their IT and systems; and senior management often lacks sufficient understanding of their institutions' risks and vulnerabilities in that area. Yet banks, in particular, perform a critical function in any developed society as repositories of wealth (in the form of deposits) and the core of national and global payment systems. In that sense they are, as is often argued, critical utilities and should be regulated as such.
And as with “normal” utilities, such as power generators, pipelines and electricity grids, financial utilities are vulnerable not only to operational failures caused by human error or poor maintenance; they are also extremely vulnerable to “hacking” and other forms of cyber-attack, a fact that should be a cause of deep concern and intensive study by the (re)insurance industry, for which “cyber covers” are supposedly “the next big thing”.
We suspect that many people think that attacks on banks are still made by “hackers”, out to burnish their reputations; by anti-capitalist collectives such as Anonymous; or by internal or external “opportunists”, who come across a vulnerability or weakness and exploit it before it is addressed.
Would that it were so.
In fact, the future of banking is becoming very much one of an “arms race” between the banks and their regulators, and an array of criminal enterprises run as businesses with the express intent of extracting as much “rent” as possible from a quasi-monopolistic source, because that is where the money truly is! And not only that: such enterprises are often based in a physical sense (infrastructure and key personnel) in jurisdictions that protect them and benefit from their “work”, almost as if they had provided the equivalent of old-fashioned Lettres de Marque. There is more than one way of being a Private Military Contractor.
And these criminals (or, perhaps, PMCs) are in no sense stupid, or irrational. They exploit both human weakness and system vulnerabilities, as well as the complexity of modern banking, to create value for themselves at the expense of banks and their legitimate customers; but in ways that do not de-stabilize the system as a whole. What they do is, in every sense, a zero-sum economic act; but it would be foolish of those involved to become too greedy and destroy the source of their “wealth”.
So, in an environment in which many global banks are drastically reducing headcount by laying off tens of thousands of workers, including many who will undoubtedly know how to exploit the systemic weaknesses of their soon-to-be-former employers, one suspects that the criminal networks are already seeking ways in which to reach out to the desperate and the disgruntled and “employ” them to steal from or extort their former employers. An analogy might be the concerns, following the collapse of the Soviet Union, about what a cadre of scientists might do with their knowledge of nuclear weapons technology and their former state employers' security and control systems.
At Awbury, therefore, while understanding the enthusiasm of many in the (re)insurance industry for providing cyber-covers to generate premia in books of business that have been stressed by the decline in NatCAT revenues, we would be very cautious in terms of whether underwriters of such risks understand the extent to which the risks they are covering may not be quite all they appear to be; and we would want to be very sure that the terms, limits and loss triggers for such business were tightly worded; and that aggregations of risk to what may well be complex, inter-connected networks, with significant correlation, are properly understood.
– The Awbury Team