Some time ago, I had a contract tech writing gig with Northern Trust Bank in the city. For those who may not know, Northern Trust is a bank that caters to extremely wealthy individuals. To give you an example, my manager at the time and his team had a client who had plunked in $800 million in what they call an “Anchor Deposit”. The maintenance fees were exorbitant, as they were charging this client well over $11 million per year.
Anyways, I was tasked to contribute content to what is known as the “Comprehensive Capital Analysis Review”, or “CCAR” for short. This is a gargantuan document, something like 5,000+ pages, that the Federal Reserve requires of the top 30 banks in the United States.
In this document, these financial institutions have to demonstrate that they will be solvent during another financial crisis like what happened back in 2008.
In order to prove this, these banks are required to run rather complex statistical tests (primarily based upon multiple regression analysis) on three types of economic scenarios ranging from baseline conditions all the way to a severely adverse economic environment.
Although I did not take part in all of this, I am proud to say that at least I contributed 80 pages to this document back in 2016, and my part covered a partial analysis of these various tests.
With this background in mind, it appears that this same approach is now being used for financial institutions all across the United Kingdom. It’s not for financial stress testing; but rather, the Bank of England and the Financial Conduct Authority (this is the UK’s equivalent to the Federal Reserve) have given British banks and other financial services firms until October 5th of this year to explain how they can mitigate damaging IT breakdowns and respond to the growing threats from the Cyber attack landscape.
Apparently, this move by the UK has been prompted by the recent fiasco at a bank known as the “TSB BANK”. Back in April the bank tried to migrate their IT systems over to a new platform when they were separated from their parent company, the Lloyds Banking Group. Customers of the TSB BANK were locked out of their accounts for well over a week, and this was blamed on flaws in the middleware system.
But the customers at the TSB BANK don’t buy that story at all. After this meltdown happened, the TSB BANK, of course, became a prime target for the Cyber attacker. In all, there were some 1,300 accounts that were hacked into (this alone represents an 834% increase in the total number of Cyber attacks that have occurred), and to this day, there are customers who still cannot access their accounts. The TSB BANK has some five million customers, and just during this timespan alone, there have been 93,700 complaints from customers.
In fact, to this date, 40% of customers still cannot get hold of a customer service specialist in order to get access to their accounts; and if they are successful, wait times have been longer than 9 hours. WOW. All of this translates into just one out of ten calls actually being answered by a human being. The TSB BANK said that it would refund the entire account value to customers that have been impacted, but of course, this has not happened quickly enough yet.
And there of course is now the usual finger pointing, in which the senior management and the CEO have taken a long time to accept and admit their responsibility for the situation, with the technology transfer being the prime culprit to blame. Obviously, this has left many customers of the TSB BANK quite unhappy, and as a result, they have totally lost faith in the British banking system. More details of what exactly transpired and more about the impacts it has left can be seen here at this link:
As a guideline for crafting their disaster recovery plans, the banking regulators in the United Kingdom have agreed that at maximum, two days is what it should take a bank or an insurance company to have the ability to recover from a Cyber attack, and have the ability to compensate affected customers.
But if the financial institutions cannot meet the October 5th deadline, then they could face severe penalties such as having increased levels of capitalization, or in other words, to use the term here in the US, bolstering their levels of reserve requirements. Of course, this is not good news for them, as this is money that could be used in making loans to customers (especially small businesses) and other types and kinds of investments.
As part of this process, it will be the C-Level Executives as well as the associated senior management who will ultimately be held not only responsible, but also accountable as well in the case of downtime if a situation like what happened to the TSB BANK ever occurred again.
The nice thing, though, is that there will be a system of checks and balances put into place as these plans will be presented. This will include not only other non-financial business entities, but even the impacted customers themselves will have a voice to provide feedback as well.
My thoughts on this? Honestly, I am shocked. I never even came across this news headline even when I was doing my daily blogging back then. Even after reading the initial story about this today, I had to dig deeper in order to fully understand the impact to the customer, not just from a financial perspective but also from that of a Cyber security one as well.
Honestly, it is sad to see that it takes such a catastrophic event in order to get things moving in terms of creating a plan not only for backup and recovery, but how to also thwart off any future Cyber attacks. But hey, at least something is better than nothing. Hopefully, these poor customers will be reimbursed soon, and they can move on with their lives. Perhaps the Federal Reserve should mandate a plan like this for the major US banks as well, and make that a part of the CCAR documentation process.
But another question I have is what exactly is the two-day downtime for? Is it just to recover to bare bones operation, or to fully, 100% recover and also reimburse customers as well? This will be key to answer.
In the end, despite this horrible incident, I do have an enormous amount of respect for how the British maintain their levels of security. They are probably still one of the most proactive and vigilant societies in terms of public protection, and just don’t rely upon technology to fight off Cyber attacks.