Hacking and Systemic Financial Armageddon

The revelation that 76 million JPMorgan Chase consumer accounts were compromised by hacking should be scaring the heck out of us. The Chase hacking is a red flag that hacking poses a real systemic risk to our banking system, and a national security risk as well. Frankly, I find this stuff a lot scarier than either ISIS or our still largely unregulated shadow banking space.  

Consider this nightmare scenario:  what if the hackers had just zeroed out all of those 76 million Chase accounts and wipes out months of transaction history making it impossible to determine exactly how much money was in the accounts at the time they were zeroed out? The money wouldn't even have to be stolen.  Just the account records changed.  What would happen then?

 "Not to worry," you say, "Chase's equity will make things good.  Jamie's got a fortress balance sheet."  Perhaps.  But 76 million accounts could be an awful lot of money, rendering Chase undercapitalized.  And what if Chase's equity isn't enough?

"Relax," you say, "the accounts are FDIC insured." But the FDIC can only pay insurance on account balances it can verify. If the FDIC can't determine account balances it's going to be hard to pay consumers without serious disruption.

"No problem," you say, "I've got my bank records to prove the balance." But do you? Where are they?

"On line," you say.  But that's just the bank's records, which were zeroed out.  

"Yeah, but the bank's got backup copies," you say. Well sure, I assume that account data is backed up a ridiculous number of times and that copies of the data are delinked from the Internet and stored in high-security kevlar-encrusted Fürher bunkers located under a mountain top next to NORAD. But what if the backup data has been corrupted too?  All the data protection in the world isn't going to do a lot if the data that's being protected is already corrupted. 

"Chill out," you say, "I've got my paper statements."  But those are a month old.  How probative are they of current balances?  How quickly could this get sorted out? What would happen in the interim? 

Oh," you say.  And now consider the consequences of millions of accounts getting zeroed out.  

First, those poor consumers whose accounts were affected would be in a terrible situation--they would not be able to transact or pay their bills, and a whole series of bad consequences would cascade as payroll, rent, utility, and tuition checks bounced, debit cards were denied at gas stations and restaurants, etc. Not only would this create even more trouble for the consumers, but it would also create real trouble for businesses. 

Second, there would be a run on the afflicted bank and likely on other banks because if one bank's security is suspect, all banks' security becomes suspect to consumers who cannot differentiate between bank security systems.  And no amount of federal bailout money would easily convince depositors to put their money back in the bank.  The damage to the US economy would be enormous. This is a systemic Armageddon scenario. 

I want to be clear that I am not saying it is a likely scenario. But I worry that it is possible. 

Here's the problem.  Banking is built on trust.  Depositors trust that banks will maintain accurate records of their accounts.  Historically we trusted but verified:  in paper only-days, both consumers and banks maintained copies of account records, and bank's internal records were maintained on paper.  Things like passbooks provided evidence of account transactions and balances. The system was inefficient and had its own risks:  fire and flood, for example. But those could be mitigated by storing multiple copies of records in multiple locations.  It was unlikely that millions of consumer accounts would be compromised by malicious activity.  

The past several years have seen a major shift in this paradigm. Many consumers have opted for electronic statements only, something banks pitch as good for the environment, but which is really about saving banks the costs of printing and mailing the statements. Electronic records, however, are inherently vulnerable to hacking, and the paper records consumers are never up-to-date (unless you've still got a passbook).  Hacking, whether by criminal enterprises, terrorists, or state actors poses a huge threat to the integrity and stability of our financial system. 

I don't see any great way around this problem. It seems like it inevitably devolves into an IT arms race, which banks will sometimes lose, and which is particularly bad news for small institutions that just can't amortize the costs effectively over their account base.

Now, there's a lot I don't know here about the IT security of banks. I know banks spend a LOT on security and that there are all sorts of security measures I can't even fathom. In some measure the issue for banks is all about outrunning the other guy, not outrunning the bear because the devil will take the hindmost--the weakest links will get hacked. But there's also a big target on national champions, just as there was on American and United Airlines in Al Qaeda's eyes. Plus, there's the Willie Sutton problem: hackers rob banks because that's where the money is. 

National security folks have fretted for years about the vulnerability of "the grid" to attack by terrorists or foreign powers:  we are deeply dependent upon having reliable electric power. But the financial services sector is an equally worrisome vulnerable. Think of the chaos that would ensue if Visa or DTC went down.  Indeed, one only has to look at 9/11 to recognize the risk:  with air space shut down after 9/11, our paper check clearing system broke down, and the Fed had to guarantee payment on all checks in the system. If the 9/11 attacks had hit elsewhere in lower Manhattan, the economic chaos could have been much worse. The irony is that 9/11 exposed the vulnerability of a paper-based system, and our response was the Check21 Act, allowing for image exchange of checks--a move toward a more fully electronic system. The attack on Chase should remind us that electronic systems have their own vulnerabilities. 

We live in a world of electronic money.  Hacking is the new counterfeiting.  It is a threat to the integrity of the money supply and to the economy as a whole.  Regulators need to be taking this really seriously as both a safety-and-soundness threat and a national security threat. I know that their actions in this area will not be transparent to the public, but I hope they're on top of it. There's a much greater potential threat to the US from hackers targeting financial institutions than from ISIS, barbaric though they may be. I hope our government is taking it seriously.