August 29, 2014 at 4:01 pm

Next U.S. bank bailout could come after a cyber-terror attack

Bankers and U.S. officials have warned that cyber-terrorists will try to wreck the financial system’s computer networks. What they aren’t saying publicly is that taxpayers will probably have to cover much of the damage.

Even if customers don’t lose money from a hacking assault on JPMorgan Chase & Co., the episode is a reminder that banks with the most sophisticated defenses are vulnerable. Treasury Department officials have quietly told bank insurers that in the event of a cataclysmic attack, they would activate a government backstop that doesn’t explicitly cover electronic intrusions, two people briefed on the talks said.

“I can’t foresee a situation where the president wouldn’t do something via executive order,” said Edward DeMarco, general counsel of the Risk Management Association, a professional group of the banking industry. “All we’re talking about is the difference between the destruction of tangible property and intangible property.”

The attack on New York-based JPMorgan, though limited in scope, underscored how cyber-assaults are evolving in ferocity and sophistication, and turning more political, possibly as a prelude to the sort of event DeMarco describes.

Not simply an effort to steal money, the attack looted the bank of gigabytes of data from deep within JPMorgan’s network. And bank security officials believe the hackers may have been aided by the Russian government, possibly as retribution for U.S. sanctions over the Ukraine war.

A worst-case event that destroyed records, drained accounts and froze networks could hurt the economy on the scale of the Sept. 11, 2001, terrorist attacks. The government response, though, might be more akin to the 2008 credit meltdown, when the Federal Reserve invoked “unusual and exigent circumstances” to lend billions of dollars.

The government might have little choice but to step in after an attack large enough to threaten the financial system. Federal deposit insurance would apply only if a bank failed, not if hackers drained accounts. The banks would have to tap their reserves and then their private insurance, which wouldn’t be enough to cover all claims from a catastrophic event, DeMarco and other industry officials said.

Janet Napolitano, the secretary of the Homeland Security Department until August 2013, warned in her valedictory speech that the country will someday suffer a cyber-Sept. 11 “that will have a serious effect on our lives, our economy, and the everyday functioning of our society.”

Wall Street banks, brokerages and other companies have grown increasingly concerned as well. It’s just a matter of time before nation-states or terrorist groups aim to “destroy data and machines,” the industry’s biggest lobbying group wrote in a June 27 internal document.

Hackers burrowed into JPMorgan and siphoned off gigabytes of information, including customer account data, according to two people familiar with the lender’s investigation, who asked not to be identified. JPMorgan is taking additional steps to safeguard data and is working with government authorities to determine the scope of the assault, said Patricia Wexler, a spokeswoman for the bank.

Discussions about the government’s role in cleaning up after a catastrophic cyber-assault have centered on the Terrorism Risk Insurance Act. States are also pressing Washington to clarify how the Stafford Act, the main statute for relief from natural disasters, would factor in.

The insurance law, enacted after the 2001 attacks, authorizes the government to provide financial support for insurance companies in the wake of terrorism. It is up for renewal this year. Under TRIA, insurers cover a fixed amount of losses from terrorist attacks with the government backstopping additional costs up to $100 billion.

As recently as last year, insurers were pressing Congress to add language about cyber-attacks to the reauthorization bill. The industry has dropped that request for political reasons, said Mark Calabria, director of financial regulation studies at the Cato Institute and a former congressional staffer.

The industry’s most costly cyber-events have been thefts, such as a $40 million debit card break-in at an unnamed financial institution that U.S. regulators reported in April. In some cases, banks and depositors have been fighting in court over whose security breach was responsible for the hack.

The next wave of attacks probably will be more destructive and could result in “account balances and books and records being converted to zeros,” according to the June document from the Securities Industry and Financial Markets Association. Lawrence Mirel, a former insurance commissioner for the District of Columbia, said that without precedent it’s difficult for insurers to estimate the possible damage.

“Nobody has really been able to define what cyber-terrorism risk is,” said Mirel, now a partner at Nelson Levine de Luca & Hamilton LLC. “So even the companies that are offering these policies don’t entirely know what they are covering.”