UK-based Tesco Bank froze online transactions on Monday after discovering that cyber-criminals stole money from 20,000 different customer accounts. The exact method used by the perpetrators is still under review, but preliminary analysis suggests the attackers exploited weaknesses in the bank’s online payment system related to the processing of debit card transactions. The bank has not disclosed exactly how much money was stolen, only stating that the amount is “a big number but not a huge number.” Other notable cyber-attacks on financial institutions this year have netted criminals amounts ranging from $10 million to $81 million.
With the prospect that similar attacks may occur in the United States, U.S. financial institutions and their customers should be asking “who foots the bill when cyber-criminals make off with a customer’s money?” Tesco Bank was quick to say that it will be reimbursing customers for funds stolen from their accounts, but one can imagine a scenario in which a bank is unable to absorb the cost of such a robbery.
While bank robberies have occurred for as long as there have been banks, and modern financial institutions have operational procedures and insurance to address theft risk, theft by cyber-attack poses new challenges and risks for U.S. banks. Banks typically address theft risk through private insurance. FDIC deposit insurance is there to protect depositors in the case of bank failure.
But what if the bank’s insurance does not cover cyber theft? If a bank is unable to restore lost customer funds either through its own means or through private insurance, can FDIC insurance come to the rescue?
The answer would appear to be yes, but only in the event that a bank is completely drained of capital and on the verge of failure. And even in that case, it is not entirely clear whether FDIC insurance would be available to those depositors whose deposits were stolen.