War Games on Banking Cyber Attacks

The US and the UK announced that they will conduct a banking war games exercise right after the International Monetary Fund annual meeting that just concluded. Banking regulators are seeking confirmation that they have implemented adequate safeguards to prevent another “too big to fail” dilemma. Their resolve is fostered by the painful and costly bailouts of 2008 and 2009, when the US loaned 4.5% of its national income to banks and the UK loaned 10.5% of its GDP. So far the US lending has been repaid, but the UK’s has not.

The UK and US will each run a scenario involving a serious financial problem at a major bank and its offshore affiliate. During 2008-2009, Wall Street and bankers held too much low quality mortgage debt, and some fraudulently burnished their financial statements. Lehman Brothers exhibited both problems. While the US government elected not to bail out Lehman, it subsequently used $800 billion to bail out or fortify other large banks it considered “too big to let fail.”

Banking has a history of inadequate safeguards against insider misbehavior. In 2008, Jerome Kerviel at Societe Generale lost $6.9 billion of that bank’s money. In 2011, Kweku Adoboli lost $2.3B of UBS’s money; and twenty years earlier, Nick Leeson lost $1.9B of Barings Bank’s money, pushing Barings into bankruptcy. All three are examples of lone rogue traders who invested unwisely in volatile stock index futures. When bank cash-flow safeguards are inadequate or are disabled, money can flow out the door at a torrid pace into stock or bond index futures.

If a nation state placed malicious software into a bank’s trading desk and transaction limit controls system, it could expose the bank to rogue trader-like losses on a grand scale. Ironically, in the past few months there has been a rash of cyber-attacks against 10 large US banks where Trojan horse software was placed into their IT systems. The Trojan software is awaiting further instructions, and evidence suggests it is from Russia. There has been no confirmation whether the Kremlin or Russian gangsters are behind those attacks, and culpability may not matter.

It is unclear whether the victim banks have identified all of the software left behind in those cyber-attacks, and we may never know the degree to which their security is being bolstered by Homeland Security in its Critical Infrastructure Protection programs.

Regardless of those details, we should be concerned. Cyber-attacks on banks have the potential for far greater and quicker-felt damage to the economy than conventional credit card hacking at retailers such as Target or Home Depot.

A year ago in London, UK banking authorities held a cyber-attack war game for the financial sector. Earlier, a cyber-attack had caused a $1.3 billion loss at an unidentified UK bank. That may have sharpened bankers’ interest in the London war game. While this session was brief, it likely increased inter-bank cooperation going forward.

London’s cyber-attack war game shows that some financial regulators are starting to take cyber-attacks seriously. The post-IMF banking war game may be helpful in reassuring ourselves that we can withstand a sophisticated cyber-attack on banks.  Answers on the better known issue of “too big to fail” are likewise welcomed.  Both answers would be timely.

Alan Daley is a retired businessman who writes for The American Consumer Institute Center for Citizen Research

 
