U.S. regulators are stepping up calls for banks to better-arm themselves against the growing online threat hackers and criminal organizations pose to individual institutions and the financial system as a whole.
The push comes as government officials grow increasingly concerned about the ability of a cyber attack to cause significant disruptions to the financial system. Banks such as J.P. Morgan Chase & Co., Bank of America Corp. and Capital One Financial Corp. have been targeted by cyber assaults in recent years, including potent "denial-of-service" strikes that took down some bank websites off-and-on for days, frustrating customers. Banks have spent millions of dollars responding to or protecting against such attacks, including a wave of attempted online assaults targeting major banks beginning last year that U.S. defense officials say had the backing of the Iranian government.
The warnings reinforce the message from Washington that the private sector has primary responsibility for fending off attacks, even from groups the U.S. believes are tied to a foreign government. Some banks have bristled at the suggestion they can fend off a foreign nation and have asked the U.S. to intervene to mitigate such attacks, either by blocking the attacks or moving against those mounting them.
A banking industry official said the onus can't just be on banks to combat cyber attacks. "It needs to be collaborative; the industry can't take on foreign countries alone," the official said.
The U.S. has increasingly adopted a hard line toward firms whose systems are violated, holding companies more accountable for protecting themselves. Last year, the Federal Trade Commission filed a lawsuit against Wyndham Worldwide Corp. alleging the hotel chain failed to protect the credit-card information of its consumers. In 2011, the Securities and Exchange Commission issued guidance requiring companies to disclose to investors more details when their computer systems have come under attack by hackers.
Regulators and the banking industry are coordinating efforts to respond to the growing threat, including a major cyber "war game" exercise slated for later this month involving top regulators, the Department of Homeland Security and major banks. Organized by the Securities Industry and Financial Management Association and titled "Quantum Dawn 2," the exercise is supposed to replicate a large, coordinated cyber attack to test the industry's response.
Officials from the Treasury Department and other financial regulators have been conducting regular classified and non-classified briefings with bank officers about the increased likelihood banks of all sizes could come under attack. Treasury Secretary Jacob Lew last week met with roughly 40 executives in New York to discuss concerns, one in a series of meetings Mr. Lew has had on the topic with government and business leaders, according to the Treasury Department.
Last week, the Federal Reserve and other banking regulators formed a new "cyber security" working group to highlight the issue and better coordinate government responses. And earlier this week, the Office of the Comptroller of the Currency hosted a call with more than 1,000 community bankers, warning that cyber attacks are on the rise-particularly among small banks-as the number of potential targets expands.
"You have to think of cyber-risk as part of the other overall risks at your bank," said Valerie Abend, the OCC's senior critical infrastructure officer.
Regulators are counseling bank executives to change the way they think about cyber attacks, she said, and consider them as they do more traditional risks, such as lending and interest-rate risk, when making strategic decisions. As with regulators' recent push to step up enforcement of antimoney-laundering rules, banks are being told that they'll be judged on their preparation against cyber attacks when examiners gauge a bank's operational risk. Executives are being told to train workers on potential risks posed by hackers, and to be proactive in communicating risks to customers and employees.
The Financial Stability Oversight Council, which Mr. Lew leads, cited cyber security as one of its key "emerging threats" this year. Mr. Lew raised the issue of cyber theft of trade secrets with his Chinese counterparts on a recent visit to Beijing.
While no specific incident is behind the focus on cyber security, regulators are concerned that the number of cyber attacks spawned by increasingly sophisticated hackers, criminal organizations, hactivist groups and nation-states is going to rise. The OCC said in its presentation to bankers that cyber attacks overall, including on banks, increased 42% in 2012, ranging from malicious software or phishing attacks, to well-publicized denial-of-service attacks.
The threat became apparent late last year when Iranian hackers conducted a wave of cyber attacks targeting major U.S. banks. The attacks disrupted banks' websites, flooding them with high volumes of traffic in order to render them unavailable, and leading to warnings from U.S. officials to halt.
Karl Schimmeck, SIFMA's vice president of financial-services operations, said the industry needs to gird itself for the reality of cyber incursions.
"We're a big target.... People don't go out and physically rob banks anymore. This is the best way to get access to what banks have" including money and critical information, Mr. Schimmeck said.