By Jim Finkle and Jonathan Spicer
BOSTON/NEW YORK (Reuters) – U.S. regulators on Tuesday told banks to review cyber-security protections against fraudulent money transfers in the wake of revelations that a hacking group used such messages to steal $81 million from the Bangladesh central bank.
The notice from the Fed and other financial regulators came two weeks after the U.S. Federal Bureau of Investigation privately urged banks to look for signs of possible cyber attacks. That report asked them to hunt for technical clues that they have been targeted by the same group, according to a notification seen on Tuesday by Reuters.
The warnings suggest that U.S. government and law enforcement agencies are concerned that recent attacks on banks in emerging-market economies could lead to losses for big U.S. firms that rely on the so-called SWIFT fund-transfer network, which serves as the backbone of international finance.
Concerns about cyber threats to banks have grown since Bangladesh Bank disclosed its heist in March. Similar cases later came to light, including an earlier $12 million theft from Banco del Austro in Ecuador, an attack on Vietnam’s Tien Phong Bank and one on an unidentified victim in the Philippines.
Dan Guido, a former member of the security team for the U.S. Federal Reserve System, said he expects the hacker group will launch more attacks.
“There is a hacker group out there that is polished and practiced. They know when they target a bank, they get in and get out and the attack will work,” said Guido, chief executive of cyber-security firm Trail of Bits.
The Federal Financial Institutions Examination Council, or FFIEC, said that banks should review risk-management practices and controls over payment systems networks, including authentication, authorization, fraud detection and response management.
The group did not issue new cyber-security rules, but highlighted existing guidelines. It warned banks that they could suffer financial losses from cyber attacks involving wire fraud and also be scrutinized by regulators to determine whether they are complying with security regulations.
The FFIEC’s members include the U.S. central bank, the Federal Deposit Insurance Corporation and the Comptroller of the Currency.
The FBI’s warning, which provided technical information about the recent attacks, said a “malicious cyber group” had compromised the networks of multiple foreign banks.
“The actors have exploited vulnerabilities in the internal environments of the banks and initiated unauthorized monetary transfers over an international payment messaging system,” the bureau said in a May 23 alert. The report, which did not identify specific victims, asks recipients to call the FBI if they find any of the technical indicators mentioned in the bulletin or have other “related information.”
An FBI spokeswoman declined to elaborate on the notification.
Bank security experts said that the FFIEC’s letter would have little impact because it was simply repeating previous recommendations.
“It’s the duty of regulators to issue these kinds of statements,” said Bill Nelson, chief executive of the Washington-based Financial Services Information Sharing and Analysis Center, or FS-ISAC, which shares information on emerging cyber threats with some 7,000 members.
Shane Shook, an independent financial security consultant, said he would like to see the U.S. government require stricter controls over employees’ use of bank messaging services.
(Editing by Dan Grebler and Matthew Lewis)