By Kim Dincel.
Imagine telling your directors at a hastily called, special emergency session of your board that your organization has been an unwitting victim of Corporate Account Takeover (CAT), and that all the money in the organization’s bank account was stolen by Ukrainian cyber thieves.
After your chair reassures the board that a recent audit confirms there has been no employee embezzlement, no playing the stock market with organization funds, and no other inappropriate expenditure by staff or board members, a board member asks: what is a CAT, why should we be worried, and won't the bank cover such obviously fraudulent activity?
After the initial shock of the loss comes the harder part: informing the board that the money in the bank – perhaps all the money in your operating account – is gone, and that your bank (yes, the bank you've had a 25-year relationship with) is telling you it will not reimburse or replace the funds because it doesn't have to and is not liable. Employees and operating expenses can't be paid, and the organization's solvency and future, once taken for granted, are now in question. Not a pretty picture.
Think it can't happen to your organization? Think again.
I read with great interest the California Special District Association's article in PUBLICCEO about protecting special districts from online fraud. The article is good but fails to mention one of the financial community's best-kept secrets: business bank accounts do not have the same protection as personal accounts when it comes to getting your money back after cyber criminals steal it from your account.
In other words, small businesses, municipalities, special districts, and non-profits do not enjoy the same FDIC protections that individual banking customers do. Business customers usually learn that fact only after it's too late to do anything about it.
Individual consumer banking accounts are protected under Federal Reserve Regulation E, which requires banks to reimburse certain fraud losses. Regulation E does not apply to business accounts. Business and commercial bank accounts are governed by the Uniform Commercial Code (UCC), which has been adopted almost word for word by most states; in California it is the California Commercial Code (CCC).
Under the UCC, business account holders have far less protection and much higher liability for fraud than consumers do for exactly the same conduct. Financial institutions are willing to accept these tradeoffs because individual consumers do not normally maintain the kind of cash balances that businesses keep in their accounts. Additionally, individuals are normally very aware of any unauthorized activity on their personal accounts, so the risk to a bank is substantially smaller.
It's an area of the law that is desperately in need of reform. One of my clients – TRC Operating Company – just fought this battle with its former bank – United Security Bank of Fresno – and was successful in recovering money only because of its persistence and financial resources. Many municipalities, non-profits, and small businesses are financially devastated after a CAT, forcing some of the victims to file for bankruptcy.
Recent examples include:
- The Western Beaver public school district in Pennsylvania was the victim of a cyber-attack in which more than $700,000 was taken from the school's account at ESB. The funds were apparently transferred in 74 separate transactions over a two-day period.
- Efficient Services Escrow Group located in Southern California was hit with 3 fraudulent wire transfers totaling $1,558,439 from the company’s account at First Foundation Bank. They were able to recover $432,215 but were still forced into bankruptcy.
- Unique Industrial Product Co., a Sugar Land, Texas-based plumbing equipment supply company was the victim of another cyber theft in which $1.2 million was stolen in 43 transfers out of the company’s account in less than 30 minutes.
- Village View Escrow in Redondo Beach was the victim of a cyber theft totaling $465,000. The funds were apparently transferred in 26 separate wire transactions over a two-day period.
- JM Test Systems, an electronics calibration company in Baton Rouge, lost approximately $97,000 in two unauthorized wire transfers to Russia. They were only able to recover $7,200.
What is Corporate Account Takeover?
According to the CBO, Corporate Account Takeover is an evolving electronic crime that typically targets businesses of all sizes, especially those with limited or no computer safeguards and minimal or no disbursement controls for their institution's online business banking system. These businesses, non-profits and government agencies are vulnerable to theft when cyber thieves gain access to their computer systems and steal confidential information in order to impersonate the business and send unauthorized wire and ACH transactions to accounts controlled by the thieves.
Municipalities, school districts, large non-profit organizations, corporate businesses, and any customers that perform electronic transfers are potential targets. Losses from this form of cyber-crime range from the tens of thousands to the millions with the majority of these thefts not fully recovered. These thefts have affected both large and small institutions.
This type of cyber-crime is a technologically advanced form of electronic theft. Malicious software, which is available over the Internet, automates many elements of the crime, including circumventing one-time passwords, authentication tokens, and other forms of multi-factor authentication. Customer awareness of online threats and education about common account takeover methods are helpful measures against these threats. However, because institutions depend on their customers maintaining sound computer and disbursement controls, there is no single measure that stops these thefts entirely. Multiple controls, a "layered security" approach, are required.
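As an added illustration of the "disbursement controls" this passage says are missing in most victims (example code written for this page, not anything from the CBO, the article, or any bank), the following hold-for-approval rule set is run over a constructed batch modelled on the bursts of transfers in the cases listed above: many mid-sized payments in minutes to accounts never paid before. The thresholds, the Transfer fields and the sample batch are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy thresholds (assumptions for this example, not the article's figures).
PER_TXN_LIMIT = 50_000.0            # single transfer above this is held
DAILY_LIMIT = 150_000.0             # aggregate released per calendar day
VELOCITY_MAX = 10                   # transfers allowed per trailing window
VELOCITY_WINDOW = timedelta(minutes=30)
HOME_COUNTRY = "US"

@dataclass
class Transfer:
    when: datetime
    amount: float
    beneficiary: str    # receiving account as known to the payer
    country: str        # country of the receiving bank

def review_transfers(transfers, known_beneficiaries):
    """Return {index: [reasons]} for transfers that must be held for
    out-of-band approval by a second person instead of auto-release."""
    holds, daily_total = {}, {}
    ordered = sorted(enumerate(transfers), key=lambda p: p[1].when)
    for pos, (idx, t) in enumerate(ordered):
        reasons = []
        if t.amount > PER_TXN_LIMIT:
            reasons.append("over per-transfer limit")
        day = t.when.date()
        daily_total[day] = daily_total.get(day, 0.0) + t.amount
        if daily_total[day] > DAILY_LIMIT:
            reasons.append("daily aggregate exceeded")
        if t.beneficiary not in known_beneficiaries:
            reasons.append("first payment to this beneficiary")
        if t.country != HOME_COUNTRY:
            reasons.append("cross-border destination")
        # Velocity: transfers (this one included) inside the trailing window;
        # a burst of many mid-sized payments is the pattern in the cases above.
        start = t.when - VELOCITY_WINDOW
        recent = sum(1 for _, u in ordered[:pos + 1] if u.when >= start)
        if recent > VELOCITY_MAX:
            reasons.append("velocity: %d transfers in window" % recent)
        if reasons:
            holds[idx] = reasons
    return holds

def constructed_batch():
    """Constructed sample patterned after the cases above: 43 transfers of
    $27,900 in under 30 minutes, to accounts never paid before."""
    t0 = datetime(2024, 1, 15, 9, 0)
    return [Transfer(t0 + timedelta(seconds=40 * i), 27_900.0,
                     "acct-%02d" % i, "US") for i in range(43)]
```

Every transfer in the constructed batch is held, the first five on the new-beneficiary rule alone and the rest on the daily aggregate and velocity rules as well; a held payment is released only after a second person confirms it through a channel the compromised workstation cannot see.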
What does the CBO Recommend?
In cooperation with other State and Federal regulators, CBO has posted to its web site Best Practices – Reducing the Risk of Corporate Account Takeovers (Best Practices) and other supporting documents. The Best Practices list nineteen processes and controls within a three-part risk management framework of Protect, Detect, and Respond. Management and the board of directors should consider each of these nineteen components in a risk management program to mitigate the risk of Corporate Account Takeover. The processes and controls are broad enough to accommodate the unique needs of every institution and its customers utilizing online banking services. The Best Practices are not an all-inclusive list and are provided as guidance to assist in implementing the recommended processes and controls to reduce the risk of Corporate Account Takeover theft.
Find more Resources and Online Tools at www.dfi.ca.gov/resources.
Kim Dincel is a principal of the Dincel Law Group. His practice focuses on cyber security breach litigation, among other specialties. He can be reached at (408) 792-5915 or www.dincellaw.com.