ST. LOUIS Lucky Bank's problems started harmlessly. An employee opened a Word document emailed by a purported job applicant.
Before long, private messages were revealed, customers at Lucky and competing banks lost money, and Visa cut off access. There was unwanted attention from federal officials, plaintiff lawyers and even state attorneys general. An aggressive reporter desperate for a story hounded the bank for answers. But what were those answers? The bank hadn't prepared for this nightmare becoming real.
This crisis was not real and neither is the bank. But the made-up simulation, designed by the American Bankers Association and performed by real-life professionals at recent ABA conferences, is intended to help institutions think through how they would deal with scenarios that are increasingly plausible.
"How could you have made up" the Sony Pictures attack? asked Doug Johnson, senior vice president and chief advisor at the ABA, opening the panel simulation at the trade group's recent risk management forum here.
Indeed, Lucky Bank's breach had similarities with the real-life cyberattack of the movie studio allegedly by North Korea. The suspected perpetrator in the simulation was an Iranian paramilitary group, perhaps with government ties. The $10 billion-asset bank was targeted because of its location near a U.S. base, from where overseas drone strikes are launched.
In the ABA's scenario, the breach, connected to one email sent to human resources, infected multiple systems. Initially, customers reported unauthorized withdrawals from locations in North America and overseas. Then, it became clear hackers had compromised the bank's email system; private messages including between loan officers disparaging the credit record of the base commander were publicized.
Customers complained when, after Visa suspended the bank's debit cards, they could not access their accounts. But the hack took on a more systemic nature when other banks complained of customers losing funds after they had used Lucky Bank's ATMs.
Johnson said the potential for a hacker's entry into one data location to affect other areas of the bank should force institutions to think about whether linking up systems is a good idea.
"What Sony showed us is there may be any number of different ways an institution is being attacked at the same time simultaneously by the same perpetrator," he said. "Segregation of systems and understanding where systems are intertwined where they shouldn't necessarily be intertwined is important."
In the simulation, during which panelists portrayed the bank's executives but also shared real-life wisdom, the level of information the bank divulged publicly was a constant issue. A local reporter played by a real-life crisis communications advisor was relentless in getting information without concern for the bank's reputation.
When the bank's chief executive played by Linley Abbott, operational risk manager at FirstMerit Bank in Akron, Ohio said he would rather comment later after the bank had determined more about the breach, the reporter dug in.
"There is no later time. We post [stories] on a regular basis. If you can give me something precautions you've taken, regulators you have to notify that would be great," the reporter, played by Merrie Spaeth, of Spaeth Communications in Dallas, said. "Otherwise I'll be posting my account now, with a few pictures of the outside of the bank and your sign, saying you wouldn't comment."
Panelists said that there is a tricky line to walk in developing a public message during the crisis to assuage concerns from customers but still not divulge information prematurely. Institutions would normally have prepared a somewhat generic statement beforehand to release to the public that "would instill a little bit of confidence that we're working on the issue," said LeAnne Staalenburg, senior vice president of Capital City Bank in Florida, who played Lucky Bank's chief information security officer.
"Our responsibility is first to our customers, not to our reputation," said Abbott.
Nathan Taylor, a partner at Morrison & Foerster, who played the bank's general counsel, said the institution should be "mindful of not overstating publicly our degree of confidence.
"We're walking this nasty balancing act where we want to maintain customer confidence but we also don't want to be making prospective statements or statements without reasonable basis," he said.
Spaeth warned that the bank in this situation risks worsening the situation by being too closed. At one point in the simulation, the reporter has tweeted about the bank and hundreds of messages about the breach are circulating through social media.
"Somebody needs to respond and say something," Spaeth said. "Maybe not a lot, but something. If you just leave them sitting out there, they're going to build on each other and are going to viral."
Banks in this situation should also not be blind to how the press can help them, she said. As reporting about crises these days is instantaneous, she noted, in addition to critics there would likely be customers expressing their faith in the bank to do right by them.
"They will become your proxy ambassadors," she said.
Eventually in the ABA's scenario, the bank brings in an outside forensics team to determine the extent of the breach. In addition to federal bank regulators, the institution has also been in touch with the Secret Service, Pentagon and FBI to help investigate the origins of the hack.
Fallout continues to spiral. Calls from executives at other banks about their customers reporting fund losses after using Lucky Bank ATMs indicates the hackers were able to install malware on teller machines. With more and more customers affected, a plaintiff law firm looks at pursuing a class action suit against Lucky, and the bank starts hearing from attorneys general in other states. After informing the chief executive about a call from the Connecticut state AG, Taylor said, ""They're going to be our friend for the next year as they investigate this."
The bank eventually decides to use coverage from an insurance policy for cyber-related problems to pay for two years of credit monitoring for customers at risk of identity theft.
But while the reporter continues to press the bank, it is also grappling with how to field increasing complaints from customers. Accountholders were worried not only about unauthorized withdrawals but also the inability of service members to access accounts while deployed overseas because of the denial of Visa service.
"My son is still trying to buy milk in Germany," said Sidney "Chip" Corbett, who played the base commander and in real life is first vice president of Hoyne Savings Bank in Chicago. Corbett at one point says he has heard he can submit complaints to the Consumer Financial Protection Bureau for potential publication on the bureau's website.
The panelists said having infrastructure to be able to expand the reach of customer service call centers is important.
"We're bringing in" temporary staff "to help. IT is working on setting up more lines to increase capacity. We've sent people to a backup recovery site where they have available phones and access to systems and screens," said Abbott.
"We're doing the routing necessary in order to try to deal with the influx of calls we've received from clients so the management in the organization can concentrate on trying to get to the bottom of the breach and the damage that's been done."