President of the Atlanta Fed, Dennis Lockhart:
...A real financial stability concern ... is the potential for malicious disruptions to the payments system in the form of broadly targeted cyberattacks. Just in the last few months, the United States has experienced an escalating incidence of distributed denial of service attacks aimed at our largest banks. The attacks came simultaneously or in rapid succession. They appear to have been executed by sophisticated, well-organized hacking groups who flood bank web servers with junk data, allowing the hackers to target certain web applications and disrupt online services. Nearly all the perpetrators are external to the targeted organizations, and they appear to be operating from all over the globe. Their motives are not always clear. Some are in it for money, while others are in it for what you might call ideological or political reasons.
Unlike other cybercrime activity, which aims to steal customer data for the purpose of unauthorized transactions, distributed denial of service attacks do not necessarily result in stolen data. Rather, the intent appears to be to disable essential systems of financial institutions and cause them financial loss and reputational damage. The intent may be mischief on a grand scale, but also retaliation for matters not directly associated with the financial sector.
Banks have been defending themselves against cyberattacks for a while, but the recent attacks involved unprecedented volumes of traffic—up to 20 times more than in previous attacks. Banks and other participants in the payments system will need to reevaluate defense strategies. The increasing incidence and heightened magnitude of attacks suggests to me the need to update our thinking. What was previously classified as an unlikely but very damaging event affecting one or a few institutions should now probably be thought of as a persistent threat with potential systemic implications.
I'm drawing your attention to this area of risk... But I feel the need to be measured about the potential for severe financial instability from this source. In my judgment, cyberattacks on payments systems are not likely to have as deep or long lasting an impact on financial system stability as fiscal crises or bank runs, for example. Nonetheless, there is real justification for a call to action. ...
Even broad adoption of preventive measures may not thwart all attacks. Collaborative efforts should be oriented to building industry resilience. Resilience measures would be similar to those put in place in the banking industry to maintain operations in a natural disaster—multiple backup sites and redundant computer systems, for example.