Fed's Raskin: Cyberattacks Put Bank Reputations at Risk

WASHINGTON — The growing number of cyberattacks against banks is raising serious reputation concerns for financial institutions, Federal Reserve Board Gov. Sarah Bloom Raskin said Thursday.

"Even beyond the potential theft of data and disruption of service, cyberattacks can represent significant reputational risk because they have the potential to create dissatisfaction among many customers, or even more chilling, total loss of consumer confidence," said Raskin in a speech at a banking conference at the Federal Reserve Bank of Atlanta.

Cyberattacks on banks have been occurring on a more frequent basis. For example, in September, Web sites of several large U.S. banks were inaccessible for several hours due to attacks from foreign state-sponsored hackers.

Such threats, she said, will only rise as more bank customers depend on electronic and mobile banking services.

"One of the greatest threats facing not just banks but many businesses and government agencies is hacking, and the possible theft of proprietary data and personal information about customers," said Raskin.

Raskin said there is already work underway between the government and financial institutions to protect against cyberattacks.

But she warned that such episodes can elevate negative perceptions already held by many customers who mistrust financial institutions because of their role in the financial crisis.

"Financial institutions of all sizes have shared in the fall-out, fairly or unfairly, from a general decline in their industry's reputation among the public," said Raskin.

Indeed, the public continues to be angry about the bank bailout in 2008. But Raskin said supervisors and institutions can do more to improve efforts to consider potential risks to a bank's reputation.

"The current approach to managing reputational risk is largely reactive rather than proactive," said Raskin. "Banks and examiners tend to focus their energies on handling the threats to their reputations that have already surfaced."

Using such an approach is "not risk management," rather it is "crisis management, a reactive approach aimed at limiting the damage."

Regulators should work with financial institutions to obtain information and develop ways to measure the value of risks, she said.

"When we contemplate a supervisory approach that illuminates reputational risk, we might be able to more fully uncover the interconnection of risks that certain activities could impose on investors, creditors, counterparties, and taxpayers," said Raskin.

Supervision, she said, can unveil hidden loss exposures that may be building up through the accumulation of reputational risk elements. If regulators can identify and watch such free-floating risk, and push a bank's board of directors and senior management to pay more attention to reputational risk, it could help reduce the underpricing of these risks.

Financial institutions should be encouraged to review the potential riskiness of certain operations, investments, products and decisions that could impact their reputations, which ultimately affect the value of their enterprise, she said. Bank managers, meanwhile, should be incentivized by supervisors to consider, quantify and control factors that would elevate such risks before they emerge.

"Supervisors have a duty to see that all risks are fully understood, even those risks that, like reputational risk, are unquantifiable or have not fully emerged," said Raskin. "I believe this is an area where supervision can add value."
