Link Search Menu Expand Document
Cybersecurity Research
  1. IV. THE PRESENT IMPACT OF COVID-19 ON THE BANKING INDUSTRY
    1. A. How the Pandemic Changed the Landscape of Banking
    2. A. What Data Breaches Have Occurred During the COVID-19 Pandemic?

IV. THE PRESENT IMPACT OF COVID-19 ON THE BANKING INDUSTRY

A. How the Pandemic Changed the Landscape of Banking

“Before COVID-19, these types of digital applications were nice to have. Now it’s a necessity.”177 This statement made by Anne Chow, the chief executive officer of AT&T, reflects how digital applications have become a lifeline for every bank during the pandemic as social distancing protocols have interrupted regular operations.178 The Department of Homeland Security deemed the financial services sector a Critical Infrastructure Sector during the COVID-19 pandemic, which means financial services workers have a “special responsibility” to maintain their normal work schedules.179 However, banks have had to adopt new ways to continue their operations while ensuring their adherence to public health and safety guidelines.180

Adapting to a “new normal” has forced banks to restrict in-person consumer access.181 For instance, the FDIC has allowed its member

Act, which is aimed at ensuring consumers have control over their physiological and geographic data).

176. Id.

177. Anne Chow, COVID-19: An Economic Crisis as well as a Pandemic – Technology is Here to Help, AT&T: TECH. BLOG (Apr. 28, 2020), https://about.att.com/innovationblog/2020/04/covid_19_technology.html [https://perma.cc/42GH-FH3E] (emphasis added) (detailing how AT&T has assisted financial services organizations transition to a remote workforce and to a social distanced work environment during the pandemic).

178. See id. (“Everything that could move online, did move online. The economy, businesses and consumers depended on and needed this transformation to survive.”).

179. See Memorandum from Secretary Steven T. Mnuchin, Dep’t of the Treasury, Memorandum for Financial Services Sector (Mar. 22, 2020), https://www.aba.com/-/media/documents/incident-response/Financial-Services-Sector-Essential-CriticalInfrastructure-Workers.pdf [https://perma.cc/MJN4-RZC2] (explaining which workers are part of the Essential Critical Infrastructure Workforce in the financial services sector).

180. OFF. OF THE COMPTROLLER OF THE CURRENCY, OCC BULL. NO. 2020-23, PANDEMIC PLANNING: ESSENTIAL CRITICAL INFRASTRUCTURE WORKERS IN THE FINANCIAL SERVICES SECTOR (Mar. 25, 2020), https://www.occ.treas.gov/news-issuances/bulletins/2020/bulletin2020-23.html [https://perma.cc/V56J-H7UK] (clarifying which employees in the workforce are considered essential and providing advice on how companies can continue business operations during the pandemic).

181. See FED. DEPOSIT INS. CORP., FREQUENTLY ASKED QUESTIONS FOR FINANCIAL INSTITUTIONS AFFECTED BY THE CORONAVIRUS DISEASE 2019 (REFERRED TO AS COVID-19)

banks to limit consumer access to physical branch offices.182 Similarly, the OCC has recognized that, considering the pandemic, there may be temporary bank closures and limited access to in-person services.183 Needless to say, the financial services industry has had to increasingly rely on technology to continue operating their businesses remotely.184

The pandemic has also spawned unprecedented levels of telework.185 For example, 84% of Deutsche Bank’s investment banking division is currently working remotely.186 JPMorgan Chase is alternating its 60,950 employees between office and remote work for an indefinite period of time.187 As telework surges, the OCC recommends that remote bank employees be extra vigilant and use secure communications while working at home.188 The recommended measures include using virtual

(May 27, 2020), https://www.fdic.gov/coronavirus/faq-fi.pdf [https://perma.cc/WK34- 22HH] (stating that financial institutions can consider alternative methods to physical banking in order to continue providing services to customers).

182. See id. at 4 (“Financial institutions can consider alternative service options to provide access to financial services. Financial institutions may want to remind customers of the various ways they can access banking services without physically coming to a facility, such as managing their accounts online, performing transactions at an automated teller machine (ATM), using telephone banking, or accessing a mobile banking application.”).

183. See Coronavirus Disease 2019 (COVID-19) Frequently Asked Questions for National Banks and Federal Savings Associations, OFF. OF THE COMPTROLLER OF CURRENCY, https://www.occ.gov/topics/supervision-and-examination/bank-operations/covid-19-information/covid-19-faqs-for-national-banks-and-fsa.html#BankOperations [https://perma.cc/T9GD-ZKWB] (last updated June 15, 2020) [hereinafter Coronavirus Disease 2019].

184. See Mo Katibeh & Steve Canepa, AT&T and IBM: Helping Businesses Adapt to New Work Environments, AT&T: TECH. BLOG (Aug. 18, 2020), https://about.att.com/innovationblog/2020/08/att_ibm.html [https://perma.cc/6Q2Z-7ZDL] (detailing how digital technologies will be critical for various industries in the post-pandemic future).

185. See Katherine Guyot & Isabel V. Sawhill, Telecommuting Will Likely Continue Long after the Pandemic, BROOKINGS INST. (Apr. 6, 2020), https://www.brookings.edu/blog/upfront/2020/04/06/telecommuting-will-likely-continue-long-after-the-pandemic/ [https://perma.cc/4JTD-2PY3] (discussing how telework has skyrocketed because of the pandemic, a trend that will likely become permanent post-pandemic).

186. See Retail Banking in the Age of COVID-19, DELOITTE 12 (May 2020), https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Financial-Services/gxfsi-retail-banking-in-the-age-of-covid-19.pdf [https://perma.cc/3SYD-RK2G] (analyzing how COVID-19 will affect the banking industry).

187. See Hugh Son, JPMorgan Will Have Staff Cycle Between Office and Remote Work in a Move That May Remake Wall Street, CNBC, https://www.cnbc.com/2020/08/25/jpmorganwill-have-staff-cycle-between-office-and-remote-work-in-a-move-that-may-remake-wallstreet.html [https://perma.cc/F92D-E565] (last updated Aug. 25, 2020, 1:45 PM) (discussing JPMorgan’s plan to alternate its workforce between in-person and remote work).

188. See Coronavirus Disease 2019, supra note 183 (“Banks should remind employees that cyber criminals are very active during these times of stress. Remind employees of good

private networks (“VPNs”), appropriately storing sensitive information, not opening emails from unknown sources, and conducting phone conversations with customers in a safe environment.189

While the pandemic has presented an opportunity for increased telework, it has also presented a crisis through the increased number of cyberthreats.189 Therefore, cybersecurity is more important than ever 190 In addition, history shows that there is a correlation between increased cybercrime and economic turmoil.192 Indeed, cybercrime reportedly increased 33% during the 2008 financial crisis.193 Just in the first quarter of 2020, the number of data breaches is up 273% compared to last year.194 Undoubtedly, hackers are capitalizing on the upheaval and fear caused by the virus.195

A. What Data Breaches Have Occurred During the COVID-19 Pandemic?

Cybercriminals have wasted no time in capitalizing on the government’s efforts to blunt the economic distress.196 In an effort to

cybersecurity practices such as not opening email or documents from unknown sources or clicking on unknown links. Be extra vigilant by using call-backs or verbal confirmation with bank staff and customers”) (emphasis added).

189. *See id. *(“Employees working from home should use secure communications, such as a virtual private network (VPN), when working with sensitive information. Employees should appropriately store and safeguard sensitive information while working at home. Telephone conversations dealing with sensitive customer or employee information should be guarded in a home environment. Bank management should provide consistent and clear guidance on how to handle sensitive customer, bank, and employee information to all employees working at homes.”).

190. See Remote Work in 2021: Cybersecurity Grows in Importance, DICE (Nov. 13, 2020), https://insights.dice.com/2020/11/13/remote-work-in-2021-cybersecurity-grows-inimportance/ [https://perma.cc/ZY5R-NX8P] (discussing how significant populations of employees will remain working remotely in 2021, and COVID-19 has brought about a plethora of cybersecurity issues in the work-from-home-environment).

191. See RISK BASED SEC., INC., supra note 21 (examining how the conditions are perfect in a pandemic for increased cybercrime).

192. *See id. *(reporting that Internet fraud increased during the 2008 recession).

193. See id. (examining various news sources reporting on the surge of cybercrime during the 2008 recession).

194sup>.* See* Sheng, supra note 1 (discussing how cybercriminals capitalize on uncertainty and confusion during times of upheaval, with the number of breaches up 273% in the first quarter of 2020 compared to 2019 as companies shifted to online business).

195. See id. (scrutinizing the ways in which cybercriminals have taken advantage of the COVID-19 pandemic by hacking the government and businesses).

196. See Nathaniel Popper, ‘Pure Hell for Victims’ as Stimulus Programs Draw a Flood of Scammers, N.Y. TIMES, https://www.nytimes.com/2020/04/22/technology/stimulus-

mitigate the economic fallout resulting from COVID-19, the government has issued trillions of dollars in relief funds through their COVID-19 response bill legislation (the “CARES Act”).197 The most visible relief has been in the form of Economic Impact Payments (“EIP”), also known as stimulus checks.198 Eligible taxpayers—individuals whose income was below $99,000—received a one-time EIP payment of $1,200.199 Joint households whose income was below $198,000 received a one-time EIP payment of $2,400.200 Unfortunately, the availability of stimulus funds “ring[s] the dinner bell for hackers.”1201 Cybercriminals have assumed false identities and set up malicious websites to steal these stimulus funds.202 Indeed, despite the global health crisis, cybercrime is speeding up.203 Total traffic at the Identity Theft Resource Center, a nonprofit organization that helps data breach victims, was up 850% in March compared to 2019.204 The FTC reported increased cases of identity fraud since the pandemic started.205 Federal agencies like the Federal Bureau of Investigation have even issued warnings of cybercriminals attempting to capitalize on the pandemic.206 *** checks-hackers-coronavirus.html [https://perma.cc/ZFL4-8B7Q] (last updated Sept. 15, 2020) (examining how cybercriminals have been targeting recipients of stimulus payments to help blunt the economic fallout of COVID-19).

197. Id.; see also Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”), Pub. L. No. 116-136, 134 Stat. 281 (2020).

198. See Popper, supra note 196 (discussing how cybercriminals are targeting stimulus check recipients); see also 26 U.S.C. § 6428 (providing COVID-19 relief through payments of $1,200 for eligible individuals or $2,400 for eligible individuals filing a joint return, in addition to $500 per child under the age of 17).

199. See 26 U.S.C. § 6428; U.S. Dep’t of the Treas.,* The CARES Act Provides Assistance to Workers and Their Families,* POLICY ISSUES: CARES ACT-ASSISTANCE FOR WORKERS AND FAMILIES https://home.treasury.gov/policy-issues/cares/assistance-for-american-workersand-families [https://perma.cc/S6SH-GX4S] (providing details on who is eligible for Economic Impact Payments and the amount eligible taxpayers can expect to receive); see also Jessica Dickler & Lorie Konish, Will Americans Get Another Round of Stimulus Payments? Your Top Questions Answered. CNBC, https://www.cnbc.com/2020/06/22/will-americansget-more-stimulus-payments-your-top-questions-answered.html [https://perma.cc/F9SA2YXG] (last updated June 22, 2020, 4:49 PM) (discussing the number of Americans who have received stimulus payments, and who is eligible for a stimulus payment).

200. Id.

201. Popper, supra note 196.

202. See id. (reporting an uptick in cybercrime during the pandemic).

203. Id.

204. *Id. *

205. *Id. *

206. FED.BUREAU OF INVESTIGATION, PUB. SERV. ANNOUNCEMENT I-042020-PSA, ONLINE EXTORTION SCAMS INCREASING DURING THE COVID-19 CRISIS (Apr. 20, 2020); see also Ken

While individuals and families have suffered from cybercrime during the pandemic, federal agencies have also been hurt.207 On March 25, 2020, the Small Business Administration discovered a data breach that compromised the information of 7,913 businesses applying for the Economic Injury Disaster Loan (“EIDL”) program.208 The EDIL program offers each applicant up to $2 million in loans.209 It was the only source of emergency funding for many businesses before Congress enacted the $2 trillion CARES Act to provide COVID relief.210

Bank of America suffered from a data breach on April 22, 2020, impacting customers who applied for the Paycheck Protection Program;211 another program created by the CARES Act to encourage businesses to keep employees on its payroll.212 Saying that only a “small number” of customers were affected, Bank of America has not disclosed the specific number of breached applications.213 In response to the breach, Bank of America (1) ordered an investigation, (2) advised clients to review their account statements carefully and report suspicious activity, and (3) offered clients free two-year membership of Experian’s identity theft program.214

Dilanian et al., FBI, Other Agencies Warn of ‘Imminent Cybercrime Threat’ to U.S. Hospitals, NBC NEWS, (Oct. 28, 2020, 11:32 PM), https://www.nbcnews.com/news/us-news/fbi-otheragencies-warn-imminent-cybercrime-threat-u-s-hospitals-n1245212 [https://perma.cc/ZXS5- WUV5] (discussing how federal agencies like the Federal Bureau of Investigations are warning of “an increased and imminent cybercrime threat”).

207. Patrick McKnight, SBA Loan Program Suffers Data Breach, AMERICAN BAR ASS’N (May 6, 2020), https://www.americanbar.org/groups/business_law/publications/committee_newsletters/cyb erspace/2020/202005/fa_1/ [https://perma.cc/R4TN-U3WC] (detailing a data breach suffered by Economic Injury Disaster Loan program through the United States Small Business Administration, which involved 7,913 businesses applying for emergency funding as a result of COVID-19).

208. *Id. *

209. Id.

210. Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”) Pub. L. No. 116-136, 134 Stat. 281 (2020); McKnight, supra note 207.

211. Dev Kundaliya, Bank of America Suffers Data Breach in Paycheck Protection Program, COMPUTING (May 28, 2020), https://www.computing.co.uk/news/4015730/bankamerica-suffers-breach-paycheck-protection-program-application-process [https://perma.cc/4MJY-3X8D].

212. See Paycheck Protection Program, SMALL BUS. ADMIN., https://www.sba.gov/funding-programs/loans/coronavirus-relief-options/paycheckprotection-program [https://perma.cc/KQ3U-NQ42] (last visited Nov. 2, 2020) (discussing details and eligibility criteria of the Paycheck Protection Program).

213. Kundaliya, supra note 211.

214. Id.

Table of Contents

Table of contents