For banks in cyber heist, how to get their money back?
By Joseph Ax
NEW YORK (Reuters) - Because the sums were large and such attacks are relatively new, the two Middle East banks hit in a $45 million ATM heist face an uncertain path in trying to recover their losses, financial, insurance and legal experts say.
Oman-based Bank of Muscat lost $40 million and United Arab Emirates-based National Bank of Ras Al Khaimah PSC (RAKBANK) lost $5 million in the global heist, U.S. prosecutors said on Thursday.
Computer hackers broke into third-party companies that processed transactions for prepaid debit cards issued by the banks, the prosecutors said. Then, gangs in 27 countries withdrew the money from cash machines in two coordinated hits, one on December 21 last year and the other on February 19 this year.
While details of what happened are still sketchy, experts said the banks could bring claims against the processing companies in court, or they could file claims with their insurers and those of the processing companies.
"There's no hard and fast rule," said Dan Karson, the Americas chairman of Kroll Advisory Solutions. "We're in very much a new cybersphere of finance, and allocating liability is still very much evolving."
Any claims by banks against the processing companies would depend on the contracts between the two parties, Karson and other experts said. Those contracts include industry security standards, which are required by the major credit card payment networks, in this case MasterCard.
In most security breach cases, the processing company in question did not fully comply with the standards, said Doug Johnson, vice president for risk management policy at the American Bankers Association.
However, even if the processor failed to comply with security standards, banks may still be unable to get back their money. That is because the contracts between processors and banks, under terms set by credit card companies like MasterCard or Visa, typically limit the processor's liability.