Recent arrests followed one of the more complex cyber attacks in history. $45 million was reportedly stolen in the blink of an eye but it may take years to comb through the unprecedented cyber-liability issues. Two major banks are now evaluating novel liability issues and presumably deciding whether to lodge a series of lawsuits with major implications on the landscape of cyber-liability.
This week the press reported that the Oman-based bank of Muscat and the United Arab Emirates-based National Bank of Ras Al Khaimah PSC (RAKBANK) were the targets of two coordinated cyber attacks, the first taking place sometime last December and the second this February. Reportedly, in a highly coordinated effort, hackers broke into third-party entities that processed transactions for prepaid debit cards issued by the banks. Next, gangs located in 27 countries withdrew funds from cash machines ultimately taking approximately $40 million from Muscat and $5 million from RAKBANK.
The victim banks are left picking up the pieces are looking for ways to recover their losses. One of the possible avenues of recovery is claims against those entities responsible for protecting the data such as the third-party processing companies. If those processing companies failed to comply with security standards, they could be liable to the bank. But this is not exactly an easy option. Many processing companies utilize limitation of liability clauses within their contacts.
Another route that may be available to the banks is to seek recovery by filing an insurance claim assuming they are protected by an applicable cyber insurance policy.
The recovery and liability issues are murky and will likely be played out through litigation. Given that this is a developing area of the law, it will be interesting to learn if the banks are able to recover and, if so, from what source. The cyber-liability community, and the greater professional liability community, will keep an eye on the fallout from this massive theft.