A key debate among supporters and opponents of the Dodd-Frank financial reform law concerns whether it ends the practice of bailouts for financial institutions. Supporters claim that bailouts are forbidden by Dodd-Frank, and that an orderly liquidation of a failing firm will wipe out its bondholders, board members and top managers, instead of having taxpayers prop them up. Detractors from the left and right argue that bailouts will happen anyway when push comes to shove, that the liquidation process won’t work with a globally integrated bank, or that the failing firm’s creditors would get repaid amid the process, making the liquidation a back-door bailout of the rest of the financial system.
This debate will rage on, probably until the moment liquidation authority needs to be used. But there’s another way banks can get bailed out by taxpayers, one that this past week’s widely reported cyberattack on JPMorgan Chase could have triggered.
According to Bloomberg News, the Treasury Department has informed the nation’s major banks that it would trigger an obscure law to pay back any bank that suffers major losses from a hacking assault on its computer networks. Treasury would accomplish this with taxpayer money, though you could certainly argue that the bank’s information security defenses, not taxpayers, would ultimately be responsible for any hacking success.
The law in question is called the Terrorism Risk Insurance Act (TRIA). I reported on the law, which expires at the end of 2014 and awaits an extension, earlier this year. Currently, more than 60 percent of all American businesses purchase private terrorism insurance, a product that didn’t exist until after the Sept. 11 attacks. The government actually backstops this private insurance, kicking in after the private sector takes around $27.5 billion in losses. TRIA was meant to be temporary; in theory, once the insurance industry put the threat of terrorist attack into their risk models, the government backstop would expire. But because of the political salience of terrorism, the program has repeatedly been extended over the past 12 years. To date, TRIA has never been used, and private insurance companies, who do not pay the government for the backstop, have made roughly $40 billion on terrorism risk insurance.
TRIA only kicks in if the Treasury secretary labels an event an act of terrorism. The law does not explicitly mention cyberattacks as eligible for relief, but it gives the Treasury secretary quite a bit of discretion to label terrorist events. So it appears likely that a hacking attack could fall under the auspices of the law, especially when you consider the typical closeness of Treasury secretaries to the financial industry. Banks do have insurance policies to guard them against losses from cyberattacks; some insurance companies have warned that they would stop selling those policies unless the government backstops them.
Bloomberg also reports that funds earmarked for natural disasters could be employed to pay banks in the wake of a cyberattack. So there are a number of potential ways that taxpayer money could flow to Wall Street under this scenario.
For the most part, this makes sense. Since banks remain heavily connected to one another, an attack disabling the network of one bank could cascade through to others. Millions of transactions we take for granted every day could stall, affecting ordinary depositors and businesses. Government would be justified to step in.
However, the recent alleged attack on JPMorgan Chase offers an example of the potential pitfalls here. We initially learned that the FBI opened an investigation into a data breach at JPMorgan, involving “gigabytes” of sensitive data, which unnamed officials claimed came from Russian hackers. But as Marcy Wheeler points out, the FBI officially gave no comment. JPMorgan apparently leaked the cyberattack to the press; the FBI’s investigation came out of the media reports. By the end of the week, credible sources doubted Russian involvement and perhaps the entire attack itself.
Wheeler further showed that House Intelligence Committee chairman Mike Rogers was likely a source for the series of reports, and that the leak of Russian involvement served a political purpose amid growing tensions in Ukraine. What’s more, the news of the attack came just days before Bloomberg also revealed that banks would have to get bailouts for any cyberattacks.
If I didn’t know better, I’d say this alleged JPMorgan breach was something of a dry run. We still don’t know what these hackers purportedly took, whether they affected any banking operations and what, if anything, the FBI has found in its investigation. All the sources are anonymous, and the attack wholly unconfirmed. Yet it served as a realistic, scary example of how a cyberwar could overrun the financial system. The vague connection to Russian hackers offered some nice color.
I won’t stray too far into tin-foil hat territory in suggesting that some imminent, unrelated failure in the financial system could easily be papered over by a sudden announcement of a bailout-inducing “cyberattack.” But consider this: Back in July, Wall Street’s biggest trade group, the Securities Industry and Financial Markets Association (SIFMA), proposed a “cyber war council,” made up of government and Wall Street leaders, to fight debilitating attacks on financial computer networks. Keith Alexander, the former head of the National Security Agency, has been retained (for at least $600,000 a month) to facilitate the council.
So we already know about Wall Street’s intentions to get government to shield them from any consequences of network intrusions, and to involve themselves in what amount to war-making decisions. That they would use the media to increase the pressure should not come as a surprise. It makes you wonder what would really qualify as a “terror attack,” freeing up government funds for Wall Street.
The problem is that there’s almost no transparency to the shadowy world of cybercrime and information wars, and implicitly guaranteeing a Wall Street bailout from any repercussions just adds to the secrecy. We don’t know who made these promises, what’s really happening inside cybersecurity networks, what would constitute a “cyberterror” attack and who’s profiting from it all. And combining this black box with the possibility of unlimited taxpayer support creates a potentially lethal cocktail.
TRIA has not yet passed Congress, amid skepticism from some corners of the right about crony capitalism and handouts for the insurance industry. At the least, lawmakers should get on the record how far the government’s responsibility would carry in the event of a cyberattack on the nation’s financial centers. It seems like something taxpayers might want to know.