‘No plans’ to force banks to reveal if they’ve been hacked
THECentralBankhasnoplans to force banks to inform customers when their systems are hacked.
It comes as UK banks are now disclosing major security and operations incidents on foot of demands from regulators.
But banks here are reluctant to own up to security breaches, for fear of damaging confidence in electronic banking.
Irish banks have suffered numerous outages, with the problems invariably blamed on IT systems breaking down.
But cyber security experts suspect that hacking is often the reason for the systems going down, something banks will not admit is the problem.
In May both Ulster Bank and EBS experienced what they said were technical issues which prevented customers using online banking services.
Ulster Bank blamed a mistake by a staff member after a problem led to the disap- pearance of money from the accounts of its customers.
Other banks have had regular interruptions to services, often blaming human error or a problem with a system.
However, cyber security expert Brian Honan said banks and other business were regularly suffering cyber-attacks.
“There are cyber-attacks going on all the time, not just in banks, but in many sectors.
‘We are seeing them repeatedly, but in many cases they are not being publicised.”
Mr Honan, of BH Consulting, said the banks fear reputation damage if they own up to a cyber-attack.
“It is not a case of if a bank will be hacked, it is a case of when,” he said.
Mr Honan said there have been major online security breaches in the past, but little information about these was being revealed.
He said it would make sense to force banks to report cyberattacks as this would allow the gardaí and regulators to assess the scale of the problem and respond appropriately. He said quoted companies in the US are required to disclose attacks.
A spokesperson for the Central Bank said it had no specific plans to force banks to disclose IT outages on their websites.
The spokesperson added that the regulator had been clear with the banks on its expectations around communications to customers when IT outages occur.
“This includes providing customers with details on the services impacted, a time-frame for resolution with updates as required and an undertaking to refund any monetary loss.”
Banks are obliged to submit major incident reports to the Central Bank within four hours of detection.
In the UK regulators are now forcing lenders to publicise disruptions from cyber-attacks and other causes. The public reports are part of efforts by the Financial Conduct Authority to shine a light on banks’ ability to cope with a wave of hacks.