Flagstar Bank, the seventh-largest bank mortgage lender in the US, announced in June 2022 that it had been hacked in December 2021 and that personal data on 1.5 million customers had been exfiltrated. According to news reports, Flagstar has not explained the six-month gap between the attack and the announcement. Earlier in 2021, Flagstar was among the many companies breached through the compromise of the Accellion file transfer appliance.
Flagstar said it has no evidence that any of the information obtained in the latest breach has been misused. Nonetheless, at least two customer lawsuits are in the courts, one filed by a plaintiff who claims that his identity was used to fraudulently take out a loan after the breach. The bank is offering affected customers two years of credit monitoring.
Estimate of Probable Costs for Flagstar Bank from a System Intrusion Attack
Flagstar has not made public the details of the attack, but for this analysis let's assume the bank was hit with a system intrusion attack: code exploitation, brute-force password guessing or other tactics that gave cyber criminals a foothold on the network. Using the RiskLens My Cyber Risk Benchmark tool, we can estimate the probable loss from a system intrusion attack on a financial organization of Flagstar's size:
- $310.3 million for Primary Response Costs
- $22.7 million for Lost Revenue
- $585,000 for Fines & Judgments
- $333.6 million Total
Financial Industry Cyber Incidents Count
The authoritative 2022 Verizon DBIR reports that the financial sector suffered 2,527 cyber incidents in 2021, including 690 confirmed data breaches. That placed the industry fifth for total incidents but first for data breaches among the 21 industries surveyed.
Most Probable Cyber Risks by Incident Frequency and Loss for Banking, Insurance, and other Financial Institutions
The RiskLens data science team estimates risk for companies in an industry category based on cyber event history plus a wide range of parameters such as revenue, number of employees and number of database records.
In RiskLens modeling, system intrusion for a financial institution of Flagstar's size and type comes in as a relatively low-frequency risk: a four percent chance of occurring in a given year, with an expected loss of about $330 million if it does (roughly $13 million in annualized expected loss). As shown in the chart below, insiders are the most likely source of cyber events in finance; banks and other financial institutions have been relatively successful in reducing the frequency of successful external attacks. As the IBM Security X-Force Threat Intelligence Index 2022 commented:
“High security standards in place at most financial organizations are yielding concrete results and the financial services industry is doing security right. In addition, hybrid cloud environments are dominant at financial services organizations, allowing for better visibility into and management of sensitive data.”
Finance also comes out relatively well compared with organizations of comparable size in other industries, ranking fifth for incident probability and sixth for incident cost out of nine industries.
Database Size and Security Posture Make a Difference
Adjusting the parameters in the My Cyber Risk Benchmark tool gives clues about how to reduce cyber loss exposure.
For instance, reducing the number of records in the database while leaving the other settings for a financial company unchanged shows a dramatic improvement in the probable loss from a system intrusion event:
- 10M–100M Records = $330M Loss
- 10K–100K Records = $132M Loss
To rate security posture, the Benchmark tool incorporates grading by SecurityScorecard. Here's how the annual probability of a system intrusion attack rises for a bank or insurance company as its security grade falls, which suggests the value of investing in controls such as improved access management:
- A = 2.5%
- B = 4.0% (Flagstar's SecurityScorecard grade)
- C = 5.1%
- D = 6.8%
- F = 8.3%