Should corporate treasuries be worried by the recent rashof cyber attacks that hackers sprung on leading U.S. financialinstitutions throughout September and October? According totreasury security experts, the answer is a qualified “yes.”

The distributed denial of service (DDOS) attacks on the Websites of Bank of America, BB&T, Capital One, JPMorgan Chase,SunTrust Banks, U.S. Bancorp and Wells Fargo “were more disruptivefor retail clients rather than corporate clients,” says PaulLaRock, a principal at consultancy Treasury Strategies.

U.S. Bancorp, the only bank willing to share its DDOSexperience, saw its online performance degrade on Sept. 26 ashackers flooded the bank's Web site with extraneous serverrequests.

“We were never completely down the day of the incident, but wedid have some slow performance at times,” says Tom Joyce, seniorvice president of corporate and public relations at U.S. Bancorp.“We assured retail clients, and to the extent any of our businessclients who were having issues, that all data and funds were secureand that this was a high-volume attack designed to inconveniencecustomers more than anything.”

Of all of the different types of cyber attacks, DDOS attacks arethe equivalent of a blunt club. They typically involve hackersusing a series of virus-infected computers, known as “bots,” tosend a large number of server or network requests to the targetedWeb site in hopes of overwhelming it and preventing other systemsfrom accessing it.

These attacks usually last only a few hours since targetedorganizations can use readily accessible tools to identifysuspicious message traffic and route it away, LaRock explains. Mostcorporate treasuries should be able to survive a connectivitydisruption with their bank lasting that long, he adds.

However, if the DDOS attacks on banks begin to mirror thelengthy attacks experienced by the Estonian government, banks andmedia outlets in April 2007, the industry should worry.

“Those DDOS attacks involved a complex strategy that used spam,phishing and viruses, and lasted several days,” LaRock says. “Thesecurrent attacks so far don't appear to be on the scale orcapabilities of an intelligence agency of an industrialized nation.Looking at the resources involved, I think these are being done byan informal group of people.”

Treasuries should take the DDOS attacks on banks as a cue toupdate their disaster recovery plans to include a scenario in whichthey are unable to connect to their banks over the Internet, LaRockurges. “But most firms don't have plans in place.”

LaRock suggests both a hi-tech and low-techapproach allowing treasuries to avoid connectivity outages as aresult of DDOS attacks. Companies could transact business withtheir banks over a secure private network like the one run by bankmessaging cooperative Swift. They could also develop and implementmanual treasury processes to use during a connectivity outage.

Both strategies provide a workaround for DDOS-based outages, buteach has its issues.

“Using the SWIFT network, treasury departments can access theirbalances and initiate transfers and almost any other process,”LaRock says. “However, some tools like anti-fraud PositivePay andPayee PositivePay are not accessible over the SWIFT network.”

On the other hand, developing an internal manual process justinvolves a pencil and a piece of paper. “It will be time consumingand would not be suitable for running a treasury department for anextended period,” he says. “Yet it should work for a few hours or afew days.”

For additional coverage of this issue, see Bank Cyber Attacks Enter Fifth Week, Hackers Attacking Banks Have Sophisticated Tools (Reuters)and Cyber Attacks on Banks Expose U.S. Vulnerability.