Risk. Cyber Black Swans. Tesco Bank

How organized do you have to be to access 40,000 accounts in a matter of hours? Does a third of your customer base normally log in on a Saturday night?

It won’t be the dollar loss that makes this a black swan event – if the average loss is 1000 pounds per accessed account, it will top out at 20 million or so. What makes this potentially spectacular is the way the bank got owned – this is a bank robbery, not just a few account holders being infected with ZeuS or another banking trojan. The bank’s accounts have been delivered to a group who can organize the theft of tens of thousands of accounts in a matter of hours.

Tesco Bank has an Enterprise Risk Management framework, in which the operational risk from cyber crime is of particular note. The board is responsible for reviewing the risk management arrangements and internal controls that offer reasonable, but not absolute, assurance against fraud and loss.

The board considers that the group is properly resourced and skilled and has in place adequate systems and controls, in the context of being a bank, to avoid or minimize loss.

Do they still think that is true?

Before Saturday night, what would you have thought the probability of this event happening was? In an attempt to make risk management a science, we’ve made it too complicated.

“People rob banks because that’s where the money is.” – Willie Sutton

UPDATE: There’s a dark market advert claiming to have an insider at Tesco Bank too – we’ll see how this unfolds.