Assignment 2.1: The 2016 Bangladesh Bank Hack


Review and Analysis: Duty of Care

Nicholas Wicker

Program of Cyber Security Operations & Leadership, University of San Diego

CSOL 540-01-FA22: Cyber Security Law and Privacy

Dr. Michelle Moore

September 19, 2022


Overview

Penalties and punishments for cybercrimes continue to be constructed or revised as innovative technology is developed and used for criminal activities such as hacking and fraud. Unfortunately, at times, laws are established after a crime has been committed and the victims are recovering and restoring their lives from the damage that occurred from a breach or compromise. An integral part of punishing the offenders and accomplices is at times presenting evidence that duty of care was violated. According to the Legal Information Institute (2022), this doctrine is a fiduciary duty requiring directors and/or officers of a corporation to make decisions that pursue the corporation’s interests with reasonable diligence and prudence. This fiduciary duty is owed by directors and officers to the corporation, not the corporation’s stakeholders or broader society. The American Law Institute's Principles of Corporate Governance defines the duty of care as the duty by which a corporate director or officer is required to perform their functions in good faith; in a manner that they reasonably believe to be in the best interests of the corporation; and with the care that an ordinarily prudent person would reasonably be expected to exercise in a like position and under similar circumstances (negligence standard). To expand on the duty of care, we will use a case study on the Bangladesh Bank Heist of 2016.

Background

In February 2016, $81 million was stolen from the Bangladesh Central Bank’s account at the New York Federal Reserve and transferred to accounts in the Philippines. This heist was orchestrated through cyber-attacks and is an example of how computer crimes can cause significant harm and damage to business operations. The cybercrime would eventually be identified as a nation-state attack; according to investigators, the digital fingerprints led to the government of North Korea (BBC, 2021). Although the transfer of funds occurred within less than 24 hours, the phishing attack had been launched in the previous year, 2015, via an innocuous-looking email sent to several Bangladesh Bank employees.

According to FBI investigators, the malicious email was downloaded, which provided an entry point into the bank's systems. The attackers began stealthily hopping from computer to computer, working their way toward the digital vaults and the billions of dollars they contained (BBC, 2021). The attackers were able to access the bank’s computer terminals that interfaced with the Society for Worldwide Interbank Financial Telecommunication (SWIFT) system and sent fraudulently authenticated SWIFT messages directing the Federal Reserve Bank to transfer funds from Bangladesh accounts to four accounts that had been created at the Rizal Commercial Banking Corporation (RCBC) branch in Manila.

Duty of Care

An organization can have the most sophisticated state-of-the-art security systems in the world, but if attention to detail and due diligence are not instilled and personnel become complacent, then criminals can exploit and take advantage of a weakness. Human error played a critical part in the attack. Education and awareness can help professionals identify malicious activity; at several points while the theft was in progress, the events could have been stopped had there been an emphasis on the duty of care (TheOneBrief, 2019):

- In Manila, workers at the Rizal Commercial Banking Corporation allowed the attackers to open accounts using fake driving licenses; these accounts were then used to receive and traffic stolen funds.
- There is evidence that the workers who installed the SWIFT system in BCB did not follow official guidelines, which could have opened security vulnerabilities.
- There is also evidence of slack procedure in New York: there were numerous inconsistencies in the fraudulent SWIFT orders which should have been spotted.

International law could make it difficult to hold a specific entity accountable for the cyber heist. Although it has been noted that the malicious software was able to make its way through the Bangladesh Central Bank’s network, there are concerns about which authentication controls were not implemented, or were overlooked, for network activity and for high-value transactions being deposited into international accounts. For example, Reuters reported that the first 35 messages from Bangladesh Bank were rejected for incorrect formatting; the hackers simply fixed the formatting and sent another 35 requests for payment to the same beneficiaries as before. This time the New York Fed cleared five of them, despite the oddities. They were properly formatted, SWIFT authenticated, and went through automatically (Das & Spicer, 2016). An alert or notification should have flagged these requests and required a physically authorized person to review and confirm the authenticity of these transactions.
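The automatic release of properly formatted, SWIFT-authenticated orders is the control gap this paragraph describes. As an added illustration (not code from this paper or from any bank's actual system), the following Python sketch applies three assumed hold-for-review rules to a constructed batch of payment orders: resubmission to a beneficiary whose order was recently rejected, a beneficiary not previously vetted, and a high value. The record layout, thresholds and sample orders are all constructed for the example and are not SWIFT message fields.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed payment-order records, modelled loosely on the pattern the
# Reuters account describes: orders rejected for formatting and then
# resubmitted to the same beneficiaries. Field names are hypothetical.
@dataclass(frozen=True)
class PaymentOrder:
    msg_id: str
    beneficiary: str    # destination account identifier
    amount_usd: float
    status: str         # "rejected_format" or "authenticated"
    ts: datetime

HIGH_VALUE_USD = 1_000_000.0     # assumed threshold for mandatory review
REJECTION_WINDOW = timedelta(hours=24)

def orders_needing_human_review(orders, known_beneficiaries):
    """Return {msg_id: [reasons]} for authenticated orders that should be held
    for a named approver instead of being released automatically. Assumed rules
    (not any bank's actual policy): recent rejection for the same beneficiary,
    beneficiary not previously vetted, or amount at/above HIGH_VALUE_USD."""
    rejected_at = {}   # beneficiary -> timestamp of most recent rejection
    flagged = {}
    for o in sorted(orders, key=lambda x: x.ts):
        if o.status == "rejected_format":
            rejected_at[o.beneficiary] = o.ts
            continue
        reasons = []
        last_rej = rejected_at.get(o.beneficiary)
        if last_rej is not None and o.ts - last_rej <= REJECTION_WINDOW:
            reasons.append("resubmitted after recent rejection")
        if o.beneficiary not in known_beneficiaries:
            reasons.append("new beneficiary")
        if o.amount_usd >= HIGH_VALUE_USD:
            reasons.append("high value")
        if reasons:
            flagged[o.msg_id] = reasons
    return flagged

# Constructed sample batch; T0 is an arbitrary timestamp for the example.
T0 = datetime(2016, 2, 4, 20, 0)
SAMPLE_ORDERS = [
    PaymentOrder("M001", "NEW-ACCT-1", 20_000_000.0, "rejected_format", T0),
    PaymentOrder("M002", "NEW-ACCT-1", 20_000_000.0, "authenticated", T0 + timedelta(hours=2)),
    PaymentOrder("M003", "VENDOR-7", 40_000.0, "authenticated", T0 + timedelta(hours=3)),
    PaymentOrder("M004", "VENDOR-7", 5_000_000.0, "authenticated", T0 + timedelta(hours=4)),
]
KNOWN_BENEFICIARIES = {"VENDOR-7"}   # constructed allow-list of vetted accounts
```

Running `orders_needing_human_review(SAMPLE_ORDERS, KNOWN_BENEFICIARIES)` holds M002 on all three grounds and M004 on value alone, while the routine low-value payment M003 is released.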

It can be argued that the duty of care doctrine was violated in that proper measures and assurances for safeguarding the systems and funds were not adequate. Additionally, authentication mechanisms were not implemented in such a way that would deter, thwart, or deny unauthorized access. There is a legal obligation for all parties managing and approving transactions to adhere to reasonable care, as each entity is entrusted with safeguarding sensitive information.

There is a fiduciary responsibility incumbent on each organization. The obligations can cover a broad spectrum when the requirement is to protect information and disclose the loss or compromise of data or information systems. Obligations can include duties such as (Schreider, 2020):

- Provide reasonable security
- Reveal security breaches
- Accurately disclose safeguards
- Protect information

Responsibilities and Penalties

New York

When partnership relations or contractual agreements are established, the responsibility of protecting information is to ensure that the client can be assured they are protected. The criminal and civil liabilities of each organization will differ per international laws, although in the United States such Federal crimes are prosecuted by the Department of Justice. Enacted in 1986, the Computer Fraud and Abuse Act (CFAA) has established the basis for computer crimes and has been amended to stay abreast, as best as possible, of advances in technology and cybercrime. The table in Figure 1 provides a list of offenses and sentences applicable under the CFAA.

Figure 1. Summary of CFAA Penalties - (DoJ, 2010).


Bangladesh

Bangladesh could seek damages related to money laundering and other cybercrimes that compromised the SWIFT network. These cases can also include tort claims should harm to a person be discovered. There is also the question of authority and how New York will be able to enforce any action in the matter, as most of the steps of the cyber heist took place outside of the United States.

Manila

The Monetary Board, the Bangko Sentral ng Pilipinas's (BSP) policy-setting body, approved a P1-billion fine against RCBC for the $81 million of stolen funds belonging to the Bangladesh Bank. RCBC will comply with Monetary Board Resolution No. 1392 by paying the central bank for "non-compliance with banking laws and regulations in connection with the $81M Bangladesh Bank Cyber Heist" (GMA News, 2016). There have been other cases filed by Bangladesh with support from the New York Federal Reserve against RCBC, although they have either been dismissed or are still in progress. As mentioned previously, an issue that could hinder such claims is authority.

Defending Attacks

The potential for people to fail to perform their duties correctly is always a reason organizations have security protocols and guidelines. These can be meaningless if they are not followed or enforced. Organizations need to ensure their staff are properly educated and trained in what to do and how to do it, and educated in the consequences of failing to follow proper processes. However, there also needs to be a review and confirmation that the protocols and procedures set to support the system, and the mechanisms to alert on or deny unauthorized activities, are in place.

Protocols must be continually tested and reviewed and, where needed, altered to make sure they can confront the threats posed by an ever-changing risk landscape, or they need to be built in a way that captures even the most extreme eventualities. The BCB robbery teaches us that in an age of continually evolving cyber threats, there is no such thing as invulnerability.

In summary, the cyber heist of Bangladesh Bank was a warning to the world. Cybercrimes will continue to grow in scale and severity as more devices become connected and more countries provide access to networks. Cybercriminals are skilled, and their real success is exploiting vulnerabilities in the organizations they target – vulnerabilities that may have been invisible beforehand or could have been mitigated if adequate steps had been taken to remove the point of exploitation. By looking at what happened and identifying the key weak points – in understanding vulnerabilities, maintaining security procedures, training employees, and testing processes – companies can work to mitigate similar weaknesses in their organizations. Each organization must assess the risks applicable based on its profile and make these policy determinations. Stakeholders and leadership must learn from the mistakes of others and consider implementing some of the directives imposed by regulators in enforcement actions against other companies. There are always changes in what is permissible, and those updates should be a part of the ongoing defense-in-depth process.


References

BBC. (2021, June 20). The Lazarus Heist: How North Korea Almost Pulled Off a Billion-Dollar Hack. Retrieved September 14, 2022, from https://www.bbc.com/news/stories-57520169

Das, K., & Spicer, J. (2016, July 21). How the New York Fed fumbled over the Bangladesh Bank Cyber-Heist. Retrieved September 16, 2022, from https://www.reuters.com/investigates/special-report/cyber-heist-federal/

DoJ. (2010). Prosecuting Computer Crimes - United States Department of Justice. Retrieved September 17, 2022, from https://www.justice.gov/criminal/file/442156/download

GMA News. (2016, August 5). Bangko Sentral slaps P1-B fine on RCBC for stolen Bangladesh Bank Fund. Retrieved September 17, 2022, from https://www.gmanetwork.com/news/money/companies/576498/bangko-sentral-slaps-p1-b-fine-on-rcbc-for-stolen-bangladesh-bank-fund/story/

Legal Information Institute. (2022, January). Duty of Care. Retrieved September 13, 2022, from https://www.law.cornell.edu/wex/duty_of_care

Schreider, T. (2020). 2.4 Duty of Care Doctrine. In Cybersecurity Law, Standards and Regulations (2nd ed., p. 48). Rothstein Publishing.

TheOneBrief. (2019, September 13). The Bangladesh Bank Heist: Lessons in Cyber Vulnerability. Retrieved September 17, 2022, from https://theonebrief.com/the-bangladesh-bank-heist-lessons-in-cyber-vulnerability/
