The new systemic risk for US banks: Windows XP

The end of support for Steve Ballmer’s XP—shown here in 2001—could be a big problem for US banks.
Image: Reuters/Dan Chung

Forget arcane mortgage bonds, toxic derivatives or a swiftly shifting regulatory landscape.

There’s a new systemic risk for the banking system to worry about. Or perhaps you might say, an operating systemic risk.

The Federal Reserve is warning US banks to prepare for a looming April 8 deadline, at which point Microsoft has stated that it will be ending its support for Windows XP, the operating system created in 2001. That means the tech company will no longer offer security patches—fixes which address potential vulnerability to cyberattack—or tech assistance. Microsoft has been urging its customers to switch to Windows 8.1.

Windows XP is used to run everything from some banks’ internal computers to automated teller machines (ATMs). In fact, the Microsoft operating system serves as the backbone for 95% of the ATMs operated in America, Bloomberg reports. So losing Microsoft tech support may translate into heightened security problems for financial institutions. An interagency standards body known as the Federal Financial Institutions Examination Council included this warning in a letter:

Potential problems include degradation in the delivery of various products and services, application incompatibilities, and increased potential for data theft and unauthorized additions, deletions, and changes of data.

The Fed—which has broad regulatory responsibilities for parts of the US banking system—is taking the software change seriously and has issued specific warnings to community banks—as opposed to large Wall Street banks—as they may be more vulnerable to security breaches due to their smaller size. The Fed is urging them to prepare for security lapses in teller machines and other technological systems after the XP deadline passes:

Community banks are being targeted by cybercriminals through corporate account takeovers and ATM cash-out and other fraud schemes. The increasing complexity, sophistication, and frequency of cyberattacks require that banks remain attentive to elevated and evolving information security risks. Community bankers should engage their user groups and have direct discussions with their technology service providers to ensure that they are properly addressing cybersecurity risks, including “end of life” for XP support.

The XP software switch comes as security breaches at retailers like Target Corp. have put the spotlight on the older technology that some banks and credit card companies have been relying on. Even so, the Fed expects that some banks won’t upgrade their systems before the April deadline, which could expose them to security breaches.

While most banks intend to migrate their applications to run on a supported operating system, the reality is that some may miss the deadline. As a result, these banks will run on unpatched systems.