Skip to navigationSkip to content
OPERATING SYSTEMIC RISK

The new systemic risk for US banks: Windows XP

Former Microsoft CEO Steve Ballmer
Reuters/Dan Chung
The end of support for Steve Ballmer’s XP—shown here in 2001—could be a big problem for US banks.
This article is more than 2 years old.

Forget arcane mortgage bonds, toxic derivatives or a swiftly shifting regulatory landscape.

There’s a new systemic risk for the banking system to worry about. Or perhaps you might say, an operating systemic risk.

The Federal Reserve is warning US banks to prepare for a looming April 8 deadline, at which point Microsoft has stated that it will be ending its support for Windows XP, the operating system created in 2001. That means the tech company will no longer offer security patches—fixes which address potential vulnerability to cyberattack—or tech assistance. Microsoft has been urging its customers to switch to Windows 8.1.

warning in a letter:

Potential problems include degradation in the delivery of various products and services, application incompatibilities, and increased potential for data theft and unauthorized additions, deletions, and changes of data.

The Fed—which has a broad regulatory responsibilities for parts of the US banking system—is taking the software change seriously and has issued specific warnings to community banks—as opposed to large Wall Street banks—as they may be more vulnerable to security breaches due to their smaller size. The Fed is urging them to prepare for security lapses to teller machines and other technological systems after the XP deadline passes:

Community banks are being targeted by cybercriminals through corporate account takeovers and ATM cash-out and other fraud schemes. The increasing complexity, sophistication, and frequency of cyberattacks require that banks remain attentive to elevated and evolving information security risks. Community bankers should engage their user groups and have direct discussions with their technology service providers to ensure that they are properly addressing cybersecurity risks, including “end of life” for XP support.

The XP software switch comes as security breaches at retailers like Target Corp. have put the spotlight on the older technology that some banks and credit card companies have been relying on. Even so, the Fed expects that some banks won’t upgrade their systems before the April deadline, which could expose them to security breaches.

While most banks intend to migrate their applications to run on a supported operating system, the reality is that some may miss the deadline. As a result, these banks will run on unpatched systems.

📬 Kick off each morning with coffee and the Daily Brief (BYO coffee).

By providing your email, you agree to the Quartz Privacy Policy.