April 17, 2018
What cyber insurance can and can’t do for banks
By: Valerie Abend

Commission, committees and councils. In the last few weeks, there’s been no shortage of government regulators and legislators chiming in on cybersecurity measures. Shortly after the recent Securities and Exchange Commission (SEC) guidance and a hearing by the House Financial Services Committee (see my colleague’s blog), the Federal Financial Institutions Examination Council (FFIEC) released a joint statement on cyber insurance, providing helpful tips for institutions on how to evaluate different policies and potential gaps in current coverage.

Why are banking regulators focused on cyber insurance right now?

Government agencies and regulators have good reason for focusing on cyber insurance, given continuing escalation of cyber attacks such as ransomware, data breaches and the all-too-common distributed denial of service attacks that continue to plague our financial institutions. While rarely catastrophic, these events create both direct and indirect costs to banks. In a recent study we conducted with Ponemon Institute, we found that the number of ransomware attacks doubled in the last year, taking about 23 days to resolve and costing institutions millions of dollars.

Smaller organizations experience a higher proportion of cyber crime costs relating to malware, web-based attacks, phishing and other social engineering attacks, and stolen devices. Part of what FFIEC members are highlighting is that general liability and business interruption insurance policies don’t always provide sufficient coverage for all potential exposures caused by such cyber events. Evaluating and comparing policies and offerings might be a good idea, particularly for smaller institutions.

So what can cyber insurance do to help banks?

At a minimum, cyber insurance can provide two important benefits.

  1. A cyber health check. Most cyber insurers require an assessment to help determine the insurance company’s risk in the underwriting process. Think of it like the physical exams that some life insurance policies require. If a bank uses a sound assessment methodology that includes real-world adversarial simulations—beyond just paper-based reviews—it can identify its biggest cyber risks and the gaps it needs to prioritize.
  2. Financial assistance in the face of an attack. Like any insurance policy, cyber insurance can provide peace of mind—the kind you get from knowing that the insurance company will cover certain losses. These could include the costs of ransom payments, paying for customer credit freezes and reports, regulatory fines, legal defense and other costs.

But there’s more to this than just helping individual banks. Expanding the cyber insurance market could also provide benefits beyond those received by insured banks. For example, larger volumes of actuarial data about breaches could improve underwriting.

That said, there is much that cyber insurance can’t do. It doesn’t actually fix the holes in the processes or technology that assessments identify. For example, it doesn’t make bank employees any less likely to click on phishing emails. It also doesn’t stop or deter bad guys from attacking, and the insurance won’t help repair an institution’s reputation once customers are notified that their personal information may have been compromised.

So, all told, while cyber insurance has benefits, it is only one tool in the overall risk mitigation tool box. Given that smaller institutions are at a disadvantage when it comes to having the resources to thwart sophisticated attacks, it might also be helpful for smaller banks with limited resources to focus on three control areas that can provide some of the biggest bang for their buck against cyber criminals:

  • Privilege and critical access management. It is especially important to control access rights that enable system-wide changes or changes to critical systems, as well as the ability to access and authorize critical business processes and data.
  • Incident response and crisis management. Few businesses can survive 23 days of being offline due to a ransomware attack. That is why it is critical to reduce the time required to detect when an attack is imminent or underway. Likewise, an institution must have playbooks that clearly describe response roles, responsibilities and options and that incorporate a holistic approach across the bank. And then: practice, practice, practice.
  • Asset management. It is very difficult for any company to protect, manage (patch) or reconstitute its business operations if it doesn’t know what systems it has and how they operate. Core to cyber risk management is having a clear understanding of the assets—including hardware, software, data and, of course, who has access to these assets. It’s also critical to have a documented process for maintaining the inventory over time.

And don’t forget: You should expect that these types of activities do not stop at a bank’s walls (or firewalls) but rather extend to the bank’s third parties.

In the end, the FFIEC members’ joint statement may help further spark the developing cyber insurance market, but it won’t be fast enough in the race against ever-increasing cyber threat adversaries. So, if you are contemplating cyber insurance for your bank, first ask yourself: are you sufficiently resourcing the controls that bad guys most often target, and do you have confidence in the bank’s ability to respond and recover if those controls are compromised? After you feel more prepared, then maybe add cyber insurance.

Important note: The content in this blog is general in nature. It is not, and is not intended to be relied on as, advice. It should not replace the expertise of qualified professionals, and readers should seek advice specific to their organization’s needs, which may vary and require unique action.
