CYBER EXPOSURE OF THE BANKING & FINANCE INDUSTRY
Cyber incidents and their fall out continued to make more headlines in the past year across a broad range of industries and businesses. It’s no surprise then, that larger corporates and financial institutions are becoming increasingly aware of their and, significantly, their customers’ cyber risks.
65% of banking executives surveyed in a 2015 risk management study expect cyber risks to increase. The exposure of banks came into sharp focus in early 2015, when security firm Kaspersky uncovered one of the largest cyber crimes in history that directly targeted banks. They discovered that cyber criminals had gained access to _____ bank systems via spear phishing attacks on employee systems and the installation of malware, known as Carbanak. Through the attack, the criminals were able to infiltrate banking systems and mimic bank staff conduct to withdraw up to an estimated US$1 billion over the course of about two years.
The attack was highly sophisticated, with each withdrawal being orchestrated over a number of months and across numerous countries, including Australia, Brazil, Bulgaria, Canada, China, Czech Republic, France, Germany, Hong Kong, Iceland, India, Ireland, Morocco, Nepal, Norway, Pakistan, Poland, Romania, Russia, Spain, Switzerland, Taiwan, the United Kingdom, Ukraine and the United States.
The banking and finance industry also had to deal with the impact of other cyber incidents, notably the Target attack. Millions of Target’s customer base were asked to cancel credit cards and change passwords due to the extraction of millions of customer account records held by Target.
Ratings agencies are taking notice. Standard & Poor's recently indicated it may downgrade its ratings on banks that suffered a cyber incident that caused reputational damage, or that did not appear ready to handle a cyber incident (before a breach has occurred). Moody's has also indicated it will examine the duration and severity of a cyber incident to determine its credit impact, making cyber security a higher priority in its credit analysis.
ENHANCING CYBER PROTECTION – GETTING THE BASICS RIGHT
Given its exposure, it is no surprise that the banking and finance industry is a leader in cyber protection. We have identified below key protection measures that, in our experience, have been implemented across the industry and can benefit all businesses.
No company is immune to a cyber incident. However, and critically relevant for insureds and insurers, many of these measures can significantly mitigate the damage caused by a cyber incident. This, in turn, will limit the quantum of potential claims under cyber policies.
As always, cyber insurance is just one measure to be adopted – but it is the last line of defence.
Before a company can implement effective cyber protection measures, it needs to identify and assess its internal and external risk factors. This requires an audit of all aspects of a company’s business, particularly its data collection, regulation, security and customer and vendor management.
Thereafter, the measures discussed below should be considered.
- Implement, maintain and update IT security policies and procedures, personnel policies and device level policies
These policies and procedures (particularly their inculcation and operationalisation within an organisation) are an essential part of ensuring that cyber risks are considered and that measures are implemented to mitigate those risks. It is impossible to overemphasise the importance of reviewing and updating these policies on an ongoing basis – given the rapidly changing nature of the threat environment and the increasingly sophisticated methods used by cyber attackers, what constitutes “best practice” approaches and procedures can change in a matter of days and weeks, not months or years.
- Develop and implement effective compliance training and personnel education processes
It is important to foster an environment in which the importance of effective data management and security is understood, and to implement ongoing monitoring of compliance with policies and attendance at training. “Social engineering”, the exploitation of the human element of organisations, is one of the key methods used by attackers to perpetrate attacks (this includes techniques like phishing and impersonation). Social-Engineer, Inc, a company that helps organisations learn how to combat and mitigate the effects of malicious social engineering, has reported that social engineering is used in over 66% of all cyber attacks. It is therefore critical to ensure that personnel are educated about how they can assist in protecting their organisation against cyber attacks, and that their compliance with mandated policies and processes is monitored and regularly reinforced through compulsory training.
- Enhance vendor management processes
Organisations need to understand the interconnected nature of cyber risks. A key risk area that has been targeted in many high profile incidents is the connection between organisations and their external vendors. This extends beyond IT vendors – the initial point of entry for the Target credit card attack in 2013 was a heating, ventilation and air conditioning (HVAC) system provided by a third party vendor. An organisation should develop, implement and maintain:
- strong and effective governance of vendor security, which includes gateway reviews, mandatory security requirements built into contracts, and the regular exercise of audit rights to periodically confirm compliance;
- policies, systems (including technologies) and processes to ensure that any third party providers of infrastructure services cannot access information stored on or passing through that infrastructure unless authorised; and
- offshoring and/or outsourcing policies and standards to which the organisation can refer when engaging external vendors.
- Develop incident response plans for specific data breach or security issues and a process for periodic review and updating of the plan
The implementation of a comprehensive and tested incident response plan is critical to effectively managing a cyber incident. Such plans should cover:
- the composition of an incident response team and protocols for communicating amongst the team (which must take place through off-band communication channels, given the risk that the security of on-band channels has been compromised);
- processes and protocols for communicating information to stock markets, relevant regulators, law enforcement bodies, insurers, affected individuals and the media;
- processes and procedures for analysing the attack and preserving evidence of it; and
- implementing recovery and business continuity plans (see further below).
The incident response procedures must be regularly tested and updated, particularly after any significant changes to business operations occur. A post incident review must also be performed and documented following any significant security incident.
- Develop, implement and regularly test and update business continuity plans and disaster recovery plans and facilities
Cyber extortion is on the rise and organisations must be prepared to face the encryption of, denial of access to, or deletion of critical data and systems. This has the potential to cripple many organisations. Business continuity and disaster recovery plans that can be implemented during a cyber incident are critical to minimising the operational effects on the affected organisation. Further, the preservation of evidence is required as part of any claim under insurance policies and/or law enforcement investigations, which may require impacted systems to remain offline for a period.
- Test and update technologies and systems used
An area of obvious enhancement is within an organisation’s own systems and technologies. The inherent levels of security within an organisation’s deployed systems need to be regularly monitored, tested and updated. This includes:
- the IT architecture, systems security and IT access systems security in place;
- use of data loss prevention, intrusion detection, data exfiltration prevention and other relevant security monitoring and management systems;
- security testing processes such as penetration testing, vulnerability assessments and social engineering testing, including the use of independent third party testers/reviewers (e.g. a “white hat” provider engaged to attempt to obtain access to its systems). Vulnerabilities identified must then be subjected to further review and remediation;
- use of virus detection software which is continually updated as recommended by the vendor;
- where relevant, network segmentation, segregation and separation;
- security processes which automatically identify potential misuse/unauthorised use of data; and
- data back-up cycles which limit the impact of data becoming corrupted or encrypted by outside actors (and where such backed up data is also tested).
THE BENEFITS FOR INSURERS AND INSUREDS
The above measures are not new, but are fundamental to developing sufficient cyber protection within an organisation. They also greatly assist in reducing the loss suffered from a cyber incident.
It is therefore beneficial to both insurers and insureds for these measures to be properly implemented. In this respect, insurers may be able to assist in the widespread deployment of these measures.
As part of the proposal process, insurers can ask prospective insureds to provide details of the measures they have taken in developing their cyber protection. This will both highlight these matters to insureds and assist insurers to identify riskier insureds and price accordingly.
Insurers may also be able to, in conjunction with their partnered providers, offer “value add” services to insureds, especially those identified as high risk, to assist them in developing their cyber protection while also reducing the prospect and quantum of future claims.
Looking forward, we expect these cyber protection measures to be widespread. Insurers, with the assistance of their preferred service providers, can help lead the charge in enhancing the first line of defence. This will, of course, be to the benefit of both insureds and insurers.