Cybersecurity for Financial Services Firms

by Kate Stephany

Cybersecurity has been a focus of FINRA for a few years now, usually on the technical side. But what about the business concerns? About a quarter of cyberattacks are enabled by inadvertent actors: well-meaning employees who click on a malicious link, or who send a file through a personal email account because it is too large for the corporate mail system to accept. Approximately 31.5% of attacks come from malicious insiders, such as employees placed at a company for espionage or disgruntled staff. Most attacks, 45%, originate from an outside threat, such as competitors, foreign intelligence services, or hacktivists.

Reduce the impact of cybersecurity risk

So, what strategies can a financial services company use to reduce cyber risk? The first is to examine your own and your vendors' corporate governance and reporting structure for cybersecurity-related issues, including written policies and procedures. Also look at what resources are devoted to overall risk management, and specifically to information security: insurance, information security testing, management of significant vendors, internal training, and the integration of information security into business continuity and disaster recovery planning.

It’s time to consider cybersecurity insurance

Another way to mitigate risk is to obtain cybersecurity insurance, which can reduce the cost of a cyber incident. FactRight has noted that some sponsoring entities and managing broker-dealers have begun obtaining such policies in the past couple of years. However, only 33.5% of the corporations responding to the SANS Institute InfoSec Reading Room survey had any type of cybersecurity policy. We believe this number will rise in the coming years as cybersecurity issues become more critical.

The main reason corporations obtained the policies was data breach/privacy crisis management, the scenario that dominates the headlines. However, some other reasons to obtain a policy are:

  • multimedia/media liability - covers third-party damages, such as the defacement of websites and infringement of IP rights
  • extortion liability - covers losses due to an extortion threat and the professional fees related to dealing with it
  • network security liability - covers third-party damages resulting from the denial of access, costs related to data on third-party suppliers, and the cost of data theft on third-party systems

There are two broad types of coverage: liability (third-party) and first-party. Liability coverage protects a corporation from claims by its customers, employees, and business partners over breaches of their private information, and may also cover some regulatory actions, notification costs, and industry (usually payment card) fines and penalties. First-party coverage helps the corporation pay for the forensic work needed to determine the cause of the breach, sometimes the repair or replacement of the data, the "ransom" demanded in an extortion, business interruption losses, and crisis management through the hiring of a consultant to navigate the public relations fallout.

What may be surprising to learn is that the cyber coverage included in most general liability policies is very limited and contains many specific exclusions aimed at cyber-related costs. So, some key takeaways are:

  • use an insurance broker experienced in cyber coverage
  • ask for specimen policy forms, not promotional materials, to review actual policy language to negotiate the terms in your favor
  • when claims arise, be skeptical of any denial of coverage
    • Insurers will typically deny coverage when it is a close call

It pays to be proactive now

When it comes to cybersecurity, everyone should expect to see headline and regulatory developments over the next few years, both positive and negative. Knowledge of your company and your vendors is important, and when researching cybersecurity insurance, know that it is currently a buyer's market, allowing corporations to negotiate almost anything into their policies. That will not last long as more organizations grasp the necessity of obtaining cybersecurity protection. We hope you grasp it because you are proactive, and not because you have learned the hard way.
