Financial institutions warned on cyber-insurance
Financial institutions must ensure they have adequate cyber-insurance to deal with the aftermath of any cyber-breach.
This comes as a growing number of financial institutions identify cyber-crime as one of their biggest challenges. A survey of broker-dealers, banks, mutual funds, insurers and hedge funds conducted in March 2014 by the Depository Trust & Clearing Corporation (DTCC) found cyber-crime to be their top concern. Twenty-four per-cent of respondents said it was the biggest risk to capital markets while 23% acknowledged it was a threat to their firms.
“There are a lot of variances of cyber-insurance language, and some are good, and some are relatively poor. Oftentimes there is little price difference between the two. It is essential that firms buy insurance that covers them across a number of the risks that cyber-crime poses,” said Roberta Anderson, partner at K&L Gates in Pittsburgh, speaking at the law firm’s seminar on cyber-risks and global security issues in London.
Coverage should mitigate liability for data breaches and regulatory actions such as fines. In addition, a sensible insurance policy should provide coverage to pay for forensic experts to determine the cause of the breach and crisis management such as public relations. Coverage should mitigate against lost income or extra expenses for Distributed Denial of Service (DDoS) attacks or theft, as well as hardware damage and extortion.
Of particular importance was regulatory coverage, said Anderson. “In the US, there are multiple rules at both a Federal level and State level. Buying the right insurance means you are covered across multiple rules and regulations and will assist in covering any penalties that may arise,” she said.
Disruptive cyber-attacks are becoming more effective at breaching security defences yet only 8% of IT managers said they had sufficient resources to handle such a crisis, according to a study by BT, published in July 2014. The research found that 41% of organisations globally have been subjected to a DDoS attack over the past year. DDoS attacks can cause major disruption for organisations. They can take down organisations' websites, overwhelm data centres or cause networks to grind to a halt and become unusable. “It is not a matter of if a business is going to be attacked, but when,” said David Bateman, partner at K&L Gates in Seattle.
A report –“Cyber-crime, Securities Markets and Systemic Risk” – produced jointly in 2013 by CPSS-IOSCO and the World Federation of Exchanges (WFE) found 53% of 46 exchanges surveyed had been subject to a cyber-attack over the preceding 12 months. Eighty-nine per-cent of those exchanges said cyber-threats presented a potential systemic risk to capital markets. Many of these malicious attacks stem from nation states, cyber-criminals, or most commonly disgruntled employees. The costs of cyber-crime can be staggering and well into the billions. A recent speech by the Director General of MI5 said that one London business had lost £800 million because of a cyber-attack.
Cloud security was also discussed. A number of managers outsource their technology operations to private cloud providers, operated by firms such as Eze Castle. However, a handful do still elect to outsource to public clouds operated by Google, Amazon or Microsoft. “Clouds can cause problems insofar that an unscrupulous cyber-criminal might share a firm’s IP address on the cloud. Should that individual be targeted by enforcement agents, the IP address could be shut down leaving the firm unable to use their technology,” said Bateman.
Financial institutions were also warned against their lax mobile phone and tablet security. “People treat their desktops and mobiles completely differently. The security on desktops tends to be far more substantial whereas people will willingly download apps on their phones without hesitation yet store sensitive materials or work information on their mobiles or tablets. If there is an internet connection, there is a high-risk the phone or tablet could be targeted by cyber-criminals,” he said.
Regulators have taken note of cyber-threats. The Securities and Exchange Commission (SEC) in the United States announced in February 2014 that it would conduct a review on the policies and safeguards asset managers have in place to mitigate the risks of cyber-attacks as part of its investment adviser examination program.
The review will scrutinise whether managers are adequately protecting themselves against potential security breaches as well as the risks associated with other vendors who have access to their data and systems. The SEC also confirmed it would be looking at firms’ policies on IT training, vendor access and due diligence, while the agency also said it was considering a requirement that would force asset managers to report significant cyber events to regulators.
UK regulators are also taking an interest. Asset managers must ensure they have effective business continuity plans (BCP) and exit strategies in place with their technology vendors in the event of that service provider defaulting or running into operational difficulty if they are to avoid falling foul of the Financial Conduct Authority (FCA).