• A bank customer stops in a coffee shop that offers WiFi and logs onto her online banking account. Two tables down, or in a back room, a criminal uses a WiFi "sniffer" to extract the account number and log-in information.
• A third-party marketing firm, engaged by the bank to send out notices and forms to customers, mistakenly includes Social Security numbers on the address labels.
• A bank employee finds a key ring, with a flash drive attached, in the bank parking lot. Innocently seeking to identify the owner, the employee inserts the flash drive into a bank-network-connected computer. Harmful code on the drive quietly evades all the bank's firewalls and protections.
"Those vulnerabilities go beyond the typical cyberthreat," says Kevin Kalinich, global practice leader of professional risk solutions, Aon Risk Solutions. His advice: "Engage more than just IT and Security. Include Human Resources to train and monitor employees. Engage Research and Development and Legal. At least quarterly and probably monthly, have meetings so the different sections aren't siloed."
"All companies store information, such as billing information and employee information," notes Jason Glasgow, cyberrisk product manager at Traveler's Insurance. "Now they need to worry about how that data is stored and protected."
Robert Parisi emphasizes that banks should continue the efforts that have been effective so far in combating cybercrime. Parisi, FINPRO cyber and technology product lead with Marsh USA, says these include having IT forensics experts do penetration testing and evaluate policies and procedures.
Role of insurance
As important as these steps are, increasingly banks are exploring a line of protection dubbed cyber insurance, as an adjunct to risk management.
Tim Stapleton, assistant vice-president/product manager of professional liability, Zurich North America, describes how this insurance could apply in a data-breach situation:
"Once a breach occurs," he says, "banks have to conduct a forensics exam. They may have to notify potentially affected customers. They may have to provide credit monitoring or identity monitoring, or some sort of remediation service. They may have to consult with a public relations firm.
"All these are first-party expenses," says Stapleton, "typically covered by an insurance policy. This is a crisis management situation, [so] you want to have immediate access to a network of specialists who can help you navigate through that crisis, along with a policy that will actually pick up the expenses associated with it."
A possible conundrum when considering such coverage: "How do we know what threats to protect ourselves from when the threats themselves are evolving so rapidly?"
The answer: Make sure the policy is written not against specific perils, but against generally described perils. "You want to customize the policy to state that it is intended to cover data breaches, security breaches, where the bank is responsible, without identifying the specific threats," says Aon's Kalinich.
The cyber insurance product at Traveler's, for example, has insuring agreements that provide coverage to fit differing needs, notes Tim Francis, the insurer's cyber insurance lead.
The cost of such coverage varies widely from bank to bank. Aon Risk Solutions publicly describes premium costs ranging from $5,000 to $25,000 per $1 million for small entities, to $10,000 to $50,000 per $1 million for large entities.