
New cyber-threats…and ways to meet them

So far, hackers, phishers, and other high-tech criminals have been mostly thwarted by banks. However, new channels, more sophisticated criminals, and increased use of outsourcing are bringing new and insidious threats:

• A bank customer stops in a coffee shop with WiFi accessibility, and logs onto her online banking account. Two tables down, or in a back room, a criminal uses a WiFi "sniffer" to extract the account number and log-in information.

• A third-party marketing firm, engaged by the bank to send out notices and forms to customers, mistakenly includes Social Security numbers on the address labels.

• A bank employee finds a key ring, with a flash drive attached, in the bank parking lot. Innocently seeking to identify the owner, the employee inserts the flash drive into a bank-network-connected computer. Harmful code on the drive quietly evades all the bank's firewalls and protections.

"Those vulnerabilities go beyond the typical cyberthreat," says Kevin Kalinich, global practice leader of professional risk solutions, Aon Risk Solutions. His advice: "Engage more than just IT and Security. Include Human Resources to train and monitor employees. Engage Research and Development and Legal. At least quarterly and probably monthly, have meetings so the different sections aren't siloed."

"All companies store information, such as billing information and employee information," notes Jason Glasgow, cyberrisk product manager at Traveler's Insurance. "Now they need to worry about how that data is stored and protected."

Robert Parisi emphasizes that banks should continue the efforts that have been effective so far in combating cybercrime. Parisi, FINPRO cyber and technology product lead with Marsh USA, says these include having IT forensics experts do penetration testing and evaluate policies and procedures.

Role of insurance

As important as these steps are, increasingly banks are exploring a line of protection dubbed cyber insurance, as an adjunct to risk management.

Tim Stapleton, assistant vice-president/product manager of professional liability, Zurich North America, describes how this insurance could apply in a data-breach situation:

"Once a breach occurs," he says, "banks have to conduct a forensics exam. They may have to notify potentially affected customers. They may have to provide credit monitoring or identity monitoring, or some sort of remediation service. They may have to consult with a public relations firm.

"All these are first-party expenses," says Stapleton, "typically covered by an insurance policy. This is a crisis management situation, [so] you want to have immediate access to a network of specialists who can help you navigate through that crisis, along with a policy that will actually pick up the expenses associated with it."

A possible conundrum when considering such coverage: "How do we know what threats to protect ourselves from when the threats themselves are evolving so rapidly?"

The answer: Make sure the policy is written not against specific perils, but against generally described perils. "You want to customize the policy to state that it is intended to cover data breaches, security breaches, where the bank is responsible, without identifying the specific threats," says Aon's Kalinich.

The cyber insurance product at Traveler's, for example, has insuring agreements that provide coverage to fit differing needs, notes Tim Francis, the insurer's cyber insurance lead.

The cost of such coverage varies widely from bank to bank. Aon Risk Solutions publicly describes premium costs ranging from $5,000 to $25,000 per $1 million for small entities, to $10,000 to $50,000 per $1 million for large entities.

John Ginovsky

John Ginovsky is a contributing editor of Banking Exchange and editor of the publication’s Tech Exchange e-newsletter. For more than two decades he’s written about the commercial banking industry, specializing in its technological side and how it relates to the actual business of banking. In addition to his weekly blogs—"Making Sense of It All"—he contributes fresh, original stories to each Tech Exchange issue based on personal interviews or exclusive contributed pieces. He previously was senior editor for Community Banker magazine (which merged into ABA Banking Journal) and for ABA Banking Journal and was managing editor and staff reporter for ABA’s Bankers News. Email him at jginovsky@sbpub.com.
