What Are the Costs of Cyberattacks?

September 11th, 2017

cyberattack-9-11-17.pngBanks and other financial institutions are prime targets for hackers because criminals can gain access to financial and personal information that leads them to additional sources of funds. For the same amount of effort, corporate accounts give hackers access to much more data. Criminals are working hard to stay a step ahead of security experts, who are trying their best to protect corporate accounts.

Hackers are looking at the interconnectivity of mobile devices and other systems to find ways to squeeze in viruses and capture information. IT experts are also looking at how they can use interconnectivity to incorporate security tools for banks and other industries.

No system is as secure as banks would like for it to be, which makes it difficult for them to know how much insurance would be sufficient in the event of a breach if they are considering the purchase of coverage.

Any way you approach it, protecting against cyberattacks is an expensive proposition.

Banks and other financial institutions stand to lose more than funds and data. Other potential costs include the loss of brand reputation and losses due to exposure for not complying with security regulations.

Research from Kaspersky Lab and B2B International shows that the combined losses due to cybersecurity incidents cost banks about $1.75 million per incident, on average.

Several different things make corporate banking accounts difficult to protect. Corporations usually have multiple people listed on their accounts who need to be able to deposit, transfer and withdraw funds. Having different employees accessing the account on a regular basis, either in person or remotely, opens up opportunities for fraud. Transactions also tend to be larger on corporate accounts than on personal accounts, so there is more to lose.

Senior executives and directors don’t always understand the information that their tech departments provide about how they are protecting the bank’s various computer systems, so they have no way of assessing whether the security programs are effective. A 2017 report by MediaPro surveyed 809 employees working in the financial services industry and classified 80 percent of their employees as “risks” or “novices” relative to cybersecurity. Lack of awareness among financial services employees increases the risk of work practices that could lead to a security breach.

Cybersecurity expert Ariel Evans cautions managers at financial institutions to be aware of IT departments that take a “bottom-up approach” to cybersecurity, which only describes the implementation status of the control and stops at the system level, lacking the ability to detect vulnerabilities within the system. When these cybersecurity systems fail to tie in the business processes to the data assets and systems, the security essentially stops at the system level. A bank may have the most sophisticated, mature security system available, but its effectiveness is nil because it’s not being measured at all.

Evans recommends a top-down approach that ties the business impact of the assets and processes to cyber risk. This approach measures the risk posed to the assets and prioritizes remediation efforts. This information is also helpful to insurance providers since it provides them with more accurate information to offer cyber-risk insurance policies that cover adequate amounts in the event of a breach. (To learn more about why cybersecurity should be a concern for your organization, read this white paper written in conjunction with the NYSE to improve your cybersecurity practices.)

Financial institutions can protect their consumers with cyber risk insurance policies. Many experts question if banks are considering the full cost of what they would risk in the event of a cyberattack. Directors need to carefully assess if they have enough cyber risk insurance. Discussions will no doubt include weighing the cost of the insurance with the amount of protection it provides, due to the large amounts that could be lost in the event of a breach.

Having data about the effectiveness of cybersecurity systems is instrumental in keeping insurance premiums low enough to offset large liability limits.

Directors have a huge task in front of them as they make decisions about cybersecurity. They need to have assurance from the IT department that the security tools they use are mature and effective. They also need to understand all the layers of security, including making sure that they’ve taken steps to make employees aware of their responsibilities in keeping accounts secure. Finally, directors need to understand what their cyber risk insurance policies cover, as well as any limits, conditions and exclusions that apply.

dschindlinger

Dottie Schindlinger is Diligent Corporation’s governance technology evangelist and promotes the intersection of board governance and technology as a recognized expert in the field.

nprice

Nick Price is a content manager at Diligent Corp.