Cybercrimes continue to pose the most significant risk to the banking sector, ranging from standard phishing attacks to newer ATM jackpotting schemes that manipulate a machine into dispensing larger amounts of money.
Many of the losses originate through human error, so it is critical to ensure all employees are trained on the newest phishing schemes and how to best avoid them. Cyber liability insurance claims represented the largest increase in the percentage of total liability claims, according to data from the American Bankers Association, rising from 19% in 2017 to 26% in 2018.
Several of the most-recent examples of covered cyber claims began when a bank employee succumbed to a phishing attack. This is where the employee clicks on a link provided by what is perceived to be a trusted source, which downloads malware. The malware often causes a breach of network security, providing the perpetrators with complete access to a bank’s networks. In some scenarios, the malware freezes the bank’s systems, and extorts executives for a “consulting fee” to return access of the internal systems. The fee is often in the form of bitcoin or another form of untraceable cryptocurrency.
While that can be a significant expense to the bank, the more-common claim scenario includes the expenses associated with the breach of network security. These can include, but are not limited to:
- Notification costs
- Forensics expenses
- Credit monitoring costs
- Establishing a call center
- Hiring a public relations firm
- Obtaining legal advice, ensuring all discovery is protected by attorney-client privilege
Most cyber liability policies will cover both breach remediation expenses and cyber extortion costs, as long as the third-party providers are approved by the carrier.
However, the loss scenario does not have to be limited to extortion or post-breach remediation expenses. As reported in 2018, a regional Virginia bank fell victim to an ATM heist for a total loss of $2.35 million. The fraud began when an employee fell victim to a targeted phishing email, which allowed the culprits to install malware on bank servers. The malware allowed the thieves to disable anti-theft and anti-fraud protections, including 4-digit PINs and daily withdrawal limits. The bank suffered two separate ATM thefts from this intrusion into its computer systems. The first resulted in a loss of $550,000 over a holiday weekend; the second resulted in a loss of over $1.8 million.
- Make sure your employees are trained, and retrained, on how to detect a phishing e-mail and what to do if they suspect the e-mail may not be legitimate.
- If you have any network security third-party providers, confirm whether they are already included on the cyber carrier’s panel counsel list, which is a list of pre-approved vendors with pre-negotiated rates. If not, try to get them added on a pre-approved basis. This would typically occur during the renewal of the cyber policy, not during a claim.
- If there is a breach of network security, make sure the cyber carrier approves all third-party expenses in writing, in advance, to ensure they will indemnify the bank for those expenses.
- If cybersecurity, cyber risk or cyber insurance is discussed during a board meeting, make sure to document that in the minutes of the meeting. We suggest that boards show that such discussions take place on a quarterly basis, which can result in those boards being viewed in a better light in the event of a cyber-attack.