The Newest Exposure Facing Community Bank Boards

Cybercrime continues to pose the most significant risk to the banking sector, ranging from standard phishing attacks to newer ATM jackpotting schemes that manipulate a machine into dispensing larger amounts of money.

Many of the losses originate through human error, so it is critical to ensure all employees are trained on the newest phishing schemes and how to best avoid them. Cyber liability insurance claims represented the largest increase in the percentage of total liability claims, according to data from the American Bankers Association, rising from 19% in 2017 to 26% in 2018.

Several of the most recent examples of covered cyber claims began when a bank employee succumbed to a phishing attack. This is where the employee clicks on a link provided by what is perceived to be a trusted source, which downloads malware. The malware often causes a breach of network security, providing the perpetrators with complete access to a bank’s networks. In some scenarios, the malware freezes the bank’s systems, and the perpetrators extort executives for a “consulting fee” to restore access to the internal systems. The fee is often demanded in bitcoin or another hard-to-trace cryptocurrency.

While that can be a significant expense to the bank, the more-common claim scenario includes the expenses associated with the breach of network security. These can include, but are not limited to:

  • Notification costs
  • Forensics expenses
  • Credit monitoring costs
  • Establishing a call center
  • Hiring a public relations firm
  • Obtaining legal advice, ensuring all discovery is protected by attorney-client privilege

Most cyber liability policies will cover both breach remediation expenses and cyber extortion costs, as long as the third-party providers are approved by the carrier.

However, the loss scenario does not have to be limited to extortion or post-breach remediation expenses. As reported in 2018, a regional Virginia bank fell victim to an ATM heist for a total loss of $2.35 million. The fraud began when an employee fell victim to a targeted phishing email, which allowed the culprits to install malware on bank servers. The malware allowed the thieves to disable the bank’s anti-theft and anti-fraud protections, including 4-digit PINs and daily withdrawal limits. The bank suffered two separate ATM thefts from this single intrusion into its computer systems. The first resulted in a loss of $550,000 over a holiday weekend; the second resulted in a loss of over $1.8 million.

Recommendations:

  • Make sure your employees are trained, and retrained, on how to detect a phishing e-mail and what to do if they suspect the e-mail may not be legitimate.
  • If you have any network security third-party providers, confirm if they are already included under the cyber carrier’s panel counsel list, which is a list of pre-approved vendors with pre-negotiated rates. If not, try to get them added on a pre-approved basis. This would typically occur during the renewal of the cyber policy, not during a claim.
  • If there is a breach of network security, make sure the cyber carrier approves all third-party expenses in writing, in advance, to ensure they will indemnify the bank for those expenses.
  • If cybersecurity, cyber risk or cyber insurance is discussed during a board meeting, make sure to document that in the minutes of the meeting. We suggest that boards show that such discussions take place on a quarterly basis, which can result in those boards being viewed in a better light in the event of a cyber-attack.

The Need for Secure Communications in the Boardroom

Boards need to keep director communications secure, timely and accurate.

Communication can be a major challenge for busy board directors who need to touch base with their peers regularly, and it can introduce major security risks for the institution.

Boards tend to use different applications or multiple email accounts; juggling numerous electronic platforms means that directors need to remember multiple user IDs and passwords. Directors sometimes resort to using their personal email accounts out of frustration with other systems or for personal convenience.

Many boards send sensitive internal governance communications through insecure channels. The use of personal email for internal board communications is widespread. A report Diligent Corporation conducted with Forrester Consulting found that 56 percent of directors use personal email for their board communications. Governance professionals and C-level executives also sometimes use their personal email for governance communications.

This is not a good practice. Cybercrime continues to evolve; attacks are increasingly sophisticated, and they are occurring with increasing frequency. Attacks are also becoming more complex, and recovering from digital breaches may become increasingly difficult.

Hackers specifically target directors, C-level executives and the people who support them in a tactic known as “whaling.” Hackers are keenly aware that boards regularly deal with information that is highly sensitive and confidential. Cyber criminals are likely to target high-profile individuals, threatening them with the release of private information unless they pay a ransom. When directors and other notable individuals use personal email accounts for corporate business, they are prone to falling victim to phishing and malicious cyberattacks that could harm the corporation.

Best practices for corporate governance require directors to communicate in ways that are secure, timely and accurate, and that reflect good governance principles. Encapsulated within the principles of good corporate governance is the need to use the right technology to support these efforts. Specific technology that protects the board’s internal communications can also streamline various processes. However, boards should look for specific tools with features such as remote wiping, given that nearly 30% of directors report losing or misplacing a phone, tablet or computer at some point.

The only way to keep sensitive and confidential information private is to use a secure digital messaging application. Look for applications that can work with existing digital infrastructure but are also secure. Some solutions help augment governance and accountability functions, which can address liability issues that email and other types of communications can sometimes create for board administrators and general counsels.

Probably the most difficult element of using secure communications in the boardroom is actually getting directors to use the technology. Getting board directors to change their habits can be a daunting task and something that can take time. However, with the right support and training, directors will be more willing to make the change.

Directors need to understand the importance of using the right technologies and why their current communication methods open the board up to risk. Assessing the security threat demonstrates to the board that the discussion topics and documents are highly sensitive and cannot risk being leaked. The right communication application should provide control to the administrator, with security being a top feature to ensure directors are protected.

Additionally, getting director buy-in from the start is crucial. It is important that boards realize what could happen if their emails are hacked and why they need to adopt secure communications avenues.

Providing your board of directors with the right reasons for needing secure communications is half the battle. Make sure your bank properly evaluates the various technologies and that directors receive the right training to use the tools properly.