February 25, 2016

Cyber Risk – No Longer Simply an “IT” Issue

“The United States faces unprecedented cyber security threats.”
-Tom Ridge, former Homeland Security Secretary

“Management and the Board . . . [must] hold business units accountable . . .”
- Board mandate prescribed by the FFIEC Cybersecurity Assessment Tool, June 2015

Cybercrime is costing the global economy nearly half a trillion dollars a year, according to the insurer Allianz. The persistent threat of internet attacks is no longer simply an “IT” issue; it has become a business issue facing all industries, especially the Financial Services industry.  The American Bankers Association warns that as consumers and businesses rely more on electronic devices such as computers, tablets and smartphones to bank and shop online, vulnerabilities increase. 

Once largely considered an IT problem, the rise in frequency and sophistication of Cyber-attacks now requires a shift in thinking on the part of Bank CEOs that management of a Bank’s Cybersecurity Risk is ... a CEO and Board of Directors issue.1

Criminals are constantly searching for new ways to take money and data from banks and customers through fraud and cybersecurity vulnerabilities. Chris Roach, Houston-based Managing Director, National IT Practice Leader at CBIZ Risk & Advisory Services, recalled an incident in which a hacker was inside a large association management company’s system, monitoring user internet activity for access to bank websites. When a user responsible for bank transfers accessed the company’s bank account, the hacker intercepted the user name and password and within seconds transferred $300,000 to an overseas account.

Banks also bear risks for customer and vendor cyber weaknesses. Cyber crooks hacked into the email system of a construction company and ordered money transfers from its bank account. Over a period of five consecutive nights, $100,000 a night was taken out of the corporate checking account. When the bank refused to reimburse the company, the owner sued and finally won,2 although it was somewhat of a hollow victory since legal costs ate up most of what the bank paid. For the bank, obviously, there’s the judgment and the legal fees to be paid. Nobody wins but the cyber crooks.

What’s at stake? Regulatory compliance and fines, increased regulatory scrutiny, stakeholder concerns, liability, litigation, business interruption, risk to brand and reputation are top concerns. The cost of a data breach in dollars can be significant – averaging $3.79 million.3

From “Best” Practice to “Essential” Practice

Experts agree that cybersecurity – both prevention and protection measures – must be enmeshed in business processes. These should include both risk analysis through assessment and risk mitigation through the growing pool of cyber-focused insurance products and internal operational safeguards.

At the 2015 Bank Holding Company Association Meeting, Don Musso, President and CEO of financial institutions management consulting firm, FinPro, pointed out that cybercrime is continuing to evolve. Banks must continue to keep up with cybersecurity. Industry professionals suggest:

  • Institute a cybersecurity culture, coming from the Board down, and integrate cybersecurity into your enterprise risk management (ERM) program.
  • Improve education and training across the organization.
  • Keep pace with cyber threats; banks must stay aware and inform employees of new threats.
  • Prioritize areas in order to allocate the appropriate resources to mitigate the largest risks.
  • Perform simulations to improve responses.
  • Determine if you have the proper skills and expertise on staff; if not, secure them through hire or consultancy.
  • Explore cybersecurity insurance.
  • Evaluate whether employees should be permitted to use personal devices to connect to the network, as this may inadvertently open the Bank to additional risks.
  • Utilize the Federal Financial Institutions Examination Council (FFIEC) assessment tool.

Insurance Requires That You Understand and Manage Your Risk

Traditional insurance can be based on hundreds of years of historical data; insurers can look back, see where the losses came from, and they price accordingly. The cyber market is still young and developing. Coverage may not even be offered unless protections and protocols are in place. 

Bank insurance policies (particularly Directors and Officers insurance and Cyber insurance) are not standard. Policy language and required procedures embedded within the policy can expose an organization to under-insured or uninsured risk. A checklist like the sample below will help you review and assure proper coverage.

| Directors & Officers | Bank Bond | Cyber Liability |
|---|---|---|
| 1. Coverage included for serving on Non Profit boards | 33. Coverage for debit card losses | 61. Coverage if vendor loses bank customer data |
| 2. Can the carrier cancel the policy mid-term? | 34. Safe Deposit includes both liability and loss of property | 62. Encryption required for off-site devices (laptops) to maintain coverage |
| 3. Insureds have the ability to pick their own attorney | 35. M & A – Policy continues unless acquisition is > 25% | 63. Coverage for loss of data either electronically or paper |
| 4. Includes Hammer clause that may force the Insureds to settle? | 36. $50,000 or more limit for claims expense | 64. Coverage for Website, Facebook, LinkedIn liability lawsuits |

Sample of the CBIZ 100-point checklist against which policies can be reviewed.

Additional Resources

If this topic is of interest or within your sphere of responsibility, you will find relevant topics on our blog (search “cyber”). You may also find our Cybersecurity Quick Assessment and Sample Bank Insurance Review to be helpful. 

If you have questions or comments, feel free to contact Kris St. Martin, VP and Bank Program Director, CBIZ Insurance Services, (763) 549-2267.


1. Conference of State Bank Supervisors, Cybersecurity 101 Resource Guide for Bank Executives.

2. As cybercrime proliferates, so does demand for insurance against it, NPR, 11/12/15.

3. IBM Global Technology Services – Special Report from Ponemon Institute, LLC – 2015 Cost of Data Breach Study: Global Analysis.
