Cybersecurity Risk Management
for Financial Institutions
RISK CONSULTING AND INSURANCE SERVICES
Cyber and Data Risks
for Financial Institutions
“The persistent threat of internet attacks is a
societal issue facing all industries,
especially the Financial Services industry.
Once largely considered an IT problem, the
rise in frequency and sophistication of
cyber-attacks now requires a shift in
thinking on the part of Bank CEOs that
management of a Bank’s Cybersecurity
Risk is not simply an IT issue, but a CEO
and Board of Directors issue.”
SOURCE: Conference of State Bank Supervisors
Cybersecurity 101 Resource Guide
Why is cyber risk a top concern?
Cyber crime is
exploding.
Regulatory compliance,
stakeholder concerns,
liability, litigation,
business interruption,
reputation . . .
there’s a lot to manage
and a lot at stake.
Cyber and Data Risks
for Financial Institutions
In 2016, 88% of security attacks in the finance industry fell into three categories:
• 48% Web Application Attacks (14% in 2014): Hackers find and exploit application vulnerabilities, often content management systems (CMS) or e-commerce platforms.
• 34% Denial-of-Service (32% in 2014): A denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users. Ransomware falls in this category.
• 6% Crimeware (not ranked in 2014): Use of a physical “skimmer” on an ATM, point-of-sale (POS) terminal or gas pump to read the data on your card’s magnetic strip as you pay.
SOURCE: Verizon 2016 Data Breach Investigations Report - Financial Services
Data Breach in Dollars
Cost (US companies):
• $7.01M = average total cost of a data breach
• $221 = average cost paid per compromised (lost or stolen) record*
• 29,611 = the average number of breached records per incident
• $3.97M = cost of lost business ($3.72 in 2015)
Mean Time to Identify (MTTI) and Mean Time to Contain (MTTC) metrics:
• $5.83M when MTTI < 100 days
• $8.01M when MTTI > 100 days
• $5.24M when MTTC < 30 days
• $8.85M when MTTC > 30 days
SOURCE: IBM Global Technology Services – Special Report from Ponemon Institute, LLC – 2016 Cost of Data Breach Study: Global Analysis
* “Record” = Information that identifies the natural person (individual) whose information has been lost or stolen in a data breach
Cyber risk is clear.
The question is, what is the best approach for your institution?
We recommend a holistic approach to risk – one that identifies vulnerability, establishes internal controls, implements IT barriers, mitigates the risk with a cyber-specific insurance program, and includes a recovery plan.
CBIZ Cyber Service Teams include financial, risk, IT and insurance professionals who work with clients from multiple perspectives to develop a comprehensive protection plan customized to your industry compliance requirements and your organizational needs.
A HOLISTIC approach includes Cyber Risk Management (CBIZ Financial Risk & Advisory Consulting) and Cyber Risk Mitigation (CBIZ Bank Insurance Program).
Cyber Risk Management
CBIZ Risk & Advisory Services
Business risks abound in today's world. The rise of sophisticated data breaches, coupled with the increased demands on organizational leaders, makes robust risk management policies essential.
CBIZ Risk & Advisory experts work closely with you to understand the full scale of your cyber risk, starting with your industry’s unique risk factors and working down to the specific security policies you have in place.
CBIZ can help you design or improve existing documented policies, procedures and controls and can review existing device configurations.
CBIZ risk consulting assesses and manages the full spectrum of cyber risk. For example:
• Security Program Review / Development / Remediation
• Infrastructure Design / Assessment / Remediation
• Penetration Testing
• Vulnerability Assessments
• Web Application / Web Services Assessments
• Mobile Application Assessments
• Social Engineering and Facility Breach Exercises
• IT Risk Assessments / IT Audit and Compliance Engagements
• Incident Response
• Digital Forensics / Litigation Support
• Service Organization Control (SOC) Reporting
Keys to Cyber Risk Management
CBIZ Risk & Advisory Services
The best defense is a good offense.
Having a proactive, robust plan in place can help minimize the potential damage from a breach and get your organization back on track more quickly in the wake of a disruptive event.
The first step is assessment.
• IDENTIFY internal and external cyber risks – Risk Assessment to identify threats/vulnerabilities, measure/communicate risk.
• PROTECT organizational systems, assets and data – Internal Controls, Staff Training, Data Security, Insurance.
• DETECT system intrusions, data breaches and unauthorized access – System Monitoring reinforces Protection.
• RESPOND to a potential cybersecurity event – Have a structure in place and routinely audit the Incident Response Plan.
• RECOVER from a cybersecurity event by restoring normal operations and services – Disaster recovery can be built into insurance coverage.
Quick Preparedness Assessment
CBIZ Risk & Advisory Services
Important first step: Help your organization quickly assess how prepared you are to face cyber crime.
12 Yes/No Questions
Rankings:
1. Beginner
2. Intermediate
3. Advanced
4. Proficient
If an organization ranks Beginner or Intermediate, a more in-depth evaluation is recommended.
Cyber Risk Management
CBIZ Risk & Advisory Services
Insights & Resources
• The Risk Advisor - Volume 4 (newsletter)
• Lessons Learned from Cyber Incidents in 2016 (article)
• 3 Strategies to Reduce the Risk of Cyber-Attacks (article)
• Three questions every board should ask about enterprise risks (blog)
• 7 Ways to Strengthen Cybersecurity: Questions to Ask About Third-Party Providers (article)
• Why Would an Accounting Firm Go Diving in Your Bank’s Trash Dumpster? (podcast)
Cyber Risk Mitigation
CBIZ Insurance Services
As cyber threats have grown in scope and impact, cyber insurance has become a key feature of an enterprise-wide cyber risk management strategy.
Risk transfer through cyber insurance bolsters customer and business partner confidence and supports industry expectations that a cyber risk strategy is implemented.
CBIZ Insurance Services examines your risks, measures their potential impact and recommends appropriate coverage and strategies to manage or mitigate the risks.
Four reasons you need cyber coverage:
01 INCREASINGLY STRINGENT LAWS AND REGULATIONS – Failure to comply places your operations and reputation at enormous risk.
02 TECHNOLOGICAL ADVANCES have made it easier to store, transport, steal and lose sensitive information.
03 OUTSOURCING – You bear the burden of any privacy breach stemming from outsourced operations such as entrusting outside contractors to handle sensitive data.
04 USER ERROR – An all-too-common exposure can result from simply copying records to the wrong file, revealing personal identification information via batch email communications, or forgetting to shred confidential information.
Cyber Risk Mitigation Program
CBIZ Insurance Services
Cyber can’t be a “footnote” to general P&C.
When an incident is suffered, INSURANCE provides the bank the funds to quickly respond and recover.
Most carriers now exclude most cyber risks from their P&C, Bond, D&O and E&O policies.
Coverage may not even be offered unless protections and protocols are in place.
The first step in mitigation is comprehensive risk and policy review.
• IDENTIFY your cyber risk exposures and perform an in-depth insurance policy review for proper coverages.
• PROTECT your institution by working with insurance advisors experienced in the Banking and Financial Services sector.
• CUSTOMIZE your coverage areas to include bank buildings, property, crime bond (wire transfers, debit card fraud), directors and officers insurance (board oversight liability) and all-inclusive cyber coverage.
• ENSURE your cyber coverage includes cyber liability, data breach, regulatory claims, social media and website issues, cyber extortion, business interruption.
• REVIEW your cyber risk exposures and insurance coverages with your Insurance Program advisor.
Insurance Policy Review
CBIZ Insurance Services
Bank insurance policies (particularly Directors and Officers insurance and Cyber insurance) are not standard.
Policy language and required procedures imbedded within the policy can expose an organization or individual to under-insured or uninsured risk.
That’s why, as a first step, it’s critical to assess your current coverage and compare it with your analyzed risks.
You also want to make sure cyber, crime bond and D&O policies work together, not in opposition to each other.
Cyber Risk Mitigation
CBIZ Insurance Services
Insights & Resources
• Banking & Financial Services Quarterly Hot Topics (e-newsletter)
• Cyber Risk – No Longer Simply an “IT” Issue (article)
• Cyber Liability Insurance FAQ (article)
• Biz Tips: Key Issues in Bank Insurance Today (podcast)
• How the CBIZ Bank Insurance Program Can Help Your Business (videocast)
• CBIZ Cyber Risk Management Expert: Effective Solutions for Banks (article + podcast)
CASE STUDIES
Faulty Banking Scam
Email Breach
Online Banking
Data Breach
Data Breach – Board Litigation
Business Interruption
Ransomware
Case Study: Company Loses $400,000+ in Faulty Banking Scam
Issue
The Company used an international Supplier for weekly material shipments that were released upon payment. A request was received from Supplier to send payments to a new bank. The request appeared standard because the Supplier often changed banks.
The Attack
Hackers accessed the Supplier email system and learned about the payment process. Posing as the Supplier, hackers sent an email instructing the Company to send payments to another bank. $400,000+ in Supplier payments were sent to the wrong bank.
Key Findings
Because the Company always paid, the Supplier continued to release materials. Because the Company received material, they did not realize the Supplier was not receiving their payments. Hackers intercepted delinquent payment inquiry emails from the Supplier to the Company.
Lessons Learned
Any information can be valuable in the wrong hands. Internal controls are essential to effective operations. DO NOT rely on email alone to communicate with your key vendors.
Case Study: Email Breach Provides Access to Payroll and PII Data
Issue
Company relied on commonly used email system. Cybersecurity and social engineering training and awareness programs were not in place.
The Attack
Hackers bypassed network security and compromised the corporate email server. The hackers gained access to an email containing an attached payroll file.
Key Findings
The hackers set up specific rules to forward emails meeting certain criteria to an external email address. Emails were still being received by the intended recipient, so neither the sending parties nor receiving parties had any knowledge of the interception.
Lessons Learned
Data and intellectual property are NOT always the hacker’s target. A current, actionable and efficient incident response plan is critical to responding to a breach. TEST REGULARLY! Internal controls are essential to effective operations.
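The forwarding-rule interception in this case study is the kind of thing a periodic mailbox-rule audit can surface. The sketch below is an added example, not part of the original deck: the rule record layout, the domains, the term list and the scoring weights are all assumptions constructed for illustration, so map your own mail platform's rule export onto it.

```python
"""Audit exported mailbox rules for silent forwarding to external addresses."""
from dataclasses import dataclass, field

# Assumptions for this example: domains the organization owns, and terms that
# mark mail an attacker would want to siphon (payroll file, payment requests).
INTERNAL_DOMAINS = {"examplebank.test"}
SENSITIVE_TERMS = {"payroll", "invoice", "wire", "payment", "w-2"}


@dataclass
class Finding:
    mailbox: str
    rule_name: str
    external_targets: list
    reasons: list = field(default_factory=list)
    score: int = 0


def is_external(address, internal_domains):
    """True unless the address domain is an internal domain or a subdomain of one."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return not any(domain == d or domain.endswith("." + d) for d in internal_domains)


def audit_rule(rule, internal_domains=INTERNAL_DOMAINS):
    """Return a Finding for an enabled rule that sends mail outside, else None."""
    if not rule.get("enabled", True):
        return None  # disabled rules move no mail; review them separately
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    external = sorted(a for a in targets if is_external(a, internal_domains))
    if not external:
        return None
    finding = Finding(rule["mailbox"], rule["name"], external,
                      ["forwards or redirects to an external address"], 3)
    if rule.get("keep_copy", False):
        # The case-study pattern: the recipient still gets the mail.
        finding.reasons.append("original still delivered, so nothing looks missing")
        finding.score += 2
    text = " ".join(rule.get("match_terms", [])).lower()
    hits = sorted(t for t in SENSITIVE_TERMS if t in text)
    if hits:
        finding.reasons.append("selects sensitive mail: " + ", ".join(hits))
        finding.score += 2
    return finding


def audit_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Audit every rule and return findings, highest score first."""
    findings = [f for f in (audit_rule(r, internal_domains) for r in rules) if f]
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample export (not real data).
SAMPLE_RULES = [
    {"mailbox": "hr@examplebank.test", "name": ".", "enabled": True,
     "match_terms": ["Payroll", "direct deposit"],
     "forward_to": ["collector@mail-archive.example"], "keep_copy": True},
    {"mailbox": "cfo@examplebank.test", "name": "To assistant", "enabled": True,
     "match_terms": [], "forward_to": ["assistant@examplebank.test"],
     "keep_copy": True},
    {"mailbox": "teller1@examplebank.test", "name": "Personal copy",
     "enabled": True, "match_terms": [],
     "redirect_to": ["teller1@webmail.example"], "keep_copy": False},
    {"mailbox": "ap@examplebank.test", "name": "old", "enabled": False,
     "match_terms": ["invoice"],
     "forward_to": ["x@examplebank.test.evil.example"], "keep_copy": True},
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f.score, f.mailbox, repr(f.rule_name), f.external_targets)
        for reason in f.reasons:
            print("   -", reason)
```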
Case Study: Online Banking
Issue – Stolen User Name and Password
Attackers stole the username and password to a client's online bank account and used the credentials to transfer $440,000 to an account in Cyprus. Client alleges that the bank failed to implement commercially reasonable security measures as defined in the Funds Transfer Act provisions of the UCC.
Prevention – Best Practices
• Bank provides clients with documentable training and training materials.
• Encourage the client to require two people to initiate a transfer.
• Encourage the client to set a daily limit.
• Bank implements dual factor authentication.
• Bank requires call back prior to initiating transfer over.
Insurance
• Make sure that Computer Crime is included in the bond and that it includes any theft where the Bank is held liable.
• Procedure should require a banker to call back the customer at a preassigned phone number prior to initiating a transfer over $25,000.
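The controls listed for this case (two people per transfer, a daily limit, a second factor, and a call back to a preassigned number over $25,000) can be expressed as one release check. This is an added example, not part of the original deck: the class names, field names, phone numbers and the $100,000 daily limit are assumptions constructed for illustration; only the $25,000 call-back threshold comes from the slide.

```python
"""Release check for an outgoing transfer, combining the slide's controls."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

CALLBACK_THRESHOLD = Decimal("25000")  # from the slide: call back over $25,000


@dataclass(frozen=True)
class ClientProfile:
    client_id: str
    callback_phone: str      # preassigned number, captured at onboarding
    daily_limit: Decimal     # assumption: limit agreed with the client
    require_dual_initiation: bool = True


@dataclass(frozen=True)
class TransferRequest:
    client_id: str
    amount: Decimal
    initiated_by: str
    approved_by: Optional[str]           # second client user, if any
    second_factor_ok: bool
    callback_number_dialed: Optional[str]
    callback_confirmed: bool


def evaluate_transfer(req, profile, released_today=Decimal("0")):
    """Return the list of reasons to hold the transfer; empty means release."""
    reasons = []
    if not req.second_factor_ok:
        reasons.append("second authentication factor missing")
    if profile.require_dual_initiation and (
            not req.approved_by or req.approved_by == req.initiated_by):
        reasons.append("needs approval by a second, different person")
    if released_today + req.amount > profile.daily_limit:
        reasons.append("exceeds the client's daily limit")
    if req.amount > CALLBACK_THRESHOLD:
        # The number must come from the profile, never from the request itself.
        if req.callback_number_dialed != profile.callback_phone:
            reasons.append("call back not placed to the preassigned number")
        elif not req.callback_confirmed:
            reasons.append("customer did not confirm on call back")
    return reasons


# Constructed sample data (not real accounts or phone numbers).
SAMPLE_PROFILE = ClientProfile("client-001", "+1-555-0100", Decimal("100000"))

# The case-study pattern: valid username and password, nothing else.
STOLEN_CREDENTIALS = TransferRequest(
    "client-001", Decimal("440000"), "user1", None, False, None, False)

# A routine transfer that satisfies every control.
ROUTINE = TransferRequest(
    "client-001", Decimal("30000"), "user1", "user2", True, "+1-555-0100", True)

# Everything in order except the banker dialed a number supplied in the request.
SPOOFED_CALLBACK = TransferRequest(
    "client-001", Decimal("30000"), "user1", "user2", True, "+1-555-0199", True)

if __name__ == "__main__":
    for label, req in [("stolen credentials", STOLEN_CREDENTIALS),
                       ("routine", ROUTINE),
                       ("spoofed call back", SPOOFED_CALLBACK)]:
        held = evaluate_transfer(req, SAMPLE_PROFILE, Decimal("50000"))
        print(label, "->", "RELEASE" if not held else held)
```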
Case Study: Data Breach via Theft or Loss of Devices/Media
Prevention Practices
Ensure proper physical security of electronic and physical restricted data:
• Lock down workstations and laptops
• Secure work area, files, laptops and portable equipment before leaving
• Shred sensitive paper records
• Don’t leave sensitive information lying around unprotected (on printers, fax machines) or visible (computer, electronic devices, car or home)
• Use security measures for portable devices and laptops, both encryption and physical security
• Delete personal identity information and other restricted data when it is no longer needed
• Be prepared with a data breach disaster plan
• Provide employee training
• Audit regularly to test your plan and program
• Implement software to remotely wipe data on mobile devices
• Conduct regular vulnerability risk assessment
• Vet any vendor that has access to data
Insurance
• A cyber liability policy will typically provide coverage for the costs associated with a breach as well as associated lawsuits.
• The bank’s property policy will provide coverage for the theft of the physical equipment.
• Recommendations:
  o Consider a cyber liability policy that includes Data Breach services and not solely a coverage limit
  o Make sure the cyber liability policy includes coverage for lost data by a bank vendor
  o Check the cyber liability policy for procedure requirements to maintain coverage
  o Make sure that the loss of paper personal data is covered in addition to electronic data
  o Make sure that both intentional and accidental breaches of data are covered
Case Study: Data Breach – Board Litigation
Recent high-profile attacks on big name brands have triggered lawsuits naming individual Directors. Shareholders, customers and vendors are pursuing legal recourse against executives for breaching the fiduciary duty to manage cyber risk.
Prevention Practices
• Add Cybersecurity Briefing as a regular board agenda item.
• Provide Cyber Risk education and training for Officers and Directors.
• Create a record of the Board’s involvement in cyber risk management and training.
• The board should understand related regulations, including the state data breach notification laws.
• Board should annually approve the Cyber Risk Management Plan.
Insurance
• Most Directors and Officers (D&O) policies cover litigation against directors and officers relating to breach of cyber fiduciary duties.
• Because of the increased frequency of events and growing cost of cyber incidents, some carriers are starting to exclude this coverage. Verify that the D&O policy does not exclude litigation relating to a data breach.
• Some Cyber Liability policies include coverage for Directors and Officers relating to breach of cyber fiduciary duties.
Case Study: Business Interruption
Issue – Hackers Exploit Flaws
Hackers are exploiting flaws in computer systems, crippling the performance of normal business operations. The attacks include malicious code and denial of service that may make your website, applications and processes unusable to employees and customers alike.
Viruses, worms or other code may delete critical information on hard drives and other hardware. Further, financial institutions can suffer business interruption from third-party vendors upon whom they rely to perform daily business.
Prevention – Best Practices
• Create a formal program – Begin by capturing all systems used by the organization based on their functions, processes and the data they store.
• Document risk management program that addresses the scope, roles, responsibilities, compliance criteria and methodology for performing cyber risk assessments.
• Include employee education and limit employee access and authority to an as-needed basis.
• Integrate your Incident Response Plans with Business Continuity / Disaster Recovery Plans.
• Train and test everyone on their role and responsibilities in Incident Response, Business Continuity and Disaster Recovery.
Insurance
Proper coverage will include lost income due to the event:
• Profits that would have been earned had the event not occurred
• Operating expenses, such as utilities, that must be paid even though business temporarily ceased
• Rented or leased equipment
Case Study: Ransomware
Issue – Phishing Scam
Hackers access a computer system, often using a phishing scam that tricks employees into opening a document or clicking on a bad link, which then infects the system with malicious software that uses encryption algorithms to lock up the data.
In order to regain access to their encrypted files, companies must pay ransom. “If you don’t pay the $20,000 ransom within 72 hours, your data will be gone forever.”
Prevention – Best Practices
• Frequent backups of data.
• Employee training regarding clicking links or opening documents.
• Consider network segmentation to minimize the spread of ransomware should your organization become infected.
Insurance
• Extortion coverage is an option in most cyber policies. Since these demands tend to be relatively modest amounts, the deductible should be watched. Some Kidnap and Ransom coverage includes Electronic Extortion.
• The carrier needs to agree before a ransom is paid.
• Do not disclose that you have insurance.
Crown Castle initially engaged CBIZ to classify our data and create a risk
taxonomy before beginning red team exercises. The collaboration with our
staff and reporting of real-time results throughout the duration of our
engagement has allowed Crown Castle to recognize the benefits of these
services immediately. Their best practice recommendations and hands-on
approach has helped our company strengthen its security infrastructure.
Tom Keaton
Internal Audit Manager
Crown Castle International
Client Feedback
CBIZ CYBER TEAM
Serving Financial Institutions
Practice Leaders:
• Chris Roach, Managing Director & National IT Leader, CBIZ Risk & Advisory Services
• Kris St. Martin, Vice President & Bank Program Director, CBIZ Insurance Services
CBIZ Cyber Team for Financial Institutions
KRIS ST. MARTIN
Vice President and
Bank Program Director
CBIZ Insurance Services
Kris has more than 23 years of direct bank
experience in audit, procedures, IT security,
lending and board training. Kris has held many
positions in the banking industry in security,
including Senior Lending Officer, President,
CEO and Board Chair. Kris has been providing
risk mitigation services to the financial industry
since 2009 including cyber, directors & officers
and crime bond insurance.
763.549.2267 | kstmartin@cbiz.com
CHRIS ROACH
Managing Director and
National IT Practice Leader
CBIZ Risk & Advisory Services
Chris has extensive experience in information
technology, risk management, business
management and using technology to mitigate
business risks. He consults for both public and
privately held companies. Chris holds
certifications as Certified Information Security
Manager (CISM) and Certified in Risk and
Information Systems Controls (CRISC). He is a
former IT Risk Partner at KPMG.
713.871.1118 | croach@cbiz.com
Practice Leaders
CBIZ Cyber Team for Financial Institutions
W. REMONDE BRANGMAN
Practice Leader
Vendor Risk Management
CBIZ Risk & Advisory Services
Remonde has more than 35 years experience in
governance, risk management, internal audit,
ISO 31000, ISO 27000 (information security
management), vendor risk, fraud investigation
and forensic accounting. Remonde is a former
chief audit executive of a $10 Billion Global
Bank. He has served Fortune 100 companies as
well as local, state, federal and foreign
government entities.
240.396.1063 | rbrangman@cbiz.com
DAMIAN CARACCIOLO
Vice President
Executive Protection Practice
CBIZ Insurance Services
Damian has more than 25 years experience in
executive and business management liability lines,
including cyber liability (network security and
privacy), commercial crime and kidnap, ransom
and extortion. Damian has held several
management positions with a Fortune 500
company. In addition, his broad background brings
expertise in International Risks, Labor
Organization, Commercial and Construction Surety
bonding.
443.472.8096 | dcaracciolo@cbiz.com
Subject Matter Experts
CBIZ Banking & Financial Services
Newsletter Executive Committee
KRIS ST. MARTIN – Vice President, Bank Program
Director, CBIZ Insurance Services
CHRIS ROACH – Managing Director and National
IT Practice Leader, CBIZ Risk & Advisory Services
W. REMONDE BRANGMAN – Director and
National Practice Leader, Vendor Risk Management,
CBIZ Risk & Advisory Services
JAKE McDONALD – Senior Manager, Credit Risk
Advisory, CBIZ MHM, LLC
TODD GORDON – Vice President of Sales, CBIZ
Benefits & Insurance
JAY MESCHKE – President, EFL Associates &
CBIZ Human Capital Service
KEVIN NUSSBAUM – Vice President of Client
Development, CBIZ, Inc.
Check out the issue archive online.
Four to Six
interesting articles
each issue.
Questions
Our cyber risk team will be happy to take your call or respond to your email.
Feel free to contact our Practice Leaders with any questions you may have.
• Kris St. Martin, CBIZ Bank Insurance
• Chris Roach, CBIZ Risk & Advisory
• Remonde Brangman, Vendor Risk
• Damian Caracciolo, Executive Risk
To learn more about CBIZ, we invite you to visit www.cbiz.com.
Connect with us on LinkedIn

Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
 
Cyber fraud in banks
Cyber fraud in banksCyber fraud in banks
Cyber fraud in banks
 
Cybersecurity in the Boardroom
Cybersecurity in the BoardroomCybersecurity in the Boardroom
Cybersecurity in the Boardroom
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & Recommendations
 
CyberSecurity Vision: 2017-2027 & Beyond!
CyberSecurity Vision: 2017-2027 & Beyond!CyberSecurity Vision: 2017-2027 & Beyond!
CyberSecurity Vision: 2017-2027 & Beyond!
 
7 cyber security questions for boards
7 cyber security questions for boards7 cyber security questions for boards
7 cyber security questions for boards
 
The Board and Cyber Security
The Board and Cyber SecurityThe Board and Cyber Security
The Board and Cyber Security
 
Cyber security presentation
Cyber security presentationCyber security presentation
Cyber security presentation
 
Cybercrime.ppt
Cybercrime.pptCybercrime.ppt
Cybercrime.ppt
 
Cyber crime and security ppt
Cyber crime and security pptCyber crime and security ppt
Cyber crime and security ppt
 
Weaver - Financial Institutions Consulting
Weaver - Financial Institutions ConsultingWeaver - Financial Institutions Consulting
Weaver - Financial Institutions Consulting
 
Banking law-study-material
Banking law-study-materialBanking law-study-material
Banking law-study-material
 
SNIA2015 - Solo, Indonesia - Sarwono sutikno + yoko acc Cybersecurity Risk a...
SNIA2015 - Solo, Indonesia - Sarwono sutikno + yoko acc  Cybersecurity Risk a...SNIA2015 - Solo, Indonesia - Sarwono sutikno + yoko acc  Cybersecurity Risk a...
SNIA2015 - Solo, Indonesia - Sarwono sutikno + yoko acc Cybersecurity Risk a...
 
Cybersecurity 4.0
Cybersecurity 4.0Cybersecurity 4.0
Cybersecurity 4.0
 
Anti Globalization goes Global
Anti Globalization goes GlobalAnti Globalization goes Global
Anti Globalization goes Global
 
CRI Extract from "Cyber Lessons from the Front lines"
CRI Extract from "Cyber Lessons from the Front lines"CRI Extract from "Cyber Lessons from the Front lines"
CRI Extract from "Cyber Lessons from the Front lines"
 
Experienta de cumparare
Experienta de cumparare Experienta de cumparare
Experienta de cumparare
 
Barometrul educatiei si culturii antreprenoriale
Barometrul educatiei si culturii antreprenorialeBarometrul educatiei si culturii antreprenoriale
Barometrul educatiei si culturii antreprenoriale
 

Similar to Cybersecurity Risk Management for Financial Institutions

7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
TraintechTde
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementDaren Dunkel
 
Cyber threat forecast 2018..
Cyber threat forecast 2018..Cyber threat forecast 2018..
Untitled document.otd
Untitled document.otdUntitled document.otd
Untitled document.otd
hamzarajpoot33
 
Mastering Cybersecurity Risk Management: Strategies to Safeguard Your Digital...
Mastering Cybersecurity Risk Management: Strategies to Safeguard Your Digital...Mastering Cybersecurity Risk Management: Strategies to Safeguard Your Digital...
Mastering Cybersecurity Risk Management: Strategies to Safeguard Your Digital...
cyberprosocial
 
What is cyber security
What is cyber securityWhat is cyber security
What is cyber security
SAHANAHK
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
Anil
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
Anil
 
The Security Circle- Services Offered
The Security Circle- Services OfferedThe Security Circle- Services Offered
The Security Circle- Services OfferedRachel Anne Carter
 
Importance of Cybersecurity in BFSI Sector in India.pdf
Importance of Cybersecurity in BFSI Sector in India.pdfImportance of Cybersecurity in BFSI Sector in India.pdf
Importance of Cybersecurity in BFSI Sector in India.pdf
MobibizIndia1
 
Department of Homeland Security Guidance
Department of Homeland Security GuidanceDepartment of Homeland Security Guidance
Department of Homeland Security Guidance
Meg Weber
 
DHS Guidelines
DHS GuidelinesDHS Guidelines
DHS Guidelines
Meg Weber
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber Security
Karyl Scott
 
Choosing the Right Cybersecurity Services: A Guide for Businesses
Choosing the Right Cybersecurity Services: A Guide for BusinessesChoosing the Right Cybersecurity Services: A Guide for Businesses
Choosing the Right Cybersecurity Services: A Guide for Businesses
basilmph
 
Strategy considerations for building a security operations center
Strategy considerations for building a security operations centerStrategy considerations for building a security operations center
Strategy considerations for building a security operations center
CMR WORLD TECH
 
What Not-for-Profits Can Do To Prevent "Uninspired" Theft
What Not-for-Profits Can Do To Prevent "Uninspired" TheftWhat Not-for-Profits Can Do To Prevent "Uninspired" Theft
What Not-for-Profits Can Do To Prevent "Uninspired" Theft
CBIZ, Inc.
 
How to Establish a Cyber Security Readiness Program
How to Establish a Cyber Security Readiness ProgramHow to Establish a Cyber Security Readiness Program
How to Establish a Cyber Security Readiness Program
Matt Moneypenny
 
How to assess your Cybersecurity Vulnerability_.pdf
How to assess your Cybersecurity Vulnerability_.pdfHow to assess your Cybersecurity Vulnerability_.pdf
How to assess your Cybersecurity Vulnerability_.pdf
Metaorange
 
How to assess your Cybersecurity Vulnerability_.pptx
How to assess your Cybersecurity Vulnerability_.pptxHow to assess your Cybersecurity Vulnerability_.pptx
How to assess your Cybersecurity Vulnerability_.pptx
Metaorange
 
A Look at Cyber Insurance -- A Corporate Perspective
A Look at Cyber Insurance -- A Corporate  PerspectiveA Look at Cyber Insurance -- A Corporate  Perspective
A Look at Cyber Insurance -- A Corporate Perspective
Dawn Yankeelov
 

Similar to Cybersecurity Risk Management for Financial Institutions (20)

7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk Management
 
Cyber threat forecast 2018..
Cyber threat forecast 2018..Cyber threat forecast 2018..
Cyber threat forecast 2018..
 
Untitled document.otd
Untitled document.otdUntitled document.otd
Untitled document.otd
 
Mastering Cybersecurity Risk Management: Strategies to Safeguard Your Digital...
Mastering Cybersecurity Risk Management: Strategies to Safeguard Your Digital...Mastering Cybersecurity Risk Management: Strategies to Safeguard Your Digital...
Mastering Cybersecurity Risk Management: Strategies to Safeguard Your Digital...
 
What is cyber security
What is cyber securityWhat is cyber security
What is cyber security
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 
The Security Circle- Services Offered
The Security Circle- Services OfferedThe Security Circle- Services Offered
The Security Circle- Services Offered
 
Importance of Cybersecurity in BFSI Sector in India.pdf
Importance of Cybersecurity in BFSI Sector in India.pdfImportance of Cybersecurity in BFSI Sector in India.pdf
Importance of Cybersecurity in BFSI Sector in India.pdf
 
Department of Homeland Security Guidance
Department of Homeland Security GuidanceDepartment of Homeland Security Guidance
Department of Homeland Security Guidance
 
DHS Guidelines
DHS GuidelinesDHS Guidelines
DHS Guidelines
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber Security
 
Choosing the Right Cybersecurity Services: A Guide for Businesses
Choosing the Right Cybersecurity Services: A Guide for BusinessesChoosing the Right Cybersecurity Services: A Guide for Businesses
Choosing the Right Cybersecurity Services: A Guide for Businesses
 
Strategy considerations for building a security operations center
Strategy considerations for building a security operations centerStrategy considerations for building a security operations center
Strategy considerations for building a security operations center
 
What Not-for-Profits Can Do To Prevent "Uninspired" Theft
What Not-for-Profits Can Do To Prevent "Uninspired" TheftWhat Not-for-Profits Can Do To Prevent "Uninspired" Theft
What Not-for-Profits Can Do To Prevent "Uninspired" Theft
 
How to Establish a Cyber Security Readiness Program
How to Establish a Cyber Security Readiness ProgramHow to Establish a Cyber Security Readiness Program
How to Establish a Cyber Security Readiness Program
 
How to assess your Cybersecurity Vulnerability_.pdf
How to assess your Cybersecurity Vulnerability_.pdfHow to assess your Cybersecurity Vulnerability_.pdf
How to assess your Cybersecurity Vulnerability_.pdf
 
How to assess your Cybersecurity Vulnerability_.pptx
How to assess your Cybersecurity Vulnerability_.pptxHow to assess your Cybersecurity Vulnerability_.pptx
How to assess your Cybersecurity Vulnerability_.pptx
 
A Look at Cyber Insurance -- A Corporate Perspective
A Look at Cyber Insurance -- A Corporate  PerspectiveA Look at Cyber Insurance -- A Corporate  Perspective
A Look at Cyber Insurance -- A Corporate Perspective
 

Recently uploaded

Maximizing Efficiency with Integrated Water Management Systems
Maximizing Efficiency with Integrated Water Management SystemsMaximizing Efficiency with Integrated Water Management Systems
Maximizing Efficiency with Integrated Water Management Systems
Irri Design Studio
 
ANTIVIRUS IS A SOFTWARE|basics protection
ANTIVIRUS IS A SOFTWARE|basics protectionANTIVIRUS IS A SOFTWARE|basics protection
ANTIVIRUS IS A SOFTWARE|basics protection
basicsprotection
 
DOJO Training Center - Empowering Workforce Excellence
DOJO Training Center - Empowering Workforce ExcellenceDOJO Training Center - Empowering Workforce Excellence
DOJO Training Center - Empowering Workforce Excellence
Himanshu
 
Don't Wait Until It's Too Late! 5-Signs Your Garage Door Needs Replacing
Don't Wait Until It's Too Late! 5-Signs Your Garage Door Needs ReplacingDon't Wait Until It's Too Late! 5-Signs Your Garage Door Needs Replacing
Don't Wait Until It's Too Late! 5-Signs Your Garage Door Needs Replacing
CR Garage Doors
 
Courier & Package Tracking System Actually Works
Courier & Package Tracking System Actually WorksCourier & Package Tracking System Actually Works
Courier & Package Tracking System Actually Works
In Targos
 
Reliable Logistics Solutions - Truxcargo
Reliable Logistics Solutions - TruxcargoReliable Logistics Solutions - Truxcargo
Reliable Logistics Solutions - Truxcargo
Truxcargo
 
Colors of Wall Paint and Their Mentally Properties.pptx
Colors of Wall Paint and Their Mentally Properties.pptxColors of Wall Paint and Their Mentally Properties.pptx
Colors of Wall Paint and Their Mentally Properties.pptx
Brendon Jonathan
 
Unlocking Insights: AI-powered Enhanced Due Diligence Strategies for Increase...
Unlocking Insights: AI-powered Enhanced Due Diligence Strategies for Increase...Unlocking Insights: AI-powered Enhanced Due Diligence Strategies for Increase...
Unlocking Insights: AI-powered Enhanced Due Diligence Strategies for Increase...
RNayak3
 
Get your dream bridal look with top North Indian makeup artist - Pallavi Kadale
Get your dream bridal look with top North Indian makeup artist - Pallavi KadaleGet your dream bridal look with top North Indian makeup artist - Pallavi Kadale
Get your dream bridal look with top North Indian makeup artist - Pallavi Kadale
Pallavi Makeup Artist
 
Nature’s Paradise Glamorous And Sustainable Designs For Your Outdoor Living S...
Nature’s Paradise Glamorous And Sustainable Designs For Your Outdoor Living S...Nature’s Paradise Glamorous And Sustainable Designs For Your Outdoor Living S...
Nature’s Paradise Glamorous And Sustainable Designs For Your Outdoor Living S...
Landscape Express
 
Elevate Your Brand with Digital Marketing for Fashion Industry
Elevate Your Brand with Digital Marketing for Fashion IndustryElevate Your Brand with Digital Marketing for Fashion Industry
Elevate Your Brand with Digital Marketing for Fashion Industry
Matebiz Pvt. Ltd
 
Islamabad No 1 Amil Baba In Pakistan amil baba kala ilm.docx
Islamabad No 1 Amil Baba In Pakistan amil baba kala ilm.docxIslamabad No 1 Amil Baba In Pakistan amil baba kala ilm.docx
Islamabad No 1 Amil Baba In Pakistan amil baba kala ilm.docx
amilabibi1
 
BEst VASHIKARAN SPECIALIST 9463629203 in UK Baba ji Love Marriage problem sol...
BEst VASHIKARAN SPECIALIST 9463629203 in UK Baba ji Love Marriage problem sol...BEst VASHIKARAN SPECIALIST 9463629203 in UK Baba ji Love Marriage problem sol...
BEst VASHIKARAN SPECIALIST 9463629203 in UK Baba ji Love Marriage problem sol...
gitapress3
 
Office Business Furnishings | Office Equipment
Office Business Furnishings |  Office EquipmentOffice Business Furnishings |  Office Equipment
Office Business Furnishings | Office Equipment
OFWD
 
Delightful Finds: Unveiling the Power of Gifts Under 100
Delightful Finds: Unveiling the Power of Gifts Under 100Delightful Finds: Unveiling the Power of Gifts Under 100
Delightful Finds: Unveiling the Power of Gifts Under 100
JoyTree Global
 
Chandigarh call garal serives 9512450098
Chandigarh call garal serives 9512450098Chandigarh call garal serives 9512450098
Chandigarh call garal serives 9512450098
Chandigarh export services garal
 
Upvc Bathroom Doors Price and Designs In Kerala
Upvc Bathroom Doors Price and Designs In KeralaUpvc Bathroom Doors Price and Designs In Kerala
Upvc Bathroom Doors Price and Designs In Kerala
bpshafeeque
 
WORK PERMIT IN BULGARIA | Work Visa Services
WORK PERMIT IN BULGARIA | Work Visa ServicesWORK PERMIT IN BULGARIA | Work Visa Services
WORK PERMIT IN BULGARIA | Work Visa Services
RKIMT
 
SECUREX UK FOR SECURITY SERVICES AND MOBILE PATROL
SECUREX UK FOR SECURITY SERVICES AND MOBILE PATROLSECUREX UK FOR SECURITY SERVICES AND MOBILE PATROL
SECUREX UK FOR SECURITY SERVICES AND MOBILE PATROL
securexukweb
 
Earthmovers: Top Earth Moving Equipments
Earthmovers: Top Earth Moving EquipmentsEarthmovers: Top Earth Moving Equipments
Earthmovers: Top Earth Moving Equipments
earthmoverinternatio
 

Recently uploaded (20)

Maximizing Efficiency with Integrated Water Management Systems
Maximizing Efficiency with Integrated Water Management SystemsMaximizing Efficiency with Integrated Water Management Systems
Maximizing Efficiency with Integrated Water Management Systems
 
ANTIVIRUS IS A SOFTWARE|basics protection
ANTIVIRUS IS A SOFTWARE|basics protectionANTIVIRUS IS A SOFTWARE|basics protection
ANTIVIRUS IS A SOFTWARE|basics protection
 
DOJO Training Center - Empowering Workforce Excellence
DOJO Training Center - Empowering Workforce ExcellenceDOJO Training Center - Empowering Workforce Excellence
DOJO Training Center - Empowering Workforce Excellence
 
Don't Wait Until It's Too Late! 5-Signs Your Garage Door Needs Replacing
Don't Wait Until It's Too Late! 5-Signs Your Garage Door Needs ReplacingDon't Wait Until It's Too Late! 5-Signs Your Garage Door Needs Replacing
Don't Wait Until It's Too Late! 5-Signs Your Garage Door Needs Replacing
 
Courier & Package Tracking System Actually Works
Courier & Package Tracking System Actually WorksCourier & Package Tracking System Actually Works
Courier & Package Tracking System Actually Works
 
Reliable Logistics Solutions - Truxcargo
Reliable Logistics Solutions - TruxcargoReliable Logistics Solutions - Truxcargo
Reliable Logistics Solutions - Truxcargo
 
Colors of Wall Paint and Their Mentally Properties.pptx
Colors of Wall Paint and Their Mentally Properties.pptxColors of Wall Paint and Their Mentally Properties.pptx
Colors of Wall Paint and Their Mentally Properties.pptx
 
Unlocking Insights: AI-powered Enhanced Due Diligence Strategies for Increase...
Unlocking Insights: AI-powered Enhanced Due Diligence Strategies for Increase...Unlocking Insights: AI-powered Enhanced Due Diligence Strategies for Increase...
Unlocking Insights: AI-powered Enhanced Due Diligence Strategies for Increase...
 
Get your dream bridal look with top North Indian makeup artist - Pallavi Kadale
Get your dream bridal look with top North Indian makeup artist - Pallavi KadaleGet your dream bridal look with top North Indian makeup artist - Pallavi Kadale
Get your dream bridal look with top North Indian makeup artist - Pallavi Kadale
 
Nature’s Paradise Glamorous And Sustainable Designs For Your Outdoor Living S...
Nature’s Paradise Glamorous And Sustainable Designs For Your Outdoor Living S...Nature’s Paradise Glamorous And Sustainable Designs For Your Outdoor Living S...
Nature’s Paradise Glamorous And Sustainable Designs For Your Outdoor Living S...
 
Elevate Your Brand with Digital Marketing for Fashion Industry
Elevate Your Brand with Digital Marketing for Fashion IndustryElevate Your Brand with Digital Marketing for Fashion Industry
Elevate Your Brand with Digital Marketing for Fashion Industry
 
Islamabad No 1 Amil Baba In Pakistan amil baba kala ilm.docx
Islamabad No 1 Amil Baba In Pakistan amil baba kala ilm.docxIslamabad No 1 Amil Baba In Pakistan amil baba kala ilm.docx
Islamabad No 1 Amil Baba In Pakistan amil baba kala ilm.docx
 
BEst VASHIKARAN SPECIALIST 9463629203 in UK Baba ji Love Marriage problem sol...
BEst VASHIKARAN SPECIALIST 9463629203 in UK Baba ji Love Marriage problem sol...BEst VASHIKARAN SPECIALIST 9463629203 in UK Baba ji Love Marriage problem sol...
BEst VASHIKARAN SPECIALIST 9463629203 in UK Baba ji Love Marriage problem sol...
 
Office Business Furnishings | Office Equipment
Office Business Furnishings |  Office EquipmentOffice Business Furnishings |  Office Equipment
Office Business Furnishings | Office Equipment
 
Delightful Finds: Unveiling the Power of Gifts Under 100
Delightful Finds: Unveiling the Power of Gifts Under 100Delightful Finds: Unveiling the Power of Gifts Under 100
Delightful Finds: Unveiling the Power of Gifts Under 100
 
Chandigarh call garal serives 9512450098
Chandigarh call garal serives 9512450098Chandigarh call garal serives 9512450098
Chandigarh call garal serives 9512450098
 
Upvc Bathroom Doors Price and Designs In Kerala
Upvc Bathroom Doors Price and Designs In KeralaUpvc Bathroom Doors Price and Designs In Kerala
Upvc Bathroom Doors Price and Designs In Kerala
 
WORK PERMIT IN BULGARIA | Work Visa Services
WORK PERMIT IN BULGARIA | Work Visa ServicesWORK PERMIT IN BULGARIA | Work Visa Services
WORK PERMIT IN BULGARIA | Work Visa Services
 
SECUREX UK FOR SECURITY SERVICES AND MOBILE PATROL
SECUREX UK FOR SECURITY SERVICES AND MOBILE PATROLSECUREX UK FOR SECURITY SERVICES AND MOBILE PATROL
SECUREX UK FOR SECURITY SERVICES AND MOBILE PATROL
 
Earthmovers: Top Earth Moving Equipments
Earthmovers: Top Earth Moving EquipmentsEarthmovers: Top Earth Moving Equipments
Earthmovers: Top Earth Moving Equipments
 

Cybersecurity Risk Management for Financial Institutions

  • 1. Cybersecurity Risk Management for Financial Institutions RISK CONSULTING AND INSURANCE SERVICES
  • 2. Cyber and Data Risks for Financial Institutions: “The persistent threat of internet attacks is a societal issue facing all industries, especially the Financial Services industry. Once largely considered an IT problem, the rise in frequency and sophistication of cyber-attacks now requires a shift in thinking on the part of Bank CEOs that management of a Bank’s Cybersecurity Risk is not simply an IT issue, but a CEO and Board of Directors issue.” SOURCE: Conference of State Bank Supervisors, Cybersecurity 101 Resource Guide
  • 3. Why is cyber risk a top concern? Cyber crime is exploding. Regulatory compliance, stakeholder concerns, liability, litigation, business interruption, reputation . . . there’s a lot to manage and a lot at stake.
  • 4. Cyber and Data Risks for Financial Institutions. In 2016, 88% of security attacks in the finance industry fell into three categories:
      - 48% Web Application Attacks (14% in 2014): Hackers find and exploit application vulnerabilities, often content management systems (CMS) or e-commerce platforms.
      - 34% Denial-of-Service (32% in 2014): A denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users. Ransomware falls in this category.
      - 6% Crimeware (not ranked in 2014): Use of a physical “skimmer” on an ATM, point-of-sale (POS) terminal or gas pump to read the data on your card’s magnetic strip as you pay.
    SOURCE: Verizon 2016 Data Breach Investigations Report - Financial Services
    (Chart legend: All Industries; Financial Services)
  • 5. Data Breach in Dollars. Cost (US companies):
      - $7.01M = average total cost of a data breach
      - $221 = average cost paid per compromised (lost or stolen) record*
      - 29,611 = the average number of breached records per incident
      - $3.97M = cost of lost business ($3.72 in 2015)
    Mean Time to Identify (MTTI) and Mean Time to Contain (MTTC) metrics:
      - $5.83M when MTTI < 100 days
      - $8.01M when MTTI > 100 days
      - $5.24M when MTTC < 30 days
      - $8.85M when MTTC > 30 days
    SOURCE: IBM Global Technology Services – Special Report from Ponemon Institute, LLC – 2016 Cost of Data Breach Study: Global Analysis
    *“Record” = Information that identifies the natural person (individual) whose information has been lost or stolen in a data breach
  • 6. Cyber risk is clear. The question is, what is the best approach for your institution? We recommend a holistic approach to risk – one that identifies vulnerability, establishes internal controls, implements IT barriers, mitigates the risk with a cyber-specific insurance program, and includes a recovery plan. CBIZ Cyber Service Teams include financial, risk, IT and insurance professionals who work with clients from multiple perspectives to develop a comprehensive protection plan customized to your industry compliance requirements and your organizational needs. A HOLISTIC approach includes Cyber Risk Management (CBIZ Financial Risk & Advisory Consulting) and Cyber Risk Mitigation (CBIZ Bank Insurance Program).
  • 7. Cyber Risk Management (CBIZ Risk & Advisory Services). Business risks abound in today's world. The rise of sophisticated data breaches coupled with the increased demands on organizational leaders make robust risk management policies essential. CBIZ Risk & Advisory experts work closely with you to understand the full scale of your cyber risk, starting with your industry’s unique risk factors and working down to the specific security policies you have in place. CBIZ can help you design or improve existing documented policies, procedures and controls and can review existing device configurations. CBIZ risk consulting assesses and manages the full spectrum of cyber risk. For example:
      - Security Program Review / Development / Remediation
      - Infrastructure Design / Assessment / Remediation
      - Penetration Testing
      - Vulnerability Assessments
      - Web Application / Web Services Assessments
      - Mobile Application Assessments
      - Social Engineering and Facility Breach Exercises
      - IT Risk Assessments / IT Audit and Compliance Engagements
      - Incident Response
      - Digital Forensics / Litigation Support
      - Service Organization Control (SOC) Reporting
  • 8. The best defense is a good offense. Having a proactive, robust plan in place can help minimize the potential damage from a breach and get your organization back on track more quickly in the wake of a disruptive event. The first step is assessment. Keys to Cyber Risk Management (CBIZ Risk & Advisory Services): Identify, Protect, Detect, Respond, Recover.
      - IDENTIFY internal and external cyber risks – Risk Assessment to identify threats/vulnerabilities, measure/communicate risk.
      - PROTECT organizational systems, assets and data – Internal Controls, Staff Training, Data Security, Insurance.
      - DETECT system intrusions, data breaches and unauthorized access – System Monitoring reinforces Protection.
      - RESPOND to a potential cybersecurity event – Have a structure in place and routinely audit the Incident Response Plan.
      - RECOVER from a cybersecurity event by restoring normal operations and services – Disaster recovery can be built into insurance coverage.
  • 9. Quick Preparedness Assessment (CBIZ Risk & Advisory Services). Important first step: Help your organization quickly assess how prepared you are to face cyber crime. 12 Yes/No Questions. Rankings: 1. Beginner, 2. Intermediate, 3. Advanced, 4. Proficient. If an organization ranks Beginner or Intermediate, a more in-depth evaluation is recommended.
  • 10. Cyber Risk Management (CBIZ Risk & Advisory Services): Insights & Resources
      - The Risk Advisor - Volume 4 (newsletter)
      - Lessons Learned from Cyber Incidents in 2016 (article)
      - 3 Strategies to Reduce the Risk of Cyber-Attacks (article)
      - Three questions every board should ask about enterprise risks (blog)
      - 7 Ways to Strengthen Cybersecurity: Questions to Ask About Third-Party Providers (article)
      - Why Would an Accounting Firm Go Diving in Your Bank’s Trash Dumpster? (podcast)
  • 11. Cyber Risk Mitigation (CBIZ Insurance Services). As cyber threats have grown in scope and impact, cyber insurance has become a key feature of an enterprise-wide cyber risk management strategy. Risk transfer through cyber insurance bolsters customer and business partner confidence and supports industry expectations that a cyber risk strategy is implemented. CBIZ Insurance Services examines your risks, measures their potential impact and recommends appropriate coverage and strategies to manage or mitigate the risks. Four reasons you need cyber coverage:
      01. INCREASINGLY STRINGENT LAWS AND REGULATIONS – Failure to comply places your operations and reputation at enormous risk.
      02. TECHNOLOGICAL ADVANCES have made it easier to store, transport, steal and lose sensitive information.
      03. OUTSOURCING – You bear the burden of any privacy breach stemming from outsourced operations such as entrusting outside contractors to handle sensitive data.
      04. USER ERROR – All too common exposure can result from simply copying records to the wrong file, revealing personal identification information via batch email communications, or forgetting to shred confidential information.
  • 12. Cyber can’t be a “footnote” to general P&C. When an incident is suffered, INSURANCE provides the bank the funds to quickly respond and recover. Most carriers now exclude most cyber risks from their P&C, Bond, D&O and E&O policies. Coverage may not even be offered unless protections and protocols are in place. The first step in mitigation is comprehensive risk and policy review. Cyber Risk Mitigation Program (CBIZ Insurance Services): Identify, Protect, Customize, Ensure, Review.
      - IDENTIFY your cyber risk exposures and perform an in-depth insurance policy review for proper coverages.
      - PROTECT your institution by working with insurance advisors experienced in the Banking and Financial Services sector.
      - CUSTOMIZE your coverage areas to include bank buildings, property, crime bond (wire transfers, debit card fraud), directors and officers insurance (board oversight liability) and all-inclusive cyber coverage.
      - ENSURE your cyber coverage includes cyber liability, data breach, regulatory claims, social media and website issues, cyber extortion, business interruption.
      - REVIEW your cyber risk exposures and insurance coverages with your Insurance Program advisor.
  • 13. Insurance Policy Review (CBIZ Insurance Services). Bank insurance policies (particularly Directors and Officers insurance and Cyber insurance) are not standard. Policy language and required procedures embedded within the policy can expose an organization or individual to under-insured or uninsured risk. That’s why, as a first step, it’s critical to assess your current coverage and compare it with your analyzed risks. You also want to make sure cyber, crime bond and D&O policies work together, not in opposition to each other.
  • 14. Cyber Risk Mitigation (CBIZ Insurance Services): Insights & Resources
      - Banking & Financial Services Quarterly Hot Topics (e-newsletter)
      - Cyber Risk – No Longer Simply an “IT” Issue (article)
      - Cyber Liability Insurance FAQ (article)
      - Biz Tips: Key Issues in Bank Insurance Today (podcast)
      - How the CBIZ Bank Insurance Program Can Help Your Business (videocast)
      - CBIZ Cyber Risk Management Expert: Effective Solutions for Banks (article + podcast)
  • 15. Case Studies
    - Faulty Banking Scam
    - Email Breach
    - Online Banking
    - Data Breach
    - Data Breach – Board Litigation
    - Business Interruption
    - Ransomware
  • 16. Case Study: Company Loses $400,000+ in Faulty Banking Scam
    Issue: The Company used an international Supplier for weekly material shipments that were released upon payment. A request was received from Supplier to send payments to a new bank. The request appeared standard because the Supplier often changed banks.
    The Attack: Hackers accessed the Supplier email system and learned about the payment process. Posing as the Supplier, hackers sent an email instructing the Company to send payments to another bank. $400,000+ in Supplier payments were sent to the wrong bank.
    Key Findings: Because the Company always paid, the Supplier continued to release materials. Because the Company received material, they did not realize the Supplier was not receiving their payments. Hackers intercepted delinquent payment inquiry emails from the Supplier to the Company.
    Lessons Learned: Any information can be valuable in the wrong hands. Internal controls are essential to effective operations. DO NOT rely on email alone to communicate with your key vendors.
  • 17. Case Study: Email Breach Provides Access to Payroll and PII Data
    Issue: Company relied on a commonly used email system. Cybersecurity and social engineering training and awareness programs were not in place.
    The Attack: Hackers bypassed network security and compromised the corporate email server. The hackers gained access to an email containing an attached payroll file.
    Key Findings: The hackers set up specific rules to forward emails meeting certain criteria to an external email address. Emails were still being received by the intended recipient, so neither the sending parties nor the receiving parties had any knowledge of the interception.
    Lessons Learned: Data and intellectual property are NOT always the hacker’s target. A current, actionable and efficient incident response plan is critical to responding to a breach. TEST REGULARLY! Internal controls are essential to effective operations.
  • 18. Case Study: Online Banking
    Issue – Stolen User Name and Password: Attackers stole the username and password to a client's online bank account and used the credentials to transfer $440,000 to an account in Cyprus. Client alleges that the bank failed to implement commercially reasonable security measures as defined in the Funds Transfer Act provisions of the UCC.
    Prevention – Best Practices / Insurance:
    - Bank provides clients with documentable training and training materials.
    - Encourage the client to require two people to initiate a transfer.
    - Encourage the client to set a daily limit.
    - Bank implements dual factor authentication.
    - Bank requires call back prior to initiating transfer over.
    - Make sure that Computer Crime is included in the bond and that it includes any theft where the Bank is held liable.
    - Procedure should require a banker to call back the customer at a preassigned phone number prior to initiating a transfer over $25,000.
  • 19. Case Study: Data Breach via Theft or Loss of Devices/Media
    Prevention Practices: Ensure proper physical security of electronic and physical restricted data:
    - Lock down workstations and laptops
    - Secure work area, files, laptops and portable equipment before leaving
    - Shred sensitive paper records
    - Don’t leave sensitive information lying around unprotected (on printers, fax machines) or visible (computer, electronic devices, car or home)
    - Use security measures for portable devices and laptops, both encryption and physical security
    - Delete personal identity information and other restricted data when it is no longer needed
    - Be prepared with a data breach disaster plan
    - Provide employee training
    - Audit regularly to test your plan and program
    - Implement software to remotely wipe data on mobile devices
    - Conduct regular vulnerability risk assessment
    - Vet any vendor that has access to data
    Insurance:
    - A cyber liability policy will typically provide coverage for the costs associated with a breach as well as associated lawsuits.
    - The bank’s property policy will provide coverage for the theft of the physical equipment.
    - Recommendations:
      - Consider a cyber liability policy that includes Data Breach services and not solely a coverage limit
      - Make sure the cyber liability policy includes coverage for lost data by a bank vendor
      - Check the cyber liability policy for procedure requirements to maintain coverage
      - Make sure that the loss of paper personal data is covered in addition to electronic data
      - Make sure that both intentional and accidental breaches of data are covered
  • 20. Case Study: Data Breach – Board Litigation
    Issue: Recent high-profile attacks on big name brands have triggered lawsuits naming individual Directors. Shareholders, customers and vendors are pursuing legal recourse against executives for breaching the fiduciary duty to manage cyber risk.
    Prevention Practices:
    - Add Cybersecurity Briefing as a regular board agenda item.
    - Provide Cyber Risk education and training for Officers and Directors.
    - Create a record of the Board’s involvement in cyber risk management and training.
    - The board should understand related regulations, including the state data breach notification laws.
    - Board should annually approve the Cyber Risk Management Plan.
    Insurance:
    - Most Directors and Officers (D&O) policies cover litigation against directors and officers relating to breach of cyber fiduciary duties.
    - Because of the increased frequency of events and growing cost of cyber incidents, some carriers are starting to exclude this coverage. Verify that the D&O policy does not exclude litigation relating to a data breach.
    - Some Cyber Liability policies include coverage for Directors and Officers relating to breach of cyber fiduciary duties.
  • 21. Case Study: Business Interruption
    Issue – Hackers Exploit Flaws: Hackers are exploiting flaws in computer systems, crippling the performance of normal business operations. The attacks include malicious code and denial of service that may make your website, applications and processes unusable to employees and customers alike. Viruses, worms or other code may delete critical information on hard drives and other hardware. Further, financial institutions can suffer business interruption from third-party vendors upon whom they rely to perform daily business.
    Prevention – Best Practices:
    - Create a formal program – Begin by capturing all systems used by the organization based on their functions, processes and the data they store.
    - Document a risk management program that addresses the scope, roles, responsibilities, compliance criteria and methodology for performing cyber risk assessments.
    - Include employee education and limit employee access and authority to an as-needed basis.
    - Integrate your Incident Response Plans with Business Continuity / Disaster Recovery Plans.
    - Train and test everyone on their role and responsibilities in Incident Response, Business Continuity and Disaster Recovery.
    Insurance: Proper coverage will include lost income due to the event:
    - Profits that would have been earned had the event not occurred
    - Operating expenses, such as utilities, that must be paid even though business temporarily ceased
    - Rented or leased equipment
  • 22. Case Study: Ransomware
    Issue – Phishing Scam: Hackers access a computer system, often using a phishing scam that tricks employees into opening a document or clicking on a bad link, which then infects the system with malicious software that uses encryption algorithms to lock up the data. In order to regain access to their encrypted files, companies must pay ransom. “If you don’t pay the $20,000 ransom within 72 hours, your data will be gone forever.”
    Prevention – Best Practices:
    - Frequent backups of data.
    - Employee training regarding clicking links or opening documents.
    - Consider network segmentation to minimize the spread of ransomware should your organization become infected.
    Insurance:
    - Extortion coverage is an option in most cyber policies. Since these demands tend to be relatively modest amounts, the deductible should be watched. Some Kidnap and Ransom coverage includes Electronic Extortion.
    - The carrier needs to agree before a ransom is paid.
    - Do not disclose that you have insurance.
  • 23. Client Feedback
    “Crown Castle initially engaged CBIZ to classify our data and create a risk taxonomy before beginning red team exercises. The collaboration with our staff and reporting of real-time results throughout the duration of our engagement has allowed Crown Castle to recognize the benefits of these services immediately. Their best practice recommendations and hands-on approach have helped our company strengthen its security infrastructure.”
    Tom Keaton, Internal Audit Manager, Crown Castle International
  • 24. CBIZ Cyber Team Serving Financial Institutions
    Practice Leaders:
    - Chris Roach, Managing Director & National IT Leader, CBIZ Risk & Advisory Services
    - Kris St. Martin, Vice President & Bank Program Director, CBIZ Insurance Services
  • 25. CBIZ Cyber Team for Financial Institutions: Practice Leaders
    KRIS ST. MARTIN, Vice President and Bank Program Director, CBIZ Insurance Services. Kris has more than 23 years of direct bank experience in audit, procedures, IT security, lending and board training. Kris has held many positions in the banking industry in security, including Senior Lending Officer, President, CEO and Board Chair. Kris has been providing risk mitigation services to the financial industry since 2009 including cyber, directors & officers and crime bond insurance. 763.549.2267 | kstmartin@cbiz.com
    CHRIS ROACH, Managing Director and National IT Practice Leader, CBIZ Risk & Advisory Services. Chris has extensive experience in information technology, risk management, business management and using technology to mitigate business risks. He consults for both public and privately held companies. Chris holds certifications as Certified Information Security Manager (CISM) and Certified in Risk and Information Systems Controls (CRISC). He is a former IT Risk Partner at KPMG. 713.871.1118 | croach@cbiz.com
  • 26. CBIZ Cyber Team for Financial Institutions: Subject Matter Experts
    W. REMONDE BRANGMAN, Practice Leader, Vendor Risk Management, CBIZ Risk & Advisory Services. Remonde has more than 35 years experience in governance, risk management, internal audit, ISO 31000, ISO 27000 (information security management), vendor risk, fraud investigation and forensic accounting. Remonde is a former chief audit executive of a $10 Billion Global Bank. He has served Fortune 100 companies as well as local, state, federal and foreign government entities. 240.396.1063 | rbrangman@cbiz.com
    DAMIAN CARACCIOLO, Vice President, Executive Protection Practice, CBIZ Insurance Services. Damian has more than 25 years experience in executive and business management liability lines, including cyber liability (network security and privacy), commercial crime and kidnap, ransom and extortion. Damian has held several management positions with a Fortune 500 company. In addition, his broad background brings expertise in International Risks, Labor Organization, Commercial and Construction Surety bonding. 443.472.8096 | dcaracciolo@cbiz.com
  • 27. CBIZ Banking & Financial Services Newsletter
    Check out the issue archive online. Four to six interesting articles each issue.
    Executive Committee:
    - KRIS ST. MARTIN – Vice President, Bank Program Director, CBIZ Insurance Services
    - CHRIS ROACH – Managing Director and National IT Practice Leader, CBIZ Risk & Advisory Services
    - W. REMONDE BRANGMAN – Director and National Practice Leader, Vendor Risk Management, CBIZ Risk & Advisory Services
    - JAKE McDONALD – Senior Manager, Credit Risk Advisory, CBIZ MHM, LLC
    - TODD GORDON – Vice President of Sales, CBIZ Benefits & Insurance
    - JAY MESCHKE – President, EFL Associates & CBIZ Human Capital Service
    - KEVIN NUSSBAUM – Vice President of Client Development, CBIZ, Inc.
  • 28. Questions
    Our cyber risk team will be happy to take your call or respond to your email. Feel free to contact our Practice Leaders with any questions you may have. To learn more about CBIZ, we invite you to visit www.cbiz.com. Connect with us on LinkedIn.
    - Kris St. Martin, CBIZ Bank Insurance
    - Chris Roach, CBIZ Risk & Advisory
    - Remonde Brangman, Vendor Risk
    - Damian Caracciolo, Executive Risk