Cybersecurity Risk Management for Financial Institutions

Transcript of Cybersecurity Risk Management for Financial Institutions

RISK CONSULTING AND INSURANCE SERVICES

CYBERSECURITY RISK MANAGEMENT FOR FINANCIAL INSTITUTIONS 2

Cyber and Data Risks for Financial Institutions

“The persistent threat of internet attacks is a societal issue facing all industries, especially the Financial Services industry.

Once largely considered an IT problem, the rise in frequency and sophistication of cyber-attacks now requires a shift in thinking on the part of Bank CEOs that management of a Bank’s Cybersecurity Risk is not simply an IT issue, but a CEO and Board of Directors issue.”

SOURCE: Conference of State Bank Supervisors, Cybersecurity 101 Resource Guide


Why is cyber risk a top concern?

Cyber crime is exploding. Regulatory compliance, stakeholder concerns, liability, litigation, business interruption, reputation . . . there’s a lot to manage and a lot at stake.


Cyber and Data Risks for Financial Institutions


In 2016, 88% of security attacks in the finance industry fell into three categories:

48% Web Application Attacks (14% in 2014)

Hackers find and exploit application vulnerabilities, often content management systems (CMS) or e-commerce platforms.

34% Denial-of-Service (32% in 2014)

A denial-of-service (DoS) attack floods a machine or network resource so that it is unavailable to its intended users. For a bank this usually means online banking portals and payment interfaces knocked offline rather than data stolen; ransomware is not a DoS attack but falls under crimeware below.

6% Crimeware (not ranked in 2014)

Malware that does not fit another attack pattern, including ransomware and banking trojans delivered by phishing or drive-by downloads. Physical “skimmers” on ATMs, point-of-sale (POS) terminals and gas pumps that read a card’s magnetic stripe are tracked by Verizon as a separate payment card skimmer pattern, not as crimeware.

SOURCE: Verizon 2016 Data Breach Investigations Report - Financial Services

[Chart: attack categories, All Industries vs. Financial Services]


Data Breach in Dollars

Cost (US companies):

$7.01M = average total cost of a data breach

$221 = average cost paid per compromised (lost or stolen) record*

29,611 = the average number of breached records per incident

$3.97M = cost of lost business ($3.72M in 2015)

Mean Time to Identify (MTTI) and Mean Time to Contain (MTTC) drive the total cost:

$5.83M average total cost when MTTI < 100 days
$8.01M when MTTI > 100 days
$5.24M when MTTC < 30 days
$8.85M when MTTC > 30 days

SOURCE: IBM Global Technology Services – Special Report from Ponemon Institute, LLC – 2016 Cost of Data Breach Study: Global Analysis. *“Record” = information that identifies the natural person (individual) whose information has been lost or stolen in a data breach.


Cyber risk is clear. The question is, what is the best approach for your institution?

We recommend a holistic approach to risk – one that identifies vulnerability, establishes internal controls, implements IT barriers, mitigates the risk with a cyber-specific insurance program, and includes a recovery plan.

CBIZ Cyber Service Teams include financial, risk, IT and insurance professionals who work with clients from multiple perspectives to develop a comprehensive protection plan customized to your industry compliance requirements and your organizational needs.

A HOLISTIC approach includes Cyber Risk Management (CBIZ Financial Risk & Advisory Consulting) and Cyber Risk Mitigation (CBIZ Bank Insurance Program).


Cyber Risk Management CBIZ Risk & Advisory Services

Business risks abound in today's world. The rise of sophisticated data breaches coupled with the increased demands on organizational leaders make robust risk management policies essential.

CBIZ Risk & Advisory experts work closely with you to understand the full scale of your cyber risk, starting with your industry’s unique risk factors and working down to the specific security policies you have in place.

CBIZ can help you design or improve existing documented policies, procedures and controls and can review existing device configurations.

CBIZ risk consulting assesses and manages the full spectrum of cyber risk. For example:

Security Program Review / Development / Remediation
Infrastructure Design / Assessment / Remediation
Penetration Testing
Vulnerability Assessments
Web Application / Web Services Assessments
Mobile Application Assessments
Social Engineering and Facility Breach Exercises
IT Risk Assessments / IT Audit and Compliance Engagements
Incident Response
Digital Forensics / Litigation Support
Service Organization Control (SOC) Reporting


The best defense is a good offense.

Having a proactive, robust plan in place can help minimize the potential damage from a breach and get your organization back on track more quickly in the wake of a disruptive event.

The first step is assessment.

Keys to Cyber Risk Management CBIZ Risk & Advisory Services

Identify

Protect

Detect

Respond

Recover

These are the five functions of the NIST Cybersecurity Framework.

IDENTIFY internal and external cyber risks – Risk Assessment to identify threats/vulnerabilities, measure/communicate risk.

PROTECT organizational systems, assets and data – Internal Controls, Staff Training, Data Security, Insurance.

DETECT system intrusions, data breaches and unauthorized access – System Monitoring reinforces Protection.

RESPOND to a potential cybersecurity event – Have a structure in place and routinely test the Incident Response Plan.

RECOVER from a cybersecurity event by restoring normal operations and services – Disaster recovery costs can be built into insurance coverage.


Important first step: Help your organization quickly assess how prepared you are to face cyber crime

12 Yes/No Questions

Rankings: 1. Beginner 2. Intermediate 3. Advanced 4. Proficient

If an organization ranks Beginner or Intermediate, a more in-depth evaluation is recommended.


Quick Preparedness Assessment CBIZ Risk & Advisory Services

Click for downloadable copy


Cyber Risk Management CBIZ Risk & Advisory Services

Insights & Resources

The Risk Advisor - Volume 4 (newsletter)

Lessons Learned from Cyber Incidents in 2016 (article)

3 Strategies to Reduce the Risk of Cyber-Attacks (article)

Three questions every board should ask about enterprise risks (blog)

7 Ways to Strengthen Cybersecurity: Questions to Ask About Third-Party Providers (article)

Why Would an Accounting Firm Go Diving in Your Bank’s Trash Dumpster? (podcast)


As cyber threats have grown in scope and impact, cyber insurance has become a key feature of an enterprise-wide cyber risk management strategy.

Risk transfer through cyber insurance bolsters customer and business partner confidence and supports industry expectations that a cyber risk strategy is implemented.

CBIZ Insurance Services examines your risks, measures their potential impact and recommends appropriate coverage and strategies to manage or mitigate the risks.

Cyber Risk Mitigation CBIZ Insurance Services


Four reasons you need cyber coverage:


INCREASINGLY STRINGENT LAWS AND REGULATIONS – Failure to comply places your operations and reputation at enormous risk.

TECHNOLOGICAL ADVANCES have made it easier to store, transport, steal and lose sensitive information.

OUTSOURCING – You bear the burden of any privacy breach stemming from outsourced operations such as entrusting outside contractors to handle sensitive data.

USER ERROR – An all too common exposure can result from simply copying records to the wrong file, revealing personally identifiable information via batch email communications, or forgetting to shred confidential information.


Cyber can’t be a “footnote” to general P&C. When an incident is suffered, INSURANCE provides the bank the funds to quickly respond and recover.

Most carriers now exclude most cyber risks from their P&C, Bond, D&O and E&O policies.

Coverage may not even be offered unless protections and protocols are in place.

The first step in mitigation is comprehensive risk and policy review.

Cyber Risk Mitigation Program CBIZ Insurance Services

Identify

Protect

Customize

Ensure

Review

IDENTIFY your cyber risk exposures and perform an in-depth insurance policy review for proper coverages.

PROTECT your institution by working with insurance advisors experienced in the Banking and Financial Services sector.

CUSTOMIZE your coverage areas to include bank buildings, property, crime bond (wire transfers, debit card fraud), directors and officers insurance (board oversight liability) and all-inclusive cyber coverage.

ENSURE your cyber coverage includes cyber liability, data breach, regulatory claims, social media and website issues, cyber extortion, business interruption.

REVIEW your cyber risk exposures and insurance coverages with your Insurance Program advisor.


Bank insurance policies (particularly Directors and Officers insurance and Cyber insurance) are not standard.

Policy language and required procedures embedded within the policy can expose an organization or individual to under-insured or uninsured risk.

That’s why, as a first step, it’s critical to assess your current coverage and compare it with your analyzed risks.

You also want to make sure cyber, crime bond and D&O policies work together, not in opposition to each other.

Insurance Policy Review CBIZ Insurance Services


Cyber Risk Mitigation CBIZ Insurance Services

Insights & Resources

Banking & Financial Services Quarterly Hot Topics (e-newsletter)

Cyber Risk – No Longer Simply an “IT” Issue (article)

Cyber Liability Insurance FAQ (article)

Biz Tips: Key Issues in Bank Insurance Today (podcast)

How the CBIZ Bank Insurance Program Can Help Your Business (videocast)

CBIZ Cyber Risk Management Expert: Effective Solutions for Banks (article + podcast)


CASE STUDIES

Faulty Banking Scam
Email Breach
Online Banking
Data Breach
Data Breach – Board Litigation
Business Interruption
Ransomware


Case Study: Company Loses $400,000+ in Faulty Banking Scam

Issue

The Company used an international Supplier for weekly material shipments that were released upon payment. A request was received from the Supplier to send payments to a new bank. The request appeared routine because the Supplier often changed banks.

The Attack

Hackers accessed the Supplier’s email system and learned about the payment process. Posing as the Supplier, the hackers sent an email instructing the Company to send payments to another bank. $400,000+ in Supplier payments were sent to the attackers’ bank account.

Key Findings

Because the Company always paid, the Supplier continued to release materials. Because the Company kept receiving material, it did not realize the Supplier was not receiving the payments. The hackers also intercepted the Supplier’s delinquent-payment inquiry emails to the Company, so neither side saw the discrepancy.

Lessons Learned

Any information can be valuable in the wrong hands. Internal controls are essential to effective operations. DO NOT rely on email alone to communicate with your key vendors; confirm any change of payment details by calling the vendor back at a number you already have on file, never one supplied in the request.


Case Study: Email Breach Provides Access to Payroll and PII Data

Issue

The Company relied on a commonly used email system. Cybersecurity and social engineering training and awareness programs were not in place.

The Attack

Hackers bypassed network security and compromised the corporate email server. The hackers gained access to an email containing an attached payroll file.

Key Findings

The hackers set up mailbox rules to forward emails meeting certain criteria to an external email address. The emails were still delivered to the intended recipient, so neither the sending parties nor the receiving parties had any knowledge of the interception.

Lessons Learned

Data and intellectual property are NOT always the hacker’s only target; a mailbox itself is a foothold for payment fraud. A current, actionable and efficient incident response plan is critical to responding to a breach. TEST REGULARLY! Internal controls are essential to effective operations, and auditing mailbox forwarding rules is one of the cheapest.
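The silent-forwarding trick in this case study (a rule that copies mail to an outside address while the victim still receives it) is easy to detect if mailbox rules are exported and audited. The following is an added example, not code from the CBIZ deck: it runs a small detector over a constructed rule export. The JSON shape, the internal domain list, the keyword list and the sample rules are all assumptions; a real Exchange Online or Gmail export uses different field names, so the loader would need adapting.

```python
"""Audit exported mailbox inbox rules for the silent-forwarding pattern.

Added example, not code from the CBIZ deck. Assumes a rule export in the
simple JSON shape constructed below and a list of the bank's own domains.
"""
import json
from typing import Dict, List

# Assumption: the institution's own mail domains; anything else is "external".
INTERNAL_DOMAINS = {"example-bank.com"}

# Keywords an attacker after payments or payroll typically filters on.
FINANCE_KEYWORDS = {"payroll", "w-2", "wire", "invoice", "payment", "ach", "remittance"}

# Folders attackers use to park mail where the user will not look.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "archive", "junk email"}

# Constructed sample export: four rules across two mailboxes.
SAMPLE_RULES_JSON = json.dumps([
    {"mailbox": "cfo@example-bank.com", "name": "Payroll exfil",
     "subject_contains": ["payroll", "W-2"],
     "forward_to": ["finance.backup@mail.example.net"],
     "mark_as_read": True, "move_to_folder": None},
    {"mailbox": "cfo@example-bank.com", "name": "Team distribution",
     "subject_contains": ["status"],
     "forward_to": ["ops-team@example-bank.com"],
     "mark_as_read": False, "move_to_folder": None},
    {"mailbox": "ap@example-bank.com", "name": "Cleanup",
     "subject_contains": ["wire", "invoice"],
     "forward_to": [],
     "mark_as_read": True, "move_to_folder": "RSS Subscriptions"},
    {"mailbox": "ap@example-bank.com", "name": "Newsletter filter",
     "subject_contains": ["newsletter"],
     "forward_to": [],
     "mark_as_read": True, "move_to_folder": "Newsletters"},
])


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def rule_findings(rule: Dict, internal_domains=INTERNAL_DOMAINS) -> List[str]:
    """Return the reasons one rule looks like interception; empty list if clean."""
    reasons = []
    external = [a for a in rule.get("forward_to", []) if _domain(a) not in internal_domains]
    if external:
        reasons.append("forwards to external address(es): " + ", ".join(external))

    keywords = {k.lower() for k in rule.get("subject_contains", [])}
    finance_hits = sorted(keywords & FINANCE_KEYWORDS)
    folder = (rule.get("move_to_folder") or "").lower()
    hides = bool(rule.get("mark_as_read", False)) or folder in HIDING_FOLDERS

    # Filtering finance traffic AND hiding it is suspicious even without forwarding:
    # the attacker can read the parked mail directly with the stolen credentials.
    if finance_hits and hides:
        reasons.append("filters finance keywords %s and hides matches (mark read / folder %r)"
                       % (finance_hits, rule.get("move_to_folder")))
    return reasons


def audit_rules(export_json: str, internal_domains=INTERNAL_DOMAINS) -> List[Dict]:
    """Run rule_findings over a whole export and return only the flagged rules."""
    findings = []
    for rule in json.loads(export_json):
        reasons = rule_findings(rule, internal_domains)
        if reasons:
            findings.append({"mailbox": rule["mailbox"], "rule": rule["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES_JSON):
        print(finding["mailbox"], "/", finding["rule"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the constructed export, the detector flags "Payroll exfil" (external forward plus hidden finance mail) and "Cleanup" (finance keywords parked in an RSS folder) and leaves the two ordinary rules alone. In production the same check belongs in a scheduled job over every mailbox, with any external forward on a finance or executive mailbox treated as an incident until proven otherwise.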


Case Study: Online Banking

Issue – Stolen User Name and Password

Attackers stole the username and password to a client’s online bank account and used the credentials to transfer $440,000 to an account in Cyprus. The client alleges that the bank failed to implement commercially reasonable security procedures as required by Article 4A (Funds Transfers) of the UCC.

Prevention – Best Practices

Bank provides clients with documentable training and training materials.
Encourage the client to require two people to initiate a transfer (dual control).
Encourage the client to set a daily limit.
Bank implements two-factor authentication.
Bank requires a call-back before initiating a transfer over a set dollar threshold.

Insurance

Make sure that Computer Crime is included in the bond and that it includes any theft where the Bank is held liable.
Procedure should require a banker to call back the customer at a preassigned phone number prior to initiating a transfer over $25,000.
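The controls on this slide (dual control, a daily limit, a second factor and a call-back to a pre-assigned number above $25,000) only help if they are enforced together on every wire, not as separate checkboxes. Below is an added example, not CBIZ’s code or any real core-banking system’s, that models them as a single authorization check. The $25,000 threshold is the slide’s figure; the client, its limit, its phone number and the in-memory model are constructed assumptions.

```python
"""Dual control, daily limit, MFA and call-back checks as one wire authorization.

Added example, not from the CBIZ deck. The $25,000 threshold is the slide's
figure; the client record and amounts below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

CALLBACK_THRESHOLD = 25_000.00   # above this a call-back to the pre-assigned number is mandatory


@dataclass
class Client:
    name: str
    daily_limit: float
    callback_phone: str            # pre-assigned at onboarding, never taken from the request
    transferred_today: float = 0.0


@dataclass
class TransferRequest:
    client: Client
    amount: float
    initiator: str                 # user who keyed the wire
    approver: Optional[str]        # second user who released it, if any
    mfa_verified: bool             # initiating session passed a second factor
    callback_number: Optional[str] = None   # number the banker actually dialed


def authorize(req: TransferRequest) -> Tuple[bool, List[str]]:
    """Return (approved, problems). Only an approved wire counts against the daily limit."""
    problems = []
    if req.amount <= 0:
        problems.append("amount must be positive")
    if not req.mfa_verified:
        problems.append("second factor not verified for the initiating session")
    if req.approver is None:
        problems.append("dual control: no second approver")
    elif req.approver == req.initiator:
        problems.append("dual control: approver must be a different person from the initiator")
    if req.client.transferred_today + req.amount > req.client.daily_limit:
        problems.append("daily limit %.2f exceeded (already sent %.2f today)"
                        % (req.client.daily_limit, req.client.transferred_today))
    if req.amount > CALLBACK_THRESHOLD:
        if req.callback_number is None:
            problems.append("call-back to pre-assigned number required above %.2f" % CALLBACK_THRESHOLD)
        elif req.callback_number != req.client.callback_phone:
            # A number supplied in the request itself is exactly what the fraudster controls.
            problems.append("call-back made to %s, not the pre-assigned %s"
                            % (req.callback_number, req.client.callback_phone))
    approved = not problems
    if approved:
        req.client.transferred_today += req.amount
    return approved, problems


if __name__ == "__main__":
    acme = Client("Acme Manufacturing", daily_limit=100_000.00, callback_phone="+1-555-0100")
    # The case study's scenario: stolen credentials, one actor, $440,000 out the door.
    print(authorize(TransferRequest(acme, 440_000.00, "alice", None, mfa_verified=False)))
    # A legitimate wire that satisfies every control.
    print(authorize(TransferRequest(acme, 30_000.00, "alice", "bob", True, "+1-555-0100")))
```

The scenario from the slide fails four checks at once, which is the point: a stolen password alone should never be enough to move $440,000. Note that the call-back number is compared with the one on file, not merely checked for presence; accepting a phone number from the transfer request reintroduces the weakness the control is meant to remove.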


Case Study: Data Breach via Theft or Loss of Devices/Media

Prevention – Best Practices

Ensure proper physical security of electronic and physical restricted data:

Lock down workstations and laptops
Secure work areas, files, laptops and portable equipment before leaving
Shred sensitive paper records
Don’t leave sensitive information lying around unprotected (on printers, fax machines) or visible (computer, electronic devices, car or home)
Use security measures for portable devices and laptops, both full-disk encryption and physical security
Delete personally identifiable information and other restricted data when it is no longer needed
Be prepared with a data breach disaster plan
Provide employee training
Audit regularly to test your plan and program
Implement software to remotely wipe data on mobile devices
Conduct regular vulnerability risk assessments
Vet any vendor that has access to data

Insurance

A cyber liability policy will typically provide coverage for the costs associated with a breach as well as associated lawsuits.

The bank’s property policy will provide coverage for the theft of the physical equipment.

Recommendations:

o Consider a cyber liability policy that includes Data Breach services and not solely a coverage limit

o Make sure the cyber liability policy includes coverage for data lost by a bank vendor

o Check the cyber liability policy for procedure requirements to maintain coverage

o Make sure that the loss of paper personal data is covered in addition to electronic data

o Make sure that both intentional and accidental breaches of data are covered


Case Study: Data Breach – Board Litigation

Issue

Recent high-profile attacks on big-name brands have triggered lawsuits naming individual Directors. Shareholders, customers and vendors are pursuing legal recourse against executives for breaching the fiduciary duty to manage cyber risk.

Prevention – Best Practices

Add a Cybersecurity Briefing as a regular board agenda item.

Provide Cyber Risk education and training for Officers and Directors.

Create a record of the Board’s involvement in cyber risk management and training.

The board should understand related regulations, including the state data breach notification laws.

The Board should annually approve the Cyber Risk Management Plan.

Insurance

Most Directors and Officers (D&O) policies cover litigation against directors and officers relating to breach of cyber fiduciary duties.

Because of the increased frequency of events and growing cost of cyber incidents, some carriers are starting to exclude this coverage. Verify that the D&O policy does not exclude litigation relating to a data breach.

Some Cyber Liability policies include coverage for Directors and Officers relating to breach of cyber fiduciary duties.


Case Study: Business Interruption

Issue – Hackers Exploit Flaws

Hackers are exploiting flaws in computer systems, crippling normal business operations. The attacks include malicious code and denial of service that may make your website, applications and processes unusable to employees and customers alike.

Viruses, worms or other code may delete critical information on hard drives and other hardware. Further, financial institutions can suffer business interruption through the third-party vendors on whom they rely to perform daily business.

Prevention – Best Practices

Create a formal program – Begin by capturing all systems used by the organization based on their functions, processes and the data they store.

Document a risk management program that addresses the scope, roles, responsibilities, compliance criteria and methodology for performing cyber risk assessments.

Include employee education and limit employee access and authority to an as-needed basis.

Integrate your Incident Response Plans with Business Continuity / Disaster Recovery Plans.

Train and test everyone on their roles and responsibilities in Incident Response, Business Continuity and Disaster Recovery.

Insurance

Proper coverage will include lost income due to the event:

Profits that would have been earned had the event not occurred

Operating expenses, such as utilities, that must be paid even though business temporarily ceased

Rented or leased equipment


Case Study: Ransomware

Issue – Phishing Scam

Hackers gain access to a computer system, often through a phishing scam that tricks employees into opening a document or clicking on a bad link, which then infects the system with malicious software that encrypts the data.

In order to regain access to their encrypted files, companies are told to pay a ransom: “If you don’t pay the $20,000 ransom within 72 hours, your data will be gone forever.”

Prevention – Best Practices

Frequent backups of data, kept offline or otherwise out of reach of the infected systems and tested by restoring from them.

Employee training regarding clicking links or opening documents.

Consider network segmentation to minimize the spread of ransomware should your organization become infected.

Insurance

Extortion coverage is an option in most cyber policies. Since these demands tend to be relatively modest amounts, the deductible should be watched. Some Kidnap and Ransom coverage includes Electronic Extortion.

The carrier needs to agree before a ransom is paid.

Do not disclose that you have insurance.


Crown Castle initially engaged CBIZ to classify our data and create a risk taxonomy before beginning red team exercises. The collaboration with our staff and reporting of real-time results throughout the duration of our engagement has allowed Crown Castle to recognize the benefits of these services immediately. Their best practice recommendations and hands-on approach have helped our company strengthen its security infrastructure.

Tom Keaton Internal Audit Manager Crown Castle International

Client Feedback


CBIZ CYBER TEAM Serving Financial Institutions Practice Leaders: Chris Roach

Managing Director & National IT Leader CBIZ Risk & Advisory Services

Kris St. Martin Vice President & Bank Program Director CBIZ Insurance Services


CBIZ Cyber Team for Financial Institutions

KRIS ST. MARTIN

Vice President and Bank Program Director CBIZ Insurance Services

Kris has more than 23 years of direct bank experience in audit, procedures, IT security, lending and board training. Kris has held many positions in the banking industry in security, including Senior Lending Officer, President, CEO and Board Chair. Kris has been providing risk mitigation services to the financial industry since 2009 including cyber, directors & officers and crime bond insurance.

763.549.2267 | [email protected]

CHRIS ROACH

Managing Director and National IT Practice Leader CBIZ Risk & Advisory Services

Chris has extensive experience in information technology, risk management, business management and using technology to mitigate business risks. He consults for both public and privately held companies. Chris holds certifications as Certified Information Security Manager (CISM) and Certified in Risk and Information Systems Controls (CRISC). He is a former IT Risk Partner at KPMG.

713.871.1118 | [email protected]

Practice Leaders


CBIZ Cyber Team for Financial Institutions

W. REMONDE BRANGMAN

Practice Leader Vendor Risk Management CBIZ Risk & Advisory Services

Remonde has more than 35 years’ experience in governance, risk management, internal audit, ISO 31000, ISO 27000 (information security management), vendor risk, fraud investigation and forensic accounting. Remonde is a former chief audit executive of a $10 Billion global bank. He has served Fortune 100 companies as well as local, state, federal and foreign government entities.

240.396.1063 | [email protected]

DAMIAN CARACCIOLO

Vice President Executive Protection Practice CBIZ Insurance Services

Damian has more than 25 years’ experience in executive and business management liability lines, including cyber liability (network security and privacy), commercial crime and kidnap, ransom and extortion. Damian has held several management positions with a Fortune 500 company. In addition, his broad background brings expertise in International Risks, Labor Organization, Commercial and Construction Surety bonding.

443.472.8096 | [email protected]

Subject Matter Experts


CBIZ Banking & Financial Services Newsletter Executive Committee

KRIS ST. MARTIN – Vice President, Bank Program Director, CBIZ Insurance Services

CHRIS ROACH – Managing Director and National IT Practice Leader, CBIZ Risk & Advisory Services

W. REMONDE BRANGMAN – Director and National Practice Leader, Vendor Risk Management, CBIZ Risk & Advisory Services

JAKE McDONALD – Senior Manager, Credit Risk Advisory, CBIZ MHM, LLC

TODD GORDON – Vice President of Sales, CBIZ Benefits & Insurance

JAY MESCHKE – President, EFL Associates & CBIZ Human Capital Service

KEVIN NUSSBAUM – Vice President of Client Development, CBIZ, Inc.

Check out the issue archive online. Four to six interesting articles each issue.

Kris St. Martin – CBIZ Bank Insurance
Chris Roach – CBIZ Risk & Advisory
Remonde Brangman – Vendor Risk
Damian Caracciolo – Executive Risk

Our cyber risk team will be happy to take your call or respond to your email. Feel free to contact our Practice Leaders with any questions you may have. To learn more about CBIZ, we invite you to visit www.cbiz.com.

Questions

Connect with us on LinkedIn