Cyber compromises continue to rise globally, adversely impacting banking and financial services (BFS) institutions.
Cyber compromises are not only resulting in huge legal penalties for financial enterprises, but also derailing their efforts to recover and rebound from the COVID-19 pandemic. There is great emphasis on strengthening cyber resilience among banks and financial institutions.
From an organizational standpoint, cyber resilience has heavily focused on infrastructure and monitoring enablement. These traditional fortification mechanisms, however, are unable to provide the necessary cover to business lines with wide and varied operating canvasses, which makes them prone to breaches.
This gap, which persists despite the cybersecurity measures in place, highlights the need to provision cyber insurance for the various business lines in both banks and firms across the financial services ecosystem, such as mortgage and settlement providers. This white paper emphasizes the need for banks and financial institutions to have a comprehensive cyber insurance strategy for managing cyberattacks. Such a strategy will ensure business continuity and operational resilience.
CYBER INSURANCE: AN IMPERATIVE FOR THE FINANCIAL SERVICES INDUSTRY
Banks and financial services firms have wide operating canvasses ranging from retail and corporate banking to mortgage and settlement services and forex and insurance services.
The value chain almost always comprises multiple vendors, applications, and heterogeneous environments for providing a range of customer services. In this scenario, to minimize cyber exposure and restore the pre-incident state, cyber insurance must cover expenses from the time of the incident to the full recovery of the business. This exercise must be carried out by the chief information officer (CIO) or the chief risk officer (CRO). While there are some products in the market, most CIOs and CROs see deficiencies in how they are constructed. Thus arises the need to understand the multiple business dimensions that warrant attention in arriving at a workable and feasible cyber insurance strategy from the CIO or CRO perspective.
For any line of business, the major components of cyber insurance range from maintaining core backend processing systems to real-time settlement systems and customer-connect systems. The infrastructure and applications that enable the ecosystem also fall within the scope of consideration.
THE KEY TENETS OF A CYBER INSURANCE STRATEGY
Several major components, each with its own unique business proposition and flavor, form a part of the cyber insurance requirements.
Strengthen core processing
Treasury services process large volumes of data, including customer data, banks’ internal data, counterparty datasets, and business-generated metadata. Protecting this activity from cyberattacks is a key business requirement. A cyber incident could cause downtime in the processing facility or theft of data and information. The CIO or CRO, who is responsible for information security, will need financial insurance coverage. The insurance requirements in this space will need to include coverage for losses incurred by all the stakeholders (originator or customer, processor or bank, and consumer) of the data and information. The organization loses revenue and reputation from service disruption and breach of SLA commitments with counterparties, customers, and internal teams serviced by the treasury department. Loss of revenue from changes in trade values stemming from market drift needs adequate cover too. Compromise of data privacy, gauging the volume and impact of identity theft, and unauthorized transactions also need consideration. The cyber exposure may result in theft of data and fraud, which in turn cause legal liability and loss of business opportunity. All of the above are vital to deciding the insurance cover.
The various dimensions that need to be assessed while designing a cyber insurance policy and arriving at cyber exposure in financial terms (for example, a fixed amount in millions of USD) may appear insurmountable on the surface to qualify and quantify. Gauging the relevance and monetary value of these dimensions demands a systematic approach, which involves understanding the ecosystem of the operating canvas, including its people, process, and technology components. A qualitative dimension comes from factoring in the arrangements implemented on infrastructure and applications to secure the business from cyber risks, and from aligning the agreed-upon risk appetite with organizational mandates and the existing cybersecurity monitoring and mitigation techniques. The cost of maintaining agreeable SLA levels, the volume throughput of the treasury management system, and the duration of the breach should help quantify the loss that will need cyber insurance cover. Data breach liabilities affecting the privacy of the lost information, along with possible cascading fraud scenarios from third-party services, need to be assessed. Further, industry practices demand insurance cover for restoring the pre-breach cyber posture.
Fortify real-time settlement systems
Despite provisioning fallback mechanisms in business processes and infrastructure availability to achieve operational resilience during cyberattacks, real-time settlement systems attract legal penalties when the service is disrupted by a cyberattack. Settlement services are time-driven, so a cyber compromise could lead to loss of data until it is discovered and isolated. The loss of data will cascade into data privacy breaches and contractual breaches.
As with backend core processing systems, insurance needs in this scenario will also be determined by the fallback mechanisms established for real-time systems, aligned with compliance requirements. Counterparty systems play an important role in the banking and financial services industry. Any vendor arrangement and its implications for the settlement process need to be validated when assessing possible cyber exposure. With the current business model of outsourced activities, this ecosystem must be systematically evaluated for a trust score and against the risk appetite in order to define the cyber insurance component.
Minimize downtime on customer services
With last-mile connectivity (in both web- and mobile-based services) being heterogeneous, cyber breaches also carry the risk of bringing malware into internal systems. Most often, the risk exposure is not easily determined. The common practice is to enable graded security for the various customer bases, exposed systems, and customer services.
The approach to addressing the cyber insurance needs of the CIO or CRO for customer services is driven by various factors such as the security of the internal systems and the volume and value of transactions allowed in a particular time period (exposure limiting). Examining business workflows and the level of automation across information searching, transaction-committing mechanisms such as batch processing or real-time processing, and decision support systems can help determine exposure factors.
Assess opportunity loss
Calculating the opportunity loss due to cyber exposure is not an easy task. While the exposure and its fallout include the downtime, the line of business and its level of monitoring and maintenance activities will determine the exposure impact.
Statistical measures of transactions (number and value), the period of compromise, and measures of dynamic market opportunity and legal and reputational loss could provide a true reflection of this component. As a reflection of ‘future’ business, the opportunity needs justifiable consideration aligned with risk appetite and strategy.
Account for compliance-driven legal liabilities
In the highly regulated domains of banking and financial services, service disruption due to cyber breaches could become a nightmare for CIOs and CROs. These incidents result in identity theft and unauthorized transactions leading to fraud. Disruptions that cause data theft and compromise the privacy of individuals and enterprises attract huge legal liabilities.
For a given line of business, such as credit provisioning (commercial banking or retail banking), a realistic estimation of legal liability requires a clear understanding of the nature and value of the information and of the business-specific, geography-specific legislation. Post-breach recovery and compensatory arrangements must be factored in. The compliance requirements will generally provide a handle on arriving at these measures. Where such guidance is not available, industry incident and recovery information could come in handy. Making use of cross-industry data points will enable reasonable estimates of exposure.