Abstract

Cyber compromises continue to rise globally, adversely impacting banking and financial services (BFS) institutions.

Cyber compromises are not only resulting in huge legal penalties for financial enterprises but also derailing their efforts to recover and rebound from the COVID-19 pandemic. There is great emphasis on strengthening cyber resilience among banks and financial institutions. 

From an organizational standpoint, cyber resilience has heavily focused on infrastructure and monitoring enablement. These traditional fortification mechanisms, however, are unable to provide the necessary cover to business lines with wide and varied operating canvasses, which makes them prone to breaches. 

Despite cybersecurity measures in place, this gap highlights the need for provisioning cyber insurance for the various business lines in both banks and firms across the financial services ecosystem, such as mortgage and settlement providers.

Read further to understand the need for banks and financial institutions to have a comprehensive cyber insurance strategy for managing cyberattacks. This will ensure business continuity and operational resilience.  

Cyber insurance: An imperative for the finance industry

Banks and financial services firms have wide operating canvasses ranging from retail and corporate banking to mortgage and settlement services and forex and insurance services.

The value chain almost always comprises multiple vendors, applications, and heterogeneous environments for providing a range of customer services. In this scenario, to minimize cyber exposure and maintain a pre-incident state, cyber insurance must cover expenses from the time of the incident to the full recovery of the business. This exercise must be carried out by the chief information officer (CIO) or the chief risk officer (CRO). While there are some products in the market, most CIOs and CROs see deficiencies in their construct. Thus arises the need to understand the multiple business dimensions that warrant attention in arriving at a workable and feasible cyber insurance strategy from the CIO or CRO perspective. 

For any line of business, the major components of cyber insurance range from maintaining core backend processing systems to real-time settlement systems and customer-connect systems. The infrastructure and applications that enable the ecosystem also constitute the consideration envelope. 

The key tenets of a cyber insurance strategy

Several major components, each with its own unique business proposition and flavor, form a part of the cyber insurance requirements.

• Strengthen core processing: Treasury services process large volumes of data, including customer, banks’ internal, counterparty datasets, and business-generated metadata. Keeping this activity off cyberattacks is a key business requirement.

• Fortify real-time settlement systems: Despite provisioning for fallback mechanisms in business processes and infrastructure availability to achieve operational resilience during cyberattacks, real-time settlement systems attract legal penalties.

• Minimize downtime on customer services: With last-mile connectivity (in both web- and mobile-based services) being heterogenous, cyber breaches also carry the risk of bringing malware into internal systems. Most often, the risk exposure is not easily determined. 

• Access opportunity loss: Calculating the opportunity loss due to cyber exposure is not an easy task. While the exposure and its fallout comprise the downtime, the line of business and its level of monitoring and maintenance activities will determine the exposure.

• Account for compliance-driven legal liabilities: In the highly regulated banking and financial services domain, service disruption due to cyber breaches could become a nightmare for CIOs or CROs. These incidents result in identity theft and unauthorized transactions leading to fraud.