The largest banks employ nearly 500,000 people and spend millions of dollars every year to secure their networks. Despite these efforts, cybercriminals have stolen hundreds of thousands of records from financial services companies. In the end, the targeted organizations need to win all day, every day. Hackers only need to win once. It’s hardly a fair fight.
A dramatic win for the hackers made headlines in July 2019 as one of the largest U.S. banks fell victim. Over 100 million credit card applications, some including names, birthdates, Social Security numbers, bank account numbers, addresses, phone numbers and email addresses, were stolen. This type of event prompts many questions. Perhaps one of the most important questions for a company concerned that a similar attack might happen to them in the future: Can the costs be transferred to an insurance policy?
How It Happened
According to reports, the hack was perpetrated by a former Amazon Web Services systems engineer who was able to penetrate a misconfigured firewall on the bank’s cloud server. In response to the publicized attack, the cloud provider was quick to deflect blame, putting the onus on the bank for having the responsibility to set access controls to data stored in the cloud servers. As of the date of this writing, it is unknown whether the former employee used any proprietary cloud provider tools or other information to carry out the attack.
The ultimate costs of the attack may be difficult to accurately predict at this stage and will likely play out over several years. However, we can expect this event to have a significant impact on the bank’s bottom line, as costs will hit from many angles, including the following.
- Crisis management costs: Several external vendors were needed to assist in the investigation and remediation of the attack. Law firms, IT forensics investigators, credit monitoring services, public relations experts, notification and call centers, and other experts were likely engaged.
- Legal liability: With a hack of this magnitude, it should be expected that multiple parties will pursue legal action against the bank. Plaintiff attorneys representing the individuals affected may file class-action suits against the bank and its board of directors. Regulators may litigate and possibly fine the bank, citing noncompliance to state, federal and international privacy laws. They may also pursue financial services industry-specific data protection requirements at the state and federal level, including but not limited to the Sarbanes-Oxley Act (SOX), Gramm-Leach-Bliley Act (GLBA) and the New York State Department of Financial Services Cybersecurity Regulation (23 NYCRR 500). Derivative and securities class-action lawsuits may also follow.
- Business interruption and extra expenses: It is very possible that several key employees abandoned their everyday jobs to deal with the incident, perhaps for several weeks and months. This likely led to business interruption and lost revenue, incurring unforeseen business expenses for the bank.
Transferring the Risk – Insurance
There may be multiple insurance policies that come into play following this type of event. While individual policy forms and endorsements could affect coverage in various ways, we would seek to focus insurance recovery on the following policies.
Fortunately, the bank stated that it had $400 million in cyber insurance coverage, subject to a $10 million self-insured retention.¹ Assuming it purchased a comprehensive cyber insurance policy, it should be able to transfer a significant portion of the direct costs associated with the hack.
One of the most valuable attributes of a cyber policy comes in the form of data breach response experts who work on breach response matters all day, every day. Many can be deployed immediately. These include the following:
- Breach coaches: Some policies provide data breach hotlines—phone numbers where an insured can talk directly to a privacy attorney, also known as a breach coach. These attorneys specialize in breach response best practices and provide guidance related to legal obligations imposed by privacy law. Retaining the breach coach helps establish attorney-client privilege, which can aid in legal defense should future litigation arise.
- IT forensics investigators: These experts track the digital footprints of the hacker to determine when and how they accessed the network, what data they may have compromised, and whether the hacker is still in the system, and they help remediate the vulnerability. Ultimately, their findings will be evaluated by the breach coach to determine possible legal obligations.
- Credit monitoring services: Identity theft is a real possibility for individuals affected by a data breach. Credit monitoring, ID theft restoration services, ID theft insurance and dark web monitoring are some common services that could be provided and covered by a cyber insurance policy.
- Notification and call centers: Managing mandatory notification to millions of individuals, and subsequent calls from them, may require outsourcing to an external vendor.
- Public relations: Significant data breaches often get the attention of the media. It may be prudent to hire an expert to manage communications in order to mitigate reputational harm.
After the bank moves through the initial crisis, the cyber insurance policy may also be used to transfer some of the costs associated with privacy liability and regulatory risk. Litigation costs, settlements and regulatory fines (where permitted by law) can be covered.
Business interruption costs and extra expenses could also be covered. Business interruption costs are usually subject to an eight- to 12-hour waiting period, after which the policy may be triggered.
Directors & Officers Liability Insurance
Event-driven D&O claims are on the rise, defined by litigation following an adverse event occurring within an organization. A cyber event is a key example of the type of matter that can ultimately give rise to a D&O claim.
Taking into consideration the responsibilities of the board of directors, an adverse event often prompts scrutiny of these specific individuals and their actions (or inactions) relative to such an event. Allegations frequently focus on what the board did, or didn’t do, to protect the organization from a cyber attack. These claims can be costly, taking the form of a class action suit driven largely by the public visibility of a cyber event. In this particular case, among other litigation, the bank had a class-action suit filed against them following the data breach, alleging that the bank failed to take “reasonable care” to secure the sensitive personal information of their customers.
From an insurance perspective, companies want to include D&O in the consideration of which policies may come into play in conjunction with a cyber attack. Understanding the policy retention—that portion of risk retained by the company before the policy responds—is a critical factor in accounting for total cost of risk. Likewise, the possibility of a follow-on D&O claim to a cyber event may require companies to review total D&O limits purchased and ultimate program structure as well. In a given policy term, can the D&O program potentially be eroded by multiple claims, and if so, what limits may be adequate to both safeguard the balance sheet and assure protection to the directors and officers themselves? Lastly, careful review of actual coverage terms and policy language is critical to ensure there are no loopholes or gaps, so as to make certain that the program will be triggered when expected.
Technology Errors & Omissions Insurance
Vendor management is not only a best practice in cyber risk management. It is also a regulatory requirement for some financial services companies and is specifically called for in the NYSDFS cybersecurity regulation.
A comprehensive vendor management program should require certain vendors to carry technology errors and omissions insurance. This policy often covers a vendor for losses resulting from technology services, technology products, media content and network security data breaches.
In the bank’s case, and for many other organizations, it might have been difficult to require custom contractual insurance requirements with large cloud vendors. Cloud vendor contracts are notoriously inflexible, with terms working in favor of the cloud provider. Further, the facts of this case do not necessarily implicate the cloud provider as being at fault, which could theoretically lead to the cloud provider’s insurance company denying liability that might be alleged by the bank.
Looking Ahead: Rising Geopolitical Tensions
The Department of Homeland Security has warned the public that it expects Iran-based cyber threat actors to retaliate against the U.S. as a result of the recent U.S. assassination of Iranian general Qassem Soleimani. The DHS’ January 4, 2020, National Terrorism Advisory System bulletin states, “Iran maintains a robust cyber program and can execute cyberattacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.”
The financial services sector, in particular, is now on alert given the recent history of attacks against the sector, which are widely believed to have emanated from Iran. It is alleged that Iran specifically attacked three major U.S. banks with Distributed Denial of Service attacks from late 2011 through 2013 as a direct response to U.S. sanctions against Iran. Many believe Iran has also used “wiper” malware to attack the energy and hospitality sectors, including a devastating attack in 2012 that destroyed data from 30,000 computers.
In light of the heightened cyber risk environment for the financial services sector, it would be prudent to take several steps to prevent, mitigate and transfer the risk, including:
- Investing in the latest data encryption technology and data security tools, including anti-virus software and real-time intrusion detection systems.
- Having a backup set of data that is segregated from the primary data set and updated regularly.
- Tightening up processes by implementing multifactor authentication, conducting system patching on a regular basis, creating a formal password protection program and enforcing all privacy policies.
- Requiring employee training at all levels as part of cyber attack readiness.
- Putting an incident response (IR) team in place that includes all key stakeholders: chief information security officer, general counsel, risk manager, PR or marketing lead, COO, CFO and CEO. The IR plan should assign individual roles and responsibilities designed to respond to specific types of cyber attacks.
- Conducting tabletop exercises with your IR team at least once yearly to test preparedness.
Ultimately, there is no 100% guaranteed solution to prevent cyber attacks. However, the financial services industry can implement several strategies focused on its technology-based security controls, business processes and employee training to combat this ever-evolving threat.
Gallagher’s Financial Institutions practice and Cyber practice are poised to assist you in both the mitigation and management of these cyber-related risks, with myriad resources for placing insurance and managing claims, and via our proprietary tools available to our clients. Contact us to learn more.