Cyber Insurance Expert Santho Mohapeloa, AGCS
Analysis of $1bn worth of insurance industry claims shows that cyber incidents are the top cause of loss for financial services companies over the past five years and the cyber risk landscape isn’t going to get any easier moving forward. The sector faces a wide range of challenges ranging from Covid to compliance to the cloud, to name just a few, as a new report from Allianz Global Corporate & Specialty (AGCS) highlights.
Cyber security experts warned of a perfect storm for financial institutions as Covid-19 led to a rapid and largely unplanned increase in homeworking and electronic trading, and this duly materialized. Attacks against the financial sector were reported to have increased by well over 200% globally from the beginning of February 2020 to the end of April 2020, with some 80% of financial institutions reporting an increase in cyber-attacks, according to security firm VMware. Weaker controls and oversight, laxer security in the home office and the greater likelihood of employees falling victim to scams while working remotely were just some of the reasons cited for this dramatic rise.
Recent months have also seen a number of major global cyber-attacks that have impacted the financial services sector. In December 2020, the Orion system of information technology firm SolarWinds was compromised, affecting about 18,000 customers. In March 2021, vulnerabilities in Microsoft Exchange servers were exploited to place malicious code on them, which could then be used for ransomware, espionage or even diverting the system’s resources to mine cryptocurrency on behalf of criminals.
The fact that financial services companies typically feature in the top five sectors for severity and frequency of cyber-attacks is unsurprising. These companies hold a lot of sensitive data on individuals, businesses and governments. At the end of the day, it is where the money is.
Cyber is an existential issue for financial institutions, which is why they invest heavily in cyber security. However, with such potentially high rewards, cyber criminals will also invest time and money into attacking them. For example, the Carbanak and Cobalt malware campaigns targeted over 100 financial institutions in more than 40 countries over a five-year period, stealing over $1bn.
Regulators get tougher
At a time when financial institutions are becoming more reliant on technology and data to provide products and services to customers, they increasingly face a challenging regulatory environment. In many parts of the world, firms face a growing body of regulation, including evolving data protection and privacy rules, as well as cyber security requirements.
In particular, there has been a seismic shift in the regulatory view of privacy and cyber security. Where regulators previously looked to incentivize firms to invest in cyber security, they now see it through the lens of consumer rights and data privacy. With the General Data Protection Regulation (GDPR) in Europe and the Protection of Personal Information Act (POPIA) in South Africa, companies now need to operationalize their response to regulation and privacy rights, not just look at cyber security.
The consequences of data breaches are far-reaching, with more aggressive enforcement, higher fines and regulatory costs, and growing third party liability. Under the GDPR, the number and value of fines for data and privacy violations have been growing, while jurisdictions around the world have been introducing stricter data laws. Increasingly, breaches and regulatory actions are followed by litigation. A data breach at Capital One bank in 2019 – one of the largest ever – resulted in an $80mn fine and a number of lawsuits by affected customers.
Ransomware attacks on the rise
Ransomware attacks continue to increase in frequency and severity, with ever larger ransom demands. Ransomware attacks were up ninefold between February and the end of April 2020, according to VMware.
A recent development has seen hackers steal sensitive data and threaten to publish it online if ransoms are not paid. US lender Flagstar Bank, for example, suffered a ransomware attack in early 2020 that saw hackers post personal details online in an attempt to extort money.
“Fake presidents” and ATM “Jackpotting”
With many employees working from home and under increased stress, Covid-19 has created opportunities for cyber criminals to carry out various scams and cyber-attacks. The US Federal Bureau of Investigation (FBI) received over 28,500 complaints related to Covid-19 cyber-crime alone in 2020. Business email compromise (BEC) attacks, also known as “fake president” attacks, are a particular problem for financial institutions that make large numbers of high value payments on behalf of their customers. The cost of BEC attacks reached $1.86bn in 2020, accounting for almost half of all reported cybercrime losses.
Third party service providers can be the weak link in the cyber security chain
One of the largest and most sophisticated cyber-attacks of the past year, the SolarWinds incident, was a supply chain attack. Hackers accessed SolarWinds’ network and injected malware into its management software in order to target thousands of organizations, including banks and agencies. The SolarWinds breach is an important reminder of the financial services sector’s exposure to cyber-attacks and outages through its reliance on third-party suppliers and service providers, over which firms have little or no control when it comes to cyber security.
Most financial institutions now make use of cloud-based services and software to access additional processing capacity, as well as for IT infrastructure or to carry out certain processes, such as fraud detection or analytics. On the one hand, cloud providers are developing tools to help organizations manage and mitigate their cyber risks; on the other, a growing reliance on a relatively small number of cloud providers, combined with an opaque cloud infrastructure, is creating potentially large and systemic risks.
How financial institutions manage risks presented by the cloud will be critical going forward. They are effectively offloading a significant portion of cyber security responsibilities to a third-party environment. Your cloud service vendors can become your exposure.
Risk mitigation best practice
Cyber-attacks often include a human element, where employees, contractors or even customers are unwittingly complicit in incidents. Clients tell us that cyber is the number one concern of every C-suite executive. In particular, we see growing concern about the human factor. Just one click on a link or a download can lead to a costly ransomware attack or a data breach, with reputational damage and loss of data.
Training and technology can help minimize human error. Employees are the first line of security and defense. The human factor can make or break an organization’s cyber security position, and often its reputation. Those that are well trained can significantly reduce the impact of a breach or even prevent it from happening. Employees should be regarded as part of the cyber security team, and, as such, there should be a corresponding investment in their training and education. The same applies to top management, who should periodically rehearse scenarios in order to prepare for and respond to a major cyber incident – building resilience and business continuity planning is absolutely key to reducing the impact. Cyber security goes right up the chain.
Companies should consider taking the opportunity to carry out a desktop exercise with their insurer and broker, and include key internal and external stakeholders. This builds trust and can take the sting out of any crisis.