This content is provided by our sponsor, and neither is written by nor provides endorsement from ICBA.
How Community Banks Can Fight Cyber Crime
By Mark C. Tomlinson, Assistant Vice President, CNA Insurance – Financial Institutions
Community Banks and other financial institutions are potential targets for cyber-thieves and must be vigilant in protecting their customers’ personally identifiable information (“PII”). While most of the attention focuses on technology to prevent malicious and criminal attacks, steps also must be taken to guard against human errors, which may result in equally costly data breaches. For example, a supervisor may use a screenshot of the bank’s system during a presentation, forgetting to redact all customer information. Misdirected emails containing PII also may represent a breach without the sender’s knowledge of the misdirection. Similarly, a bank’s computer back-up tapes, which contain customer account information, may be lost or stolen during shipment to an off-site storage facility.
Given the mobility and sophistication of equipment used to operate a bank in today’s environment, it is imperative that each risk is assessed and a plan is put into place. Banking is a highly regulated industry, underscoring the importance of addressing these issues before a violation occurs. Violations of privacy laws or regulations also may result in lawsuits, expensive fines and reputational harm, many of which are preventable.
Potential for Liability
When a bank’s data is compromised and PII is accessed, the customer may have a legal claim for the loss, or the unauthorized use or disclosure, of PII. Even modest-sized breaches may result in class action litigation. Lawsuits such as these are costly, regardless of whether or not a customer is ultimately successful.
The 2014 Ponemon Institute Cost of Data Breach study reported that the financial industry suffers from the fourth largest breach cost per capita, with a cost of $206 per record breached. Even if a lawsuit is not filed, significant expenses flow from a security breach. These expenses include hiring a public relations firm to manage negative publicity, lawyers to determine customer notification obligations, and IT consultants to establish whether customer information was actually accessed.
Currently, there is no comprehensive federal breach notification law in the United States. With the exception of Alabama, Kentucky, New Mexico and South Dakota, every state as well as the District of Columbia, Puerto Rico and the U.S. Virgin Islands has enacted legislation requiring notification of security breaches involving PII. Therefore, the state law of each affected customer’s current residence dictates a bank’s responsibilities in the event of a breach.
Most state statutes have provisions regarding the following:
- Definition of Personal Information
- Risk of Harm Analysis for Determining Notification Obligation. Some states require notification if there is a “reasonable likelihood that harm to the customers has or will result”, but do not require notification if the “breach does not materially compromise the security of the personal information.”
- Notifying the Attorney General or State Agency
- Notification within a Specific Time Period
- Safe Harbor Provision: In most states, notification is not required if the lost or stolen data was encrypted.
Take Steps to Help Prevent & Mitigate Loss
Community banks can mitigate their exposure to losses from “low tech” security breaches by taking the following recommended steps to safeguard electronic data:
- Evaluate the need for storage of customers’ PII on any type of portable device, as the risks may outweigh the benefit.
- Require a username and password for accessing all devices.
- Establish a mobility policy whereby employees agree to report, lock and/or wipe lost or stolen devices.
- Establish a policy regarding the hard drives of your copiers and fax machines.
- Research all vendors to ensure that they are reputable.
- Minimize the amount of customer data that is provided to vendors.
- Consider an indemnification clause in your vendor agreements in the event that the vendor is responsible for a breach.
- Document the classification and location of data stored by the company.
- Encrypt all devices.
Mitigate Cyber Risk: Cyber Insurance
Despite the implementation of best practices, a breach may inevitably occur. Therefore, the purchase of a cyber liability insurance policy should be considered as part of an overall risk management strategy, as a typical Commercial General Liability (CGL) policy may not provide coverage for breach-related losses. When considering cyber liability policies, buyers should consider working with a qualified insurance agent to evaluate exposure to cyber security risks, as well as the following:
- The policy should include coverage for privacy injury resulting from unauthorized use or disclosure of personal customer information that is in the bank’s custody or in the custody of a third-party vendor.
- The policy should include coverage for privacy breaches which result from theft or loss of mobile devices, such as bank-owned cell phones, laptops, USB drives or even paper records.
- The policy should provide reimbursement for expenses related to the retention of a computer forensics firm to investigate the cause of the data breach.
- The policy should cover voluntary notification costs, as well as costs incurred when notification is compelled by law.
- Whether the policy also provides coverage for the costs of hiring a public relations firm to assist in limiting reputational damage arising from the privacy breach and/or the cost of credit monitoring services for the bank’s affected customers.
- Whether the policy also provides negotiated rates with data breach coaches who can assist in the effective handling of a data breach.
Given the risks of a cyber liability breach, and the attendant exposures, banks should review all current protocols relative to cyber liability, consider risk management protocols tailored to their entity, and formulate a consistent policy and plan to mitigate this exposure, including the purchase of a cyber liability insurance policy.
One or more of the CNA companies provide the products and/or services described. The information is intended to present a general overview for illustrative purposes only. It is not intended to constitute a binding contract. Please remember that only the relevant insurance policy can provide the actual terms, coverages, amounts, conditions and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice. CNA is a registered trademark of CNA Financial Corporation. Copyright © 2014 CNA. All rights reserved.