Cyber insurance for Financial Institutions

As the pace of technological innovation continues unabated, banks and other financial institutions are increasingly reliant on the efficiencies of IT infrastructure and the data stored therein. The value of the availability, security, and integrity of these networks and data cannot be overstated, and organisations must consider the ramifications of a cyber security or privacy related incident.

Year after year, data breach studies have drawn a correlation between industry segments with the greatest volume and breadth of confidential information and cyber incidents. Given the highly sensitive nature of their data, organisations in the financial services sector, especially financial institutions and insurance companies, are prime targets and frequent victims of cyber incidents. 

JLT provides bespoke cyber risk management solutions and cyber liability insurance across the financial sector. Whether you are a bank or any other financial institution, our team of experts will work with you to find the right multi-dimensional cyber risk solution against data breach, cyber-crime and cyber attacks.


WHAT WE DO

Cyber insurance for Financial Institutions

Cyber risks that financial institutions and financial service organisations should consider: 

  • Large volumes of customer, applicant and employee information including payment card, bank account and personal identification numbers and other confidential details in your care, custody or control
  • Growing trend of cyber espionage 
  • Business interruption on account of a system glitch, denial of service attack or other network intrusion
  • Reputational harm subsequent to a breach damaging brand loyalty and trust, resulting in business income loss
  • Professional indemnity and other traditional insurance policies do not typically cover financial institutions for incident response or business interruption, resulting from cyber attack or technology failure, therefore additional cyber insurance should be considered.

We can provide bespoke cyber risk management solutions and cyber liability insurance across all financial institutions. Our team of experts will work with you to find the right cyber security solution against data breach and cyber attacks.

CYBER Q&A

Information Technology (IT) generally refers to all things computing. Less familiar is Operational Technology (OT), the software and hardware used to monitor and control physical devices. OT is typically found in industry and critical infrastructure, where electronic systems operate equipment (such as sensors, valves or controls) in pipelines, refineries and nuclear power plants.

These Industrial Control Systems have been used for decades (and can trace their origins to the beginnings of computing and automation in the 1950s) in a wide range of sectors, such as energy, utilities, manufacturing, chemicals, transport and scientific research. They can collect data, control processes and machinery, as well as measure and manage environmental factors, like temperature, pressure etc.

OT is becoming more and more important with the march of Industry 4.0 and increased levels of automation in industry. Smart systems are being developed for power and utilities, transport and manufacturing that will see more and more industrial control systems and equipment connected to networks, including the cloud.

And with the Internet of Things (IoT), OT will increasingly move beyond the industrial environment, as more and more technology is used to monitor and control devices in other sectors, such as logistics, medicine, building management, telecommunications and entertainment.

However, OT and IT are quite different beasts, and are usually treated separately within organisations. But, according to Gartner, developments in IoT, smart systems, machine learning and automation will see IT and OT systems become more integrated.

But OT and IT systems currently have conflicting priorities. While IT services are primarily concerned with data protection and security, OT has so far prioritised accessibility over security. Many industrial control systems were not designed with security front of mind, but awareness of their vulnerabilities and the potential consequences of cyber attacks has been increasing.

One of the most high-profile attacks using OT involved a steel mill in Germany, where hackers accessed the plant's control systems, taking control of the blast furnace. Iranian hackers were also said to have taken control of flood gates at a US dam in 2013.

OT systems are also harder to protect than IT. Many are known to run on unsupported or unpatched operating systems. Such systems are also vulnerable to human error – hackers used targeted emails and social engineering to infiltrate the German steel mill systems.

As cyber criminals and other protagonists increasingly look to target industrial systems, the security of OT is set to become as important as it is in IT.

Companies are becoming increasingly dependent on IT systems - to manage supply chains, communicate with customers and trade - and are therefore exposed to the risk of significant disruption from IT system failures.

Cyber insurance has evolved over recent years and broad forms of system failure coverage are now available. However it is important to examine wordings as significant differences exist between policies.

Cyber insurance can cover business interruption losses from a wide range of systems failures, but will not generally cover outages caused by power supply or telecommunications failures. Depending on the policy, other exclusions may also apply, such as the failure of new software roll-outs or upgrades.

System failure cover typically falls into one of two camps: all risks or named perils. All risks provides the broadest cover, but the market is more limited in terms of insurer options and capacity, and the pricing is frequently higher. Underwriters are also likely to require more information from insureds.

For companies that require system failure cover, it is critical to be aware of the type and scope of cover under their cyber insurance policies. It is also important to work with a specialist broker to understand the implications of wordings.

Cyber espionage is one of the murkier aspects of cyber risk. Few organisations will admit to having been the victim of cyber espionage, but many are concerned about a cyber attack that seeks to steal confidential information, like trade secrets or client data.

Cyber espionage topped the list of major threat concerns for global business, according to a survey by Trend Micro. One in five global organisations surveyed ranked cyber espionage as the most serious threat to their business while 20% of US companies were said to have suffered a cyber espionage related attack in the last year.

Cyber espionage is a broad term to describe the theft of information related to individuals, companies and governments, using hacking techniques. Foreign governments, state-affiliated hackers and even business rivals will all potentially have an interest in stealing valuable data, such as military secrets, technology or research.

In its broader sense, cyber espionage can also refer to attempts to disrupt critical infrastructure or services by foreign governments or state-backed hackers. For example, a cyber attack in Ukraine targeted power stations in December 2015, causing wide-spread outages. 

As more and more critical data and intellectual property moves online, cyber espionage is likely to become a more pressing issue. At the same time, nation states and state-backed hacking groups tend to be better resourced and use more sophisticated methods than cyber criminals.

A recent report from Lloyd’s identified energy, telecommunications and the public sector as the three sectors most susceptible to cyber espionage, followed by manufacturing and professional services. Foreign governments and their agents target these sectors as they seek to steal sensitive information on politically exposed persons, intellectual property and key infrastructure.

Patches are software updates, usually released to improve the performance or fix bugs and security vulnerabilities in software already installed on computers, IT systems and devices.

Software is far from perfect and glitches and vulnerabilities are readily exploited by hackers who use them to carry out cyber attacks, spread viruses, malware, ransomware and to create armies of botnets.

More sophisticated cyber attacks use unknown vulnerabilities – called zero-day exploits – but the majority rely on known vulnerabilities. Analysis suggests that zero-day vulnerabilities account for as little as 1% of vulnerabilities in Microsoft software.

In fact most exploits involve vulnerabilities that were patched more than a year ago. According to Fortinet’s recent Threat Landscape Report, 90% of organisations recorded exploits for vulnerabilities that were three or more years old. Some 60% of firms were still seeing attacks for vulnerabilities dating back 10 years or more.

The WannaCry and Petya ransomware attacks earlier this year, in 2018, demonstrate the extent to which not patching can leave companies vulnerable. Both used known vulnerabilities to spread through networks and encrypt data, and despite the availability of a patch, the malware infected hundreds of thousands of computers.

Regular patching is known to be an effective form of defence against cyber attacks, and yet companies take on average 100 days or more to update their systems.

In an ideal world, every organisation would apply the latest security patches and updates to their IT systems as soon as they are released. But in reality there are many good reasons why companies do not keep software up-to-date, not least because of the complexity and interdependencies of software and the reliance on critical IT systems.

Installing patches can create more problems than it solves, and patches are known to have caused systems to crash catastrophically. In 2015, trading ceased on the New York Stock Exchange for nearly four hours after a technology upgrade went wrong, while a failed upgrade left thousands of banking customers unable to access their accounts at Australia-based St George’s Bank.
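The passage above makes two points a practitioner can act on: most exploitation targets fixes that have been available for months or years, and organisations typically take 100 days or more to apply them. The following script is an added example (not JLT's code and not a product of any vendor mentioned above) that turns those points into a simple patch-lag triage: given an inventory of hosts with the installed version, the first fixed version and the date the fix shipped, it lists the unpatched hosts with the oldest outstanding fix first and flags those past a 100-day threshold. All hosts, product names, versions and dates are constructed for illustration; the 100-day default is taken from the passage.

```python
"""Patch-lag triage over a constructed host inventory.

Added example, not JLT's code: it flags hosts on which a vendor fix has
been available for longer than an agreed threshold, using the 100-day
average from the passage as the default. Inventory, hosts, versions and
dates are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

PATCH_SLA_DAYS = 100  # patch-age threshold (assumption: the passage's 100-day average)


@dataclass(frozen=True)
class HostPatchState:
    host: str
    software: str
    installed_version: str
    fixed_version: str    # first version in which the vendor shipped the fix
    patch_released: date  # date the fix became available


def version_key(version: str) -> tuple:
    """Numeric, zero-padded comparison so 10.0.0 sorts after 9.9.9 and 2.1 == 2.1.0."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_unpatched(state: HostPatchState) -> bool:
    return version_key(state.installed_version) < version_key(state.fixed_version)


def patch_age_days(state: HostPatchState, today: date) -> int:
    """Days the fix has been available, i.e. the window an attacker has had."""
    return (today - state.patch_released).days


def triage(inventory, today: date, sla_days: int = PATCH_SLA_DAYS) -> list:
    """Return unpatched hosts as dicts, oldest outstanding fix first."""
    overdue = []
    for state in inventory:
        if not is_unpatched(state):
            continue
        age = patch_age_days(state, today)
        overdue.append({
            "host": state.host,
            "software": state.software,
            "patch_age_days": age,
            "over_sla": age > sla_days,
        })
    overdue.sort(key=lambda row: row["patch_age_days"], reverse=True)
    return overdue


def share_over_sla(rows) -> float:
    """Fraction of unpatched hosts whose available fix is older than the SLA."""
    if not rows:
        return 0.0
    return sum(1 for r in rows if r["over_sla"]) / len(rows)


# Constructed inventory; "today" is pinned so the numbers are reproducible.
TODAY = date(2018, 6, 1)
SAMPLE_INVENTORY = [
    HostPatchState("fs-01", "fileshare-svc", "2.1.0", "2.1.3", date(2015, 3, 10)),
    HostPatchState("web-02", "web-framework", "4.0.1", "4.0.2", date(2018, 5, 1)),
    HostPatchState("db-03", "db-engine", "9.2.0", "9.2.0", date(2017, 1, 1)),
    HostPatchState("hr-04", "office-suite", "12.0.0", "12.0.5", date(2017, 11, 1)),
]

if __name__ == "__main__":
    rows = triage(SAMPLE_INVENTORY, TODAY)
    for row in rows:
        flag = "OVER SLA" if row["over_sla"] else "within SLA"
        print(f"{row['host']:8} {row['software']:14} {row['patch_age_days']:5d} days  {flag}")
    print(f"{share_over_sla(rows):.0%} of unpatched hosts exceed {PATCH_SLA_DAYS} days")
```

In the constructed data the file server has been exposed for more than three years, matching the "three or more years old" figure in the passage, while the web framework is inside the window. The point of sorting by patch age rather than by severity alone is that age is the measure the exploit statistics above are reporting; in practice the inventory would come from an asset or vulnerability management feed rather than a literal list.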

Silent cyber refers to potential cyber exposures contained within traditional property and liability insurance policies, which may not explicitly include or exclude cyber risks.

Unlike specialist standalone cyber insurance, which clearly defines the parameters of cyber cover, traditional insurance policies were not designed with cyber exposures in mind. In many cases, traditional policies will not specifically refer to cyber and could theoretically pay claims for cyber losses in certain circumstances.

This is particularly true for all risk property coverages that do not exclude cyber risk - also known as ‘non-affirmative’ cyber - and is particularly relevant for marine, aviation, transport and property lines, although it is also present in some liability covers.

For example, a study by the UK’s Prudential Regulation Authority (PRA) in 2016 found that the aviation insurance sector has to date been comfortable providing implicit cyber cover and the market has not witnessed a move to introduce exclusions.

Similarly, there are currently no widespread cyber exclusions in the property market. However, underwriters have acknowledged the potential for cyber aggregation resulting from cyber attacks on high-profile commercial or industrial targets, or from smart-house technology, the PRA said.

Casualty lines may also have significant exposure to silent cyber losses, reflecting the fact that exclusions are not widely used or because some policies cannot exclude cyber losses, such as mandatory coverages like motor. Directors and officers, professional indemnity, financial institutions and general liability products are likely to be exposed to various degrees to ‘silent’ risks due to a lack of use of effective exclusions, the PRA said.

How the market approaches silent cyber exposures will have a direct impact on coverage and the way in which the market reacts to very large and systemic losses. 

Cyber-attacks against digital supply chains are on the rise. Supply chain compromises typically seek to introduce security flaws or exploitable features into hardware, software, or digital services, which are then passed on to customers. Last year saw some significant examples of supply chain attacks, including the compromise of managed service providers (MSPs) and several software products.

In 2017, suspected Chinese hackers compromised several global MSPs, which deliver outsourced IT, HR and business services. It is thought that the attackers obtained commercially sensitive data from the MSPs and their clients, which included government agencies.

According to the National Cyber Security Centre (NCSC), MSPs represent a particularly attractive target as they have links to thousands of customers worldwide. Even if a client has strong cyber security, it may find itself vulnerable if a trusted network link to an MSP is compromised.

Between 15 August and 12 September 2017, downloads of a free computer clean-up tool known as CCleaner were infected with malware. The incident is thought to have affected over two million downloads by both individuals and businesses, and resulted in further attacks against large technology and telecommunications companies in the UK, Taiwan, Japan, Germany and the US.

NotPetya, the global malware attack that caused major disruption in June 2017, was also a supply chain attack.

Attackers managed to introduce malware into MeDoc, a legitimate software application widely used by businesses in Ukraine for handling tax returns. The compromised MeDoc update infected users of the application, while the malware was then able to spread itself within networks.

Supply chain cyber attacks are seen as an increasing threat by cyber security agencies and cyber security firms. Analysis from Symantec identified a 200% increase in attacks where hackers injected malware into the software supply chain. This equated to one attack every month last year, compared to four attacks in all of 2016. 
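The CCleaner and MeDoc incidents above share a pattern: the malicious build arrived through the vendor's own legitimate update channel, so a client that trusted that single channel had no way to notice. The script below is an added example (not JLT's code and not any vendor's update tooling) of one defensive check: an update is accepted only when its SHA-256 digest matches manifests obtained from at least two independent sources, so a poisoned vendor channel alone is not enough to get a trojanised build installed. The artifact name, the update bytes and both manifests are constructed; the "mirror" stands in for any out-of-band source such as a separately published, signed release note.

```python
"""Cross-checking a software update against independent manifests.

Added example, not JLT's code or any vendor's tooling. It models the
lesson of the CCleaner and MeDoc incidents: a single trusted channel can
be poisoned, so the installer accepts an update only when digests from at
least two independent sources agree. The update bytes and both manifests
are constructed for illustration.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_update(name: str, data: bytes, manifests: dict, min_sources: int = 2):
    """Return (accepted, reason).

    manifests maps a source label (e.g. "vendor", "mirror") to a dict of
    artifact name -> expected SHA-256 hex digest. Every source must list
    the artifact and agree with the digest computed from the bytes.
    """
    computed = sha256_hex(data)
    agreeing = 0
    for source, manifest in manifests.items():
        expected = manifest.get(name)
        if expected is None:
            return False, f"{source}: no entry for {name}"
        # constant-time comparison so timing does not reveal how many leading hex chars matched
        if not hmac.compare_digest(expected.lower(), computed):
            return False, f"{source}: digest mismatch for {name}"
        agreeing += 1
    if agreeing < min_sources:
        return False, f"only {agreeing} source(s) checked, need {min_sources}"
    return True, computed


# --- constructed fixtures -------------------------------------------------
ARTIFACT = "example-tool-1.2.3.bin"
GENUINE = b"example-tool-1.2.3:" + bytes(range(64))
TROJANISED = GENUINE + b"injected-loader"  # stands in for a poisoned build

# Digest published by the vendor's update server and, separately, by an
# out-of-band channel such as a signed release note or independent mirror.
MANIFESTS = {
    "vendor": {ARTIFACT: sha256_hex(GENUINE)},
    "mirror": {ARTIFACT: sha256_hex(GENUINE)},
}

# Scenario from the passage: the vendor's own channel is compromised and
# now advertises the trojanised build, but the independent mirror is not.
POISONED_VENDOR = {
    "vendor": {ARTIFACT: sha256_hex(TROJANISED)},
    "mirror": MANIFESTS["mirror"],
}

if __name__ == "__main__":
    cases = [
        ("genuine, two sources", GENUINE, MANIFESTS),
        ("trojanised, honest sources", TROJANISED, MANIFESTS),
        ("trojanised, vendor channel poisoned", TROJANISED, POISONED_VENDOR),
        ("genuine, vendor only", GENUINE, {"vendor": MANIFESTS["vendor"]}),
    ]
    for label, blob, sources in cases:
        ok, reason = verify_update(ARTIFACT, blob, sources)
        print(f"{label:38} -> {'ACCEPT' if ok else 'REJECT ' + reason}")
```

The check raises the bar rather than removing the risk: if an attacker controls the build pipeline itself and every channel publishes the same poisoned digest, as a fully compromised vendor could, the two manifests will agree and the update is accepted. In production the second source would be a detached signature verified against a key pinned at first install, not merely a second copy of the hash, and the installer would also refuse to run an update whose manifest entry is missing rather than fall back to the vendor channel alone.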

Cyber war games simulate the experience of a real cyber-attack, enabling organisations to test their cyber response procedures, capabilities and governance in a safe and controlled environment.

Cyber war games differ from traditional penetration testing, which typically looks for vulnerabilities in IT systems, networks and websites. Cyber war games are a much more involved exercise, aimed at testing an organisation’s overall response to a cyber incident, including the decision making of senior managers and the effectiveness of communications.

War games use specially developed scenarios – like a malware or spear phishing attack – to simulate an incident. Exercises range from a simple ‘table top’ exercise to a full-blown simulation. In the former, participants are briefed on the attack scenario, whereas participants in a full simulation are given very little information and have to work through problems as they arise.

The exercise should be cross-functional, involving IT, risk management, business continuity, legal, corporate communications, marketing and customer care. This helps build relationships in advance of a cyber incident and tests the flow of information, including an organisation’s ability to share information effectively and quickly, both internally and externally.

Companies can employ a third party to design and run the war game on their behalf. War games can involve an organisation’s key business partners, suppliers and contractors, and can incorporate third party services, including breach response, crisis management and even insurance.

WHY JLT

Financial Institutions

We are aware that you have a choice of who represents you, so why choose JLT?

  • We stay close to the pulse of the vibrant London insurance market and leverage our relationships and knowledge
  • Our deep technical knowledge means that we do not accept any insurer's standard policy form and will work tirelessly to ensure you receive a differentiated result
  • Claims advocacy is a vital part of our offering to clients. We link it to placing and wording to ensure that clients receive a full circle and joined up approach. Our claims advocates will provide you with tailored policy wordings, advising you about notification and coverage, and work with you and your insurers to achieve successful resolution of all claim-related matters
  • We host training workshops and establish regular meetings with clients
  • We create content that highlights the latest risk trends and aims to simplify concepts that may seem confusing to individuals with limited experience in technology. This includes our monthly newsletter, Cyber Decoder, in-depth whitepapers as well as a wide range of educational videos and materials
  • We know we can’t do it all (penetration testing, incident response drilling, technical security advice) and so we seek unique partnerships, to bring you cutting edge solutions.

CYBER LOSSES

FINANCIAL INSTITUTIONS

Banks and financial institutions, in almost 30 countries, had over USD 1 billion stolen over the course of two years from 2012 to 2013. Hackers were able to achieve this by sending a series of phishing emails to unsuspecting employees. Once opened, the hackers were able to access the financial institutions’ accounts and transfer funds fraudulently.

US BANK

In 2014, a large American investment bank was the victim of a cyber attack which is thought to have affected the accounts of 76 million households and 7 million small businesses. The attackers gained access by hacking into the computer of one of the bank’s employees. The hack, which could have been stopped but for an overlooked network that had not been upgraded and a stolen password, began in June but was not discovered until July.


ASIAN BANK

In February 2016 hackers attempted to steal USD 951 million from an Asian Central Bank. The Federal Bank of New York was able to block the majority of transactions. However, they were unable to prevent USD 101 million being taken. The heist was executed by issuing payments via the SWIFT Network. There is evidence linking the attack to North Korea as the code used in the attack matched the code used in attacks on South Korean banks and media companies in 2013.

INSURANCE COMPANIES

In February 2015, a Chinese cyber-crime gang hacked into the main servers of one of the world’s leading health insurers and stole personally identifiable information. Records including social security numbers, addresses, phone numbers and email addresses were among the data compromised in one of the largest data breaches seen in the financial services industry. The total number of those affected was reported at around 80 million, with 250,000 other companies affected by the breach.

