Developing a Cyber-Risk Framework

May 27, 2015

Interest rates are interesting, but cybersecurity is rising to the top of priorities for treasurers.

[Editor’s note: this is the first article in a series on cyber risk. A second article in the series is available here.]

Forget about fluctuating interest rates and currencies, or new regulations and accounting guidelines—been there, done that. Treasurers representing a broad range of Fortune 500 companies at a recent NeuGroup T30 meeting candidly acknowledged that cybersecurity—a still new and rapidly evolving threat—is an issue, including how insurance fits into the mix; all of which many say they can’t yet wrap their arms around fully.

“We get attacks all the time, mostly out of China, and we just don’t know where the next attack is going to come from,” said the treasurer of a major industrial company, adding that the company has taken an interdisciplinary approach involving the CIO, CFO and head of enterprise risk management in an effort to talk through all the potential issues and risk exposures.

“We’re trying to make sure we’re thinking about the issue broadly—about what could happen—and we want to do whatever we can to have the appropriate defenses and awareness,” the treasurer said. “We don’t know if we’ve gotten our arms around it.”

The treasurer of a high-end consumer goods company hired an outside firm to perform a breach study to determine weak points, developed a framework to elucidate the level of security it should aim for, and purchased cyber insurance last year. “We think we have a little bit of a handle on that now,” the treasurer said.

Multi-step process
Developing that framework is a multi-step process, and determining the need for cyber insurance is one of the last steps. Cyber policies today mostly cover breaches impacting personal identification information (PII) or personal health information (PHI), and companies’ crime and property policies often cover some other cyber-related risks. Only recently have cyber policies been structured to address risks involving fund transfers and other exposures more directly concerning corporate treasuries, although major gaps, such as intellectual property theft, still exist.

The pre-insurance steps companies must take are not only critical for insurers to even consider providing insurance but also for companies seeking to build effective defenses.

“We believe that cyber insurance is an important market force that can drive improved cybersecurity for companies—and thus improve protection to consumers and the nation as a whole,” testified Ben Beeson, senior vice president of cybersecurity and privacy at insurance broker Lockton Companies, before the Senate Committee on Commerce, Science, and Transportation, in March. “It should not just be seen as another insurance transaction. As the cyber insurance market develops, it will provide incentives for companies to understand and mitigate their risks.”

Kevin Kalinich, global practice leader, network risk and cyber insurance, at Aon Risk Solutions, said that a company’s first step toward developing a cybersecurity framework is identifying its unique exposures, beyond PII and PHI. Those exposures can include the impact from the company’s supply, distribution or logistics chains breaking down, or its website crashing and prohibiting it from conducting e-commerce. In the case of treasury, hackers may steal account information and redirect electronic payments away from their intended destinations, absconding with funds. Or if the company’s bank payment system is breached it could find itself unable to make critical payments—treasury’s modus operandi.

“There’s modeling available now that puts those risks into the proper context and can give a company Monte Carlo simulations of exposures for one-year, 50-year and 100-year events,” Mr. Kalinich said.

The second step, said Kalinich, is identifying the frequency and severity of those exposures. Risk mitigation follows, extending well beyond information-technology (IT) security to implement risk-management best practices throughout the company, including training the company’s own employees as well as those of vendors, so they understand which parts of the company’s network they have access to. He noted that J.P. Morgan did a “tremendous” job segregating critical information inside its database, so while 76 million customer accounts were accessed last fall when its network was breached through a neglected server, customers’ vital information remained safe.

“It wasn’t the passwords, account numbers or PIN numbers [that were stolen]—information that could be used to transfer funds,” Mr. Kalinich said, adding it was customer contact information, which could still be painful but posed no threat of account losses.
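As an added illustration of the frequency-times-severity modelling Kalinich describes (this is not Aon's model or any code from the article), the Python script below simulates annual losses from a Poisson event frequency and a lognormal per-event severity, then reads off the expected one-year loss and the 1-in-50 and 1-in-100 year losses. The distributions and every parameter value are constructed assumptions.

```python
"""Monte Carlo exposure model: event frequency x loss severity -> annual loss.
Added illustration; Poisson frequency, lognormal severity and every parameter
value are constructed assumptions, not the model the article's sources use."""
import math
import random
from typing import Callable, Dict, List, Sequence


def simulate_annual_losses(n_years: int, events_per_year: float,
                           severity: Callable[[random.Random], float],
                           seed: int = 1) -> List[float]:
    """Aggregate loss per simulated year: event count is Poisson with mean
    events_per_year (Knuth's method); each event's loss comes from the
    caller-supplied severity sampler (e.g. size of a diverted payment)."""
    rng = random.Random(seed)
    losses = []
    for _ in range(n_years):
        count, threshold, p = 0, math.exp(-events_per_year), 1.0
        while True:
            p *= rng.random()
            if p <= threshold:
                break
            count += 1
        losses.append(sum(severity(rng) for _ in range(count)))
    return losses


def return_period_loss(losses: Sequence[float], years: int) -> float:
    """Loss exceeded about once every `years` years: the empirical
    (1 - 1/years) quantile, rank computed in integers to avoid float error."""
    ordered = sorted(losses)
    n = len(ordered)
    rank = (n * (years - 1) + years - 1) // years - 1
    return ordered[max(0, min(rank, n - 1))]


def exposure_summary(losses: Sequence[float]) -> Dict[str, float]:
    """One-year expected loss plus the 1-in-50 and 1-in-100 year losses."""
    return {"expected_annual": sum(losses) / len(losses),
            "1_in_50_year": return_period_loss(losses, 50),
            "1_in_100_year": return_period_loss(losses, 100)}


if __name__ == "__main__":
    # Constructed placeholders: 1.5 payment-diversion attempts a year,
    # per-event loss lognormal with median ~$200k and a heavy tail.
    sample = simulate_annual_losses(
        10_000, 1.5, lambda rng: rng.lognormvariate(math.log(200_000), 1.2))
    for name, value in exposure_summary(sample).items():
        print(f"{name:>15}: ${value:,.0f}")
```

Swapping the severity sampler for an estimate drawn from the company's own payment sizes is what turns this from a toy into a treasury-specific figure that can be compared against policy limits.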

Hacking for dollars
Todd Waskelis, executive director, AT&T Security Consulting, said cyber attacks by state sponsors or financially motivated underground organizations are difficult to thwart because those adversaries are well funded and have very specific goals. A large number of attacks, however, still occur via phishing, in which cyber criminals attempt to gain user names, passwords and other key information by masquerading as a trustworthy person or entity in an electronic communication. Social media has enabled them to identify executives online and develop realistic communications impersonating that person to capture information. However, exposure to that type of cyber risk can be mitigated by properly managing emails.

“Stopping phishing emails at the perimeter of a company’s network, before they get to users, is important. And companies like AT&T have tools to identify nefarious sources and implement controls to help route traffic away from those destinations,” Mr. Waskelis said.

Another step is planning for when breaches occur. Jeff Diorio, managing director at Treasury Strategies, said that a year ago insurers mandated rigid defensive requirements companies had to follow to get cyber coverage, but they’ve since accepted breaches are inevitable.

“You still have to have those defenses in place, but now you need to have a way of identifying breaches as soon as they happen and having an action plan to respond to and mitigate them,” Mr. Diorio said.

He noted one client’s bank had experienced successive denial-of-service attacks, rendering its payment system inaccessible for a period of time and causing a delay in crucial daily payments. The client established shadow accounts with another bank, so if one bank’s system was compromised it could still make payments. And to counter the possibility of a denial-of-service attack against the bank or internal client systems, it arranged to physically locate a treasury executive at a terminal at the bank should such an attack occur.

“That’s a bit of old-school disaster recovery, but it still works,” Mr. Diorio said.

Seeking indemnification from third parties the company does business with is another important component.

“If the bank itself suffers a breach, the company using that bank really needs to ensure there is some kind of indemnification in place – that the bank has some kind of bond or other crime product to cover the loss of funds, or that it’s adequately capitalized to cover a catastrophic event where funds have gone missing,” said Matt Donovan, global practice leader, technology and privacy, at specialist insurer Hiscox.

Protection across the chain
The same applies to vendors that companies outsource services to, such as the treasury risk management systems treasury departments often use through software-as-a-service agreements. Companies must clarify in their contracts with third-party providers where the liability lies, and whether a vendor holding liability has the wherewithal to cover potential losses if it is breached. Retailer Target’s network was breached last November, for example, when credentials to access it reportedly were stolen from Fazio Mechanical Services, a third-party provider of refrigerator units.

And before deciding whether to buy cyber insurance, a company must look at its existing coverage. Crime policies, for example, may cover some losses stemming from fund transfers that are fraudulently diverted to hacker accounts, while property policies can cover losses from breaches that shut down business.

“Companies should engage their insurance brokers to look at their existing insurance to analyze coverage under property, general liability, crime, professional liability, and possibly kidnap and ransom policies,” Kalinich said. “And they need to determine what is the total cost of risk, and how their bottom line could be affected by those vulnerabilities. Only then do they need to re-engage their insurance brokers to find out what’s available to fill those gaps.”

(Up next: The second part of this series that will explore the policies available today to cover cyber risks, especially those stemming from corporate treasury).
