Are your financial institution’s computer systems impenetrable? Even if you have the most state-of-the-art security controls, your customer and corporate assets could be at risk.
Property policies work well for physical damage to computers, and for the resulting business income and consequential loss, when the cause is loss of or damage to tangible property. Cyber and fraudulent funds transfer exposures are addressed in other policies.
Most financial institution bonds today include coverage for:
- Theft of electronic data or property by hackers.
- Damage or destruction to electronic data or computer programs resulting from hackers.
- Computer viruses and employee sabotage.
- Fraudulent funds transfers initiated by phone, fax, email or internet access.
F.I. bond policies outline your responsibilities on wire transfers, such as callbacks, written agreements, etc. Under the bond, carriers carve out (exclude) account takeover. If your customer’s computer is compromised, there may not be coverage. Your customers can also purchase their own cyber policy designed for their business exposure.
Cyber risk policies are written to cover liability, mitigation expenses, and income loss if your customer’s information is compromised. Every policy includes exclusions. Cyber policies do include access to a breach response firm to assist and guide you.
There are broad-form policies available today from major carriers specializing in insurance for banks. These policies take the coverage another step further to also cover losses from:
- Invasion of privacy, including information contained on phones and other devices.
- Libel, slander, defamation or other oral or written disparagement.
- Loss or damage to electronic data of a customer or passing on a virus.
- Denial, impairment or interruption of service.
- Cost of new hardware, software, and bricked equipment.
- Unauthorized access to a customer account.
- Vandalism — hackers and crackers.
- Social networking liability and e-risk extortion.
- Security breach expense, public relations expense.
You might assume your bond or cyber policy covers all of the above. However, you may want to request that your insurance agent take a closer look. Together, you can determine what coverage you really need and what you are willing to pay for the additional options.
INTERNET BANKING — Risk Management
Conducting business over the Internet, sending confidential information online, or even just hosting an informational website puts your financial institution at risk for fraudulent and criminal acts.
Insurance carriers specializing in depository institutions ask that you complete questionnaires as part of the underwriting process.
These questions come from the insurance company’s loss history and are intended to help the company, and you, determine where there may be exposure.
I.T. auditors and consultants also bring up various issues to help with risk management. You can ask your staff many questions to determine if there are any gaps in your loss control program. The following are just a few questions to include in a self-assessment tool. More procedures and controls are available upon request, along with examples of losses.
- Are employees working from home using bank-owned computers?
- If the website links by any means to any other website, has permission been granted or a link license been obtained?
- Does someone regularly review activity on social media?
- Are logical access controls (user IDs and passwords) in place to allow only authorized employees to access the network? Are the passwords changed every 120 days?
- Is the website’s content reviewed to ensure mandatory legal disclosures and relevant regulatory and compliance issues have been adequately addressed?
- Has the internet banking strategic/business plan been reviewed and approved by the board of directors annually?
- Has the disaster recovery plan been modified to include internet banking and other electronic activities?
- Have the internal and external audit programs been updated to specifically address internet banking and electronic activities?
- Is software used to manage or monitor employee email content, file downloads, or unsolicited email (spam) activity?
- Has publicly obtainable information such as date of birth, social security number, mother’s maiden name, etc. been removed from the list of authentication options?
- Are exception reports generated and reviewed daily, which would reveal: (1) restricted transactions, (2) correcting and reversing entries, and (3) unsuccessful attempts to access the system or restricted information?