Insurance can help if an attacker gets through.
Mobile devices are practically an extension of the human body. People use them for everything from browsing real estate to changing the channels on their televisions. They use them for financial transactions, too—but that convenience comes with risks for them and for their credit unions.
“One of the softer entry points into the infrastructure of the financial institution is through mobile devices,” says Jeff Chesky, president/CEO of Insuritas, East Windsor, Conn. He says most CUs worry about authentication security, but there are other areas of concern as well.
“You know how everyone uses flashlight apps when they’re at a restaurant?” he asks. “That’s one of the classic breach examples I’ve actually seen live. Some of those apps have been built by hackers in Asia. They sound benign—they make the light go on!—but in the meantime, there’s software inside the mobile device that’s picking up your authentication codes to get into secure areas of your life.”
Stu Sjouwerman, founder/CEO of KnowBe4, a Tampa Bay, Fla.-based security awareness training firm, says 20 years ago, firewalls kept bad guys out of companies’ computer systems. With the advent of mobile devices, that perimeter no longer defines the boundary; the users are the firewalls, and they’re often not very good ones. People can be fooled, and an IT department that once patched a known set of software cannot keep up when every user can install any of an almost unlimited number of apps.
“The internet is moving to mobile, money is moving to mobile, and cybercrime is moving to mobile in a big way as well,” he says. “There are dedicated Russian cybercrime gangs that are specifically developing code for mobile. They are specifically focused on banking Trojans. They send you an e-mail, and if you tap on the link, you infect your mobile device with code. You go to your online banking, but in reality the screen you get is their screen. You type in your credentials, and those credentials get sent to the bad guys. Then they loop you through to the actual site so you never know that your login was captured. Finally, once you are done with your online banking, they go back in and transfer your accounts to accounts that they control.”
And then there’s the way mobile devices work in the first place: over the air, by radio. Anyone within range who listens on an open Wi-Fi hotspot, or who controls or imitates the access point, can capture the frames a phone sends and read whatever the app did not encrypt. Credentials that an app sends over plain HTTP are readable to such an eavesdropper; so are credentials sent over HTTPS if the app fails to verify the server’s certificate, because an attacker on the path can then present a certificate of his own.
Encryption itself is not the weak point; the algorithms used by modern TLS are not practically breakable. The weak points are in deployment. Wi-Fi link encryption protects only the hop between the phone and the access point and is absent on open hotspots; legacy schemes such as WEP are broken; and a hotspot password handed to every customer in the café is no secret from the person at the next table, who can decrypt other clients’ traffic after capturing their handshakes. A virtual private network closes off the local network by tunneling all traffic to a trusted endpoint, which is why it is the standard advice for banking over public Wi-Fi. It does not fix an app that mishandles TLS, since the traffic leaves the tunnel again on the far side.
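To make the contrast concrete, here is an added example in Python (not from the article or from any vendor named in it): a small classifier that, given one captured TCP payload, reports what a passive listener on the same Wi-Fi network can read. Both payloads are constructed for this demonstration, the hostname mbanking.example is made up, and the TLS record carries placeholder bytes in place of real ciphertext.

```python
"""
Constructed example: what a passive eavesdropper on a shared Wi-Fi network
gets from two captured application payloads, one a plain-HTTP login POST and
one the same login carried inside a TLS record. Nothing here comes from a
live network; both payloads are made up for the demonstration.
"""
import struct
from urllib.parse import parse_qs

# TLS record content types (RFC 5246 / RFC 8446); 0x17 is application data.
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ")
# Form field names an eavesdropper would go looking for.
SENSITIVE_FIELDS = {"password", "passwd", "pin", "otp", "token"}


def classify_payload(payload: bytes) -> dict:
    """Return what a passive listener learns from one captured TCP payload."""
    # TLS record header: content type (1), version (2), length (2). Everything
    # after the header is ciphertext, so only type, version and size leak.
    if len(payload) >= 5 and payload[0] in TLS_CONTENT_TYPES and payload[1] == 0x03:
        length = struct.unpack("!H", payload[3:5])[0]
        return {"protocol": "tls",
                "record_type": TLS_CONTENT_TYPES[payload[0]],
                "ciphertext_len": length,
                "exposed_fields": {}}

    # Plain HTTP: request line, headers and body are all readable as sent.
    if payload.startswith(HTTP_METHODS):
        head, _, body = payload.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        request_line = lines[0].decode("ascii", "replace")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        fields = {}
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            fields = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
        exposed = {k: v for k, v in fields.items() if k.lower() in SENSITIVE_FIELDS}
        return {"protocol": "http",
                "request_line": request_line,
                "host": headers.get("host"),
                "fields": fields,
                "exposed_fields": exposed}

    return {"protocol": "unknown", "exposed_fields": {}}


# Constructed sample 1: a login form posted over plain HTTP (hostname made up).
PLAIN_HTTP_LOGIN = (
    b"POST /mobile/login HTTP/1.1\r\n"
    b"Host: mbanking.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 47\r\n"
    b"\r\n"
    b"username=jdoe&password=Summer2017%21&otp=482910"
)

# Constructed sample 2: a TLS 1.2 application-data record of 71 bytes. Zero
# bytes stand in for the ciphertext; a real record would be opaque anyway.
TLS_LOGIN = b"\x17\x03\x03" + struct.pack("!H", 71) + bytes(71)


if __name__ == "__main__":
    for label, pkt in (("plain HTTP", PLAIN_HTTP_LOGIN), ("TLS", TLS_LOGIN)):
        print(label, "->", classify_payload(pkt))
```

The HTTP case hands the listener the username, the password and the one-time code in one read; the TLS case yields only the record type and its length. Two caveats a practitioner would add: TLS still exposes the destination address, the server name in the handshake and the traffic volume, which the classifier does not attempt to hide, and an active attacker who can get the app to accept his own certificate turns the second case back into the first.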
“My recommendation to anybody is never do any financial transactions on a wireless device unless it’s credit card and you are protected against fraud by the card company,” says Sjouwerman. “I’m well aware of the somewhat controversial nature of this statement. But I’m talking about security only. I have more than 1,000 credit unions as my customers, so I know this business well.”
Of course, mobile banking is a fact of life, so Sjouwerman knows his recommendation won’t be implemented. Since CUs aren’t going to get rid of their mobile apps, what can they do to reduce their mobile-device-related risk? They can take precautions, and they can buy cyber insurance for when those precautions fail.
The Fine Print
Cyber insurance isn’t new, of course. But the ever-increasing prevalence of mobile banking means CUs should pay very close attention to what’s covered and what isn’t.
“The number one thing is, don’t buy on price alone,” says Jim Hunt, commercial underwriting specialist at CUESolutions provider CUNA Mutual Group, Madison, Wis. “You want to look at what kinds of coverage agreements there are. Do you have security breach liability? Do you have extortion threats? Do you have public relations expenses? Do you have security breach expenses?
“If you do programming for other credit unions, which, for example, some CUSOs do, are [losses related to those relationships] covered? And you want to look at your limits to see if they’re going to be adequate. If you have a limit of $100,000, that’s not anywhere near sufficient to cover something catastrophic.”
Sjouwerman says to watch out for deliberate exclusions that might leave you high and dry. “Cyber insurance policies generally focus on what we call technical controls, meaning making sure you patch all the software on a frequent basis, making sure you investigate your firewall logs on a frequent basis,” says Sjouwerman. “In many cases, in the fine print, it specifically excludes errors made by humans. So if you are buying cyber insurance, you want to make triple sure that human error is included in the policy.”
Including human error is critical because a large share of security breaches result from social engineering. In other words, people are manipulated into circumventing security on behalf of criminals. Because humans are more fallible than computers, this type of breach represents a huge exposure for insurers, and that’s why they prefer to specifically exclude it. Credit unions should negotiate on this point.
“I would strongly recommend that it needs to be negotiated on a case-by-case basis,” stresses Sjouwerman.
Another point to study is how the policy regards attacks from overseas.
“Historically, if a foreign government takes action against a business, it’s an act of war, and ... excluded from insurance policies,” explains Scott Simmonds, an independent insurance consultant based in Gulfport, Miss.
Simmonds says his company discussed this problem with Beazley, London, one of the largest providers of cyber liability coverage for CUs, and the company removed the exclusion. Other insurers have followed suit. But because of the pervasive threat of international hacking, it’s extremely important for CUs to make sure of this point.
“There are at least 40 active cybercrime gangs in Russia,” Sjouwerman notes. “You would want to have that specifically included on your cyber liability policy as a scenario that is likely to happen and that you want coverage for, and negotiate a price.”
The state of New York recently passed rules requiring state-chartered financial institutions to meet minimum standards for cybersecurity for their customers, and to carry adequate cybersecurity insurance coverage. Like California, New York is a bellwether state, often signaling the regulatory direction other states will follow.
Insurance company Assurant, New York, responded to this legislation by forming a partnership with cybersecurity firm SnoopWall, Nashua, N.H. Assurant offers a cyber policy with attractive pricing to banks and CUs that agree to install SnoopWall’s front-end cyber defense tools on the institution’s infrastructure. It’s a win-win, Chesky says, and is a model that will almost certainly be emulated by other insurers in months and years to come.
“It’s very similar to when car insurance carriers say ‘Let’s put telematics in the car so I can see how lawfully the driver drives,’” he says. “They’re willing to drive down the risk cost because they have independent data. They know the financial institutions have met a minimum standard of cyber protection. It’s the right thing to do for carriers to work in partnership with financial institutions when there’s so much risk, and so much reward [for criminals] if they can hack in.”
Indeed, Sjouwerman says Beazley has struck a similar relationship with KnowBe4, giving customers a discount if they use what KnowBe4 calls “new-school” security awareness training. At the same time, the insurer is asking financial institutions to enroll their employees in that training to reduce the risk of social engineering breaches.
These partnerships benefit both sides: financial institutions get higher security and lower premiums, and insurers are able to better limit and quantify their exposures, giving them incentive to stay in the market and deterring them from lobbying for strict legislative caps on cyber insurance settlements.
With so much change in mobile technology and the insurance marketplace, insurance experts strongly recommend revisiting your credit union’s cyber liability policy at least every three years—possibly more often. Coverage will change in response to current events. So will rates.
“This isn’t like houses burning, where we have 100 years’ worth of data and can say ‘Every year 10 buildings are going to burn, so we need this amount of money,’” says Simmonds. “The threat continues to evolve. New ways of being bad are being developed all the time.”