Christine Marciano, CIPP/US
Data Privacy/Cyber Risk Insurance Specialist
Long gone are the days of bank robbers tunneling their way into bank vaults, stealing bundles of money and jewels. While these incidents still happen, they have become fewer and farther between.
For instance, in 2015 in a remarkable heist, crafty burglars drilled an enormous hole through a vault in order to ransack a safety deposit box vault, making off with more than $300 million in jewels. In 2016, just a year later, today’s bank robbery is quite different.
While today’s bank robbers are still crafty, they have become more high tech, and opportunistic tunneling their ways into a bank’s digital environment via the internet without being noticed or sounding off any bank alarms and stealing large sums of money than was ever physically possible. Take the recent Bangladesh Bank – February 5, 2016. A group of international robbers allegedly with the aid of some influential officials of the Government of Bangladesh stole as much as $101 million foreign reserve of the central bank named ‘Bangladesh Bank’ from its account at the US Federal Reserve Bank. According to a Bangladesh Bank spokesman, a group of robbers hacked the security system of the bank online in early February and stole credentials for payment transfers. Surprisingly, what sounded off the bank’s alarm, was a “typo” and not a security alarm or intrusion detection software. A spelling mistake in an online bank transfer instruction helped prevent the nearly $1 billion heist. Though the unknown hackers still managed to get away with a significant amount of money before the spell checker system caught the incident. This bank robbery is now considered one of the largest known bank thefts in history, and the burglars never stepped foot into the Bangladesh Bank.
According to news reports, Bangladesh Bank said it has recovered some of the money that was stolen and stated there is little hope of ever catching the hackers, and it could take months before the money is recovered, if at all.
Security experts said the perpetrators had deep knowledge of the Bangladeshi institution’s internal workings, likely gained by spying on bank workers. Indeed, Jesse James and Willie Sutton would have been envious of such a scheme.
How can banks and other organizations prevent these types of attacks? Well, besides making sure you have a good spell checker system that can proofread transfer requests, and systems in place to prevent such incidents from happening in the first place, a security framework that focuses on “identification, protection, detection, response, recovery –and- risk mitigation is needed in today’s evolving risk environment.
Nonetheless, cyber insurance has become the center of attention in risk mitigation. Organizations that have security procedures, policies and protocols in place and are aligned with a security framework (Ie, "NIST CSF" or ISO 27001), and have conducted a risk assessment, are still exposed to financial liability “when” and “not if” a breach of security incident happens. When one happens, the question many organizations are now asking is “How much cyber insurance should we purchase, and what do we need to do to qualify?”
If we have learned anything from the litany of never ending network security breaches is that security is not guaranteed, nor can it prevent every single incident. And, as cyber insurance has evolved, and with over 50+ cyber insurance policies to choose from, no policy is the same, nor can cyber insurance protect an organization against every single incident.
This is why working with an experienced specialist cyber insurance broker is crucial and should be a requirement for those organizations that are exploring cyber insurance for the first time, or already have a cyber insurance policy. In today’s complex and evolving risk environment, no matter how much money you invest in security, the same can be said about cyber insurance….. if you don’t have the right policy or broker in place, your organization is leaving its financial liability openly exposed due to a cyber insurance policy that is poorly designed and perhaps full of exclusions that were not explained.
Indeed, cyber insurance is here to stay, and with cyber insurance claims on the rise we will certainly see many more insurance claims end up in court battles with “Insured vs. Insurer” and vice versa. This is why working with an experienced specialist cyber insurance broker is needed before an organization purchases a cyber insurance policy, and even after having done so, as risk evolves so should cyber insurance.