Increasing cyber risks mean financial institutions must up their game to protect their data, reputation and bottom line. How are institutions that want to innovate doing so with a strategic risk-based approach? And how does technology fit into it? We invited two industry experts to share their perspectives as well as the most significant trends and challenges in Cybersecurity Insurance and IT Governance. All this and more in this insightful episode of Fintech Focus.
Transcript:
Laura Sewell (LS): In recent years, digital transformation and growth in the financial sector have coincided with the increase of cyberthreats, and regulators are taking note.
Saxon Prater (SP): To combat the trend, they’ve placed greater emphasis on cybersecurity compliance and expecting institutions to maintain a secure IT infrastructure.
LS: These growing complexities of technology compliance compose a challenge for in-house staff at financial institutions, especially for those that wish to grow and scale.
SP: So how are institutions that want to innovate doing so with a strategic risk-based approach?
And how does technology fit into it?
LS: We’re talking today with Zack Duke, founder and CEO of Finosec, a provider of automated governance programs designed to help manage information security and cyber security about the trends in cybersecurity compliance, risk and IT governance.
Zack Duke (ZD): Typically, institutions are really good at managing risk. Cyber, I think it’s a little more scary or maybe they’re not as familiar with the controls, but the same concepts apply.
SP: We also invited CSI, Manager of Strategic business consulting, Steven Ward, who leads CSI’s IT governance program to offer his perspective on what financial institutions should be doing to meet business objectives.
Steven Ward (SW): Everyone is going to have to really pay much much closer attention to this. It’s going to get bigger, the ramifications from it I think are going to get larger and I think there’s probably going to be possible fines. And even further, people aren’t doing what they need to do.
LS: I’m Laura Sewell.
SP: I’m Saxon Prater and this is Fintech Focus from CSI.
LS: Zach and Steven, welcome and thanks for joining us today on Fintech Focus.
ZD: Thanks for having me.
LS: Absolutely.
SW: Thank you. Pleasure to talk with you.
LS: Steven, given the industries massive focus on cybersecurity and protecting your business, we’re going to get into the nuts and bolts of cyber security compliance and IT governance today. But first I wanted to touch on a hot topic you’ve mentioned to us in previous conversations that’s really at the forefront of a lot of bankers’ minds, and that’s cybersecurity liability insurance or cyber insurance as some call it. What exactly does that entail and why is it such a big deal right now?
SW: Well, I think what we’re seeing is the sheer volume of this type of activity in the criminal side of things is really causing the carriers to rethink their risk profile and that’s causing them to put a lot of pressure back on the insured, the institutions, as to the controls they have and how well defended they are against this type of attack. It’s an expense. There’s obviously a risk factor involved here in multiple layers from financial to reputational. And it’s something you really can’t do without. I think everybody would agree on that.
So, when you look at the what the carriers are doing, what the insurance providers are doing and how they are feeling pressure and how they are becoming more stringent on this, you look at the threat landscape, you look at the complexity of IT, attack vectors are ever increasing. I think you really have to have guidance – some people looking at this at a broader level and talking to a lot of different institutions about what they’re seeing and what’s actually happening live on the ground.
Zach and I both can tell you horror stories of things that have happened in institutions because they did not have the coverage, they thought they had and/or they did not have the controls in place that they thought that they had. Zach, you speak on this all the time. What is your take then?
ZD: Yeah, I think it’s really, foundationally a challenge. We see where, you know, a lot of institutions there’s this assumption. And every time I say assume I go back to my 6th grade teacher who wrote “assume” up on the chalkboard and she circled the “u” and it just it makes me pause.
There’s a dynamic here of what are we really paying for when you look at cyber insurance? Well, the first piece of that is the questionnaire related to cyber insurance. How does the process get qualified? And the number of pages and the number of questions is greatly expanded. We’ve seen over the last several years that went from about a page and a half to over six pages of questions that you need to have to get coverage.
At the same time, we’re seeing a consistent trend when attacks happen of coverage maybe being denied…additional processes that the institution has to go through to be able to validate or do an attestation. And the real challenge here is everything that you have on your questionnaire that you say yes to, you have to have a process to be able to document and validate it related to that cyber insurance. And there are real challenges as you look at your institution of thinking that maybe I’m covered, but maybe you may not be based on those questions.
The other component that I see kind of time and time again, there’s been a couple of kind of precedent cases where institutions have been compromised. In one case there was an institution that was actually compromised several years back. $2.4 million dollars was stolen. Shocking? Not really at all. The hackers got in through a series of email phishing attacks and then they went laterally, and they were actually able to go and get into their debit card systems and they stole the $2.4 million dollars. So initially, the cyber company or cyber insurance company actually paid the institution $2.3 million dollars, essentially $100,000 deductible. What made it real is fast forward about a year later, that same institution got sued by the insurance company saying that we cover that under your cyber intrusion policy, but in reality, we should have covered that underneath your debit card rider. Good news, it’s a $0.00 deductible. Bad news, that’s a $50,000 dollar maximum – you owe us $2,250,000 dollars.
And that all of a sudden changes the conversation around cyber and threats and risks and regulatory to a true business discussion. If you think about next quarter, your institution takes a loss like that, that is not insignificant. That’s really where in conversations that we see there’s a need and a process related to the governance of your cyber insurance questionnaire and review process.
LS: Was the institution in the wrong or is the insurance company correct and what could have avoided that shock of having to pay that money back?
ZD: Yeah, so the first thing is definitions matter. As we speak, I’m working through the process of having hail damage in my house and it’s a great example. Insurance companies are in the dynamic of paying out less than they could get in premiums. That is their business model. So, the first piece with that example that I was talking about that institution in that case, it was actually definitions of policy.
What we’re seeing, though is there’s actually another precedent case around multi factor authentication where it wasn’t a financial institution, it was actually a manufacturing company that wasn’t paid out last year because they didn’t have multi factor authentication fully enabled. They said they did on their questionnaire, but they did not actually have it correctly implemented. So, I think there’s a blend of the risks associated and ultimately as the dollar amounts go up in the cost of responding to the breach, the bigger the risk is both for the insurer of paying it out, but also in turn the institution on definitions or documentation.
I use this analogy on what we’re seeing with the attestation or the validation. It’s very common post-breach for the cyber insurance company to want for you to go take that questionnaire that you fill out every year for coverage and be able to go and validate everything that you said yes to with documentation.
SW: Right. What we’re seeing in that area, Zach, all the time, first of all the longest attestation, the longest request we’ve seen we just had a client that received one that was 30 pages long. It’s unbelievable what they’re asking for. The regulators don’t ask for as much as these people are asking for.
I think Zach’s absolutely right. Definitions matter, so it’s a matter of, first of all, understanding what actually is in that policy and having that conversation with the provider. Exactly what does this coverage mean? What will you pay for? What will you not pay for? Where is that in writing? What constitutes it? Is this hail damage or is this wind damage? I think you have to have those hard conversations with them and look at your policy very carefully and figure out what exactly is it covering here.
Of course, the other thing is if it never happens in the first place, if we can prevent it from happening and begin with, then we’re never going to have to have this conversation with them. So, I think that goes back to understanding really what your risks are, what your controls that are in place and are they adequate. As Zack said no matter what if it does occur, they’ll ask you the whole question again, it’s not going to just be in the area of the of the breach or the area of the loss. They’re going to ask you to reverify everything that you said on that.
My consultants have an inside joke where everybody kind of laughs and says, you know what, that attestation is the first form in a claims denial process. If they find anything in there that you can’t prove that you’re doing that you said you’re doing, well that’s going to complicate that conversation. So, you really have got to know what your risks are and what your capabilities are. And do you really have these controls in place and are you testing those controls? Can you confirm those controls are effective? And don’t you think that’s true, Zach?
ZD: Yeah, you know, I was thinking as you were talking about it, it’s like this one makes the middle vein in my forehead start pulsating. So I was at a conference, I was actually doing a presentation on cyber insurance. This was actually middle last year and one of the bankers raised their hand and said, hey, my cyber broker told me to say yes to a question on the questionnaire that I did not have, and they told me I needed to do that to make sure I got coverage. And thank goodness the institution didn’t do that. And they had active conversations on if they should change the broker because sometimes this gets bundled into bond and fidelity and a whole bunch of other things inside the institution and there’s significant business risk related to that. It’s like, how does somebody tell somebody to say yes to something like this on a questionnaire when it’s putting the institution at significant risk?
And I think that’s part of the overall challenge. And I know we’ll talk about regulatory and governance and processes as we go through the conversation, but that cyber insurance is a true business risk that’s just different when you start talking about the true financial impact potential for the institution.
SW: Right. And if you look at the most recent news stories around the SEC and what’s happening with CISOs, where they’re going back on some of these large tech companies. They’re bringing criminal charges and civil cases in a lot of instances. So obviously, if you don’t have that control, you can’t say you have it. If they’re pointing out you should have it, you either have to say, well, we’re either willing to accept that risk or we’re going to mitigate this in another way. But you’ve got to address it one way or the other.
I think you’re right Zach, everyone is going to have to really pay much much closer attention to this. It’s going to get bigger, the ramifications from it, I think, are going to get larger and I think there are probably going to be possible fines, and even further, people aren’t doing what they need to do. That’s a little bit outside of just the insurance piece of it, it’s hard to separate all these issues.
SP: Right. And at the end of the day, you’d probably expect the insurance company to behave as an insurance company. As Zach mentioned, that’s their business model as well. I’m wondering, are there any common exclusions that we might want to point out, you know, limitations and cyber liability policies that organizations should be aware of?
ZD: Yeah. So, I think Steven, this is a great example of really some of the benefits that you and your team deliver when you’re going through the annual review process. You know, definitions matter, and the challenge with that, I know we can kind of consistently see is verbiage, exclusions, dollar amounts are significant. Steven, you got some context on that and just kind of what you’ve seen as you and your team have been doing these reviews, helping your customers validate that insurance process?
SW: For the most part, I think that what we’re finding is…this isn’t everyone, but I think a lot of institutions are playing catch up with us somewhat. They’re a little bit unaware that this has been something that they had to have. It was like, yeah, we need to make sure that that’s added on to our policy and I think we’re now in the situation from a risk and a threat perspective that we’re, no, no, this isn’t just something, an afterthought, this has to have serious thought put into it.
And you really have to have deep conversations about, well, what would be the potential for this? What would be the ramifications if this was to happen? And the institution’s going to have to decide is that enough coverage? Nobody wants the premiums to go up, but they’re going to go up. And especially if you really start looking and figuring out well is this going to be covered and is that enough? Most of the time they have to increase it, which means it’s a cost.
So, most of the conversations are, really, well what is that? What is that coverage exactly? Now, when we walk through this with people, we do a lot of explaining. Does it have this? Are they going to cover this? Are they going to cover forensics? To what extent are they going to cover that? If you have to save all this data from a forensic standpoint, you know how are you going to get everything back in production? Are they going to accommodate what it would take to maybe do that? What exactly will they really cover? It’s usually not spelled out very well in the policies. You really have to go back to the carrier and say hey you need to elaborate here; you need to tell us more. Oftentimes some of these policies are intentionally vague in the language.
Now, there’s some people who say, well, that vagueness plays into the benefit of the insurer because, you know, you have a lot of interpretations like, well, not necessarily, it can be played both ways. They can easily say, well, that isn’t what we said, that’s not what we covered. So, I think these policies are going to have to be much more elaborate and you’re probably going to have not just a risk review, but you’re probably going to have to have a legal review of these types of things.
SP: Thanks for listening to Fintech Focus. We’re talking with Finosec’s Zach Duke and CSI’s Steven Ward about cybersecurity insurance and the IT Governance landscape.
LS: Well, all in all, proper cybersecurity insurance is part of an effective business purchase cybersecurity. So, let’s look at the bigger picture. Let’s switch over to cybersecurity compliance. Now we’re all familiar with cybersecurity and compliances as separate concepts, but how is cybersecurity compliance distinct? Zach, why don’t you start?
ZD: Yeah, so I think when you’re thinking about the concepts of regulatory in cyber terms, there’s a couple of key concepts. The first is there’s a need and a validation process of independence that’s required. And when you’re thinking about your institution and the processes involved, just like you wouldn’t have the lending team be able to go book the loan, close the loan, wire out the money, you wouldn’t have them do full life cycle. Those same concepts apply when you’re thinking about information security and cyber security, governance and risk management.
And at the same time because these threats have increased so significantly, and we could spend a ton of time giving you example after example of attacks that have happened to institutions. But in lieu of that, what’s happened is now the regulators are all over this. And it’s very clear there are needs for documentation and governance.
Actually, we’ve had a couple of updates. Steven, I don’t know how much you’ve jumped in on the “new” third-party risk management guidance, I say “new” in air quotes. You know, they only had it out for questions for like what? Almost two years until they actually had guidance, but that ties into expectations on how we manage these things.
SW: Yeah.
ZD: So, Steven, you know, what are your thoughts and what are you seeing related to the compliance quandary and dynamics of that governance process?
SW: Well, all the handbooks are relatively subjective in nature, and it’s all partially dependent on the size and scope and complexity of the institution involved. We all know that the regulatory body wants to take a risk-based approach to everything, so everything is about risk management. And risk management starts with understanding what you actually have, which is what your risks are. What everybody’s going to be faced with is getting a much more in-depth and much more holistic view of what their environment actually looks like. And when I say environment, I mean not just internally but as an entity. Where are the connections? Where are they coming from? Where’s the data come from? Where does it go? Where does it reside? Who has access?
I think a big part of what you just referring to with that latest guidance from them and one of the things that struck me is they were even interested in… how did they phrase it? Was it nonproprietary or non-sensitive information? That tells me, look they don’t care what the data is. They want to know that the data is secure, and they want to make sure that you know, as an institution, where this data resides, how it’s protected, and who can access it.
If I look at more than just the business side of it, I do think we have to balance a little bit with just because something’s a vulnerability doesn’t necessarily mean it’s exploitable or worth exploiting. So, I think we have to still strike a balance of why you have to have that awareness. You have to have that conscious of what’s there. You then do have to look at it from a business perspective, say okay, is this what they’re actually going to go after? I need to know I have it, but is this something that has to be protected, you know, to this degree? And that helps you determine where you are going to put your resources. I think it’s really being aware of everything you have then weighing that against what’s the real potential for exploitation.
ZD: Yeah, I think you nailed it when you talked about risk assessment and that’s threats, risks, vulnerabilities, controls and then residual risk. Typically, institutions are really good at managing risk. Cyber, it’s a little more scary, or maybe they’re not as familiar with the controls, but the same concepts apply.
SW: Right, a lot of times risk assessments are a little bit theoretical. I’ve had countless conversations with CEOs where they ask why am I having to take the time to do this? You know, this doesn’t really make sense. This whole idea of could this happen? Might this happen? How bad would this be if this happened? It seems too abstract in a lot of ways. Starting out with that system map and knowing really what systems you actually do have. Identifying those, identifying the data, where the data resides, what that data actually is.
And then looking at it from a control side from our framework such as NIST and CIS and figuring out what controls do we already have in place and then mapping all of that back to those categories that really tie into the actual systems and what’s really there, that is concrete. That really tells you, yep, this is high risk data. This is something important. And yeah, the controls we have in place actually do something about this. Instead of just saying, well, what’s the probability somebody would do this? What would be the outcome of that? Well, that would be bad. That’s a little bit too abstract of an approach, but I see a lot of risk assessments that are kind of built that way.
The other thing about it is I think risk assessments cannot be an event any longer. They have to be a process. They have to be part of your ongoing process. So, as you’re vetting new technologies and vetting new services, you have to risk-assess those up front. But then once you introduce them, you need to immediately adjust your risk profile and account for the controls that are doing those. You can’t just wait for that to come around again. You have to be continually monitoring this and looking at it and updating it all the time. That sounds like a lot more work, but I think that it’s been our experience so far that once you treat this more as a process, it is actually easier to live with than having a, every 12- or 18-month, two-week fire drill trying to pull this together. And I think the data when you do it this way as a process, the data and the intelligence you gain from that is much more concrete and much more actionable.
SP: Steven, you mentioned handbooks as well as some key frameworks and standards. From the outside, this seems like it’s kind of a lot to absorb and a lot to approach. So, are there any key frameworks or standards you’d recommend that organizations can use to guide their cybersecurity compliance efforts?
SW: Well, I know that we generally rely on frameworks and what is built into the Finosec platform is based on NIST and CIS controls. That’s what people normally gravitate towards when they’re looking at frameworks. Some people will call the CAT a framework. I’m a little bit on the fence whether that’s truly a framework, but that’s another tool. Ransomware self-assessment, PI Assessments are something else that they should be accounted for.
So, if you just if you just try to chase the NIST controls by themselves. If you just look at NIST and you say, oh, we’re going to implement NIST, that’s a really arduous, that’s a hard thing to do. That takes a whole lot of effort and in some institutions you may not get there. So, I think it’s much better to use a tool that has it kind of built into it that you can also say, well, you know, are we a standard risk organization? Which most community banks would be, and most credit unions would be. That’s going to pare that list of controls down to a much more manageable level and it’s going to fit better with what your risk profile is and what’s more reasonable for you to do and address. So, I would lean into something like that and use a tool to achieve that.
Now as far as the guidance goes, the FFIEC is the Bible. We’re seeing other things crop up, you know CISOs talking about writing their own rules. There’s GLBA, there’s all kinds of other things that you have to take into account, especially if you’re publicly traded, but, you know, you always start with the FFIEC. If you can match everything that they have in all the handbooks from the FFIEC, you’re pretty much there. Now, it’s not that everything’s done, I think you pretty much have it, for the most part, covered. Then you need to go back and look at specific things out of GLBA and also maybe there might be some other things that fall but depending on what your institutions are doing. But I think that’s where you start, Saxon.
LS: What about, and Zach we can start with you. To help with cybersecurity compliance efforts, and we were just talking about frameworks, what technologies, and Steven you said the word tool several times, so I’m wondering if there are technologies out there and what those are to help guide or simplify cybersecurity compliance efforts?
ZD: Yeah, I think there’s a couple things. So, on the Finosec side that’s where we’ve been really dedicated to trying to figure out how do we go tie things like the frameworks and have data live once. So, the concept of if I say yes to this one thing these seven other questions are very similar, they’re worded differently, but they’re the same concepts. Things like do you have any annual report to the board? What was that process? What’s that documentation? And putting scenarios in place to also be able to go have the consistency of other financial institutions, as they’re going through the process and build things where we’re able to kind of pull those components. I think that’s kind of one kind of big macro concept.
The other big important thing is I look at the concepts of tools, is who’s the team behind that? What’s the expertise around the team that’s looking at this data? And being able to go and say, well, that question, I don’t know if I’d say yes or no to that, I probably say yes with some accommodating controls or no and some accommodating controls. And I think, Steven, as I’m thinking of that process of technology and governance, what’s your thoughts on that blend between the tools and the expertise needed behind the tools at the same time and the blend?
SW: That’s exactly what I was thinking. The challenge for most institutions and there’s lots of really talented people in the financial services world. I mean, I’ve met some really, over the years, some really brilliant individuals in business and technology and in finance.
However, for what most people do in their day-to-day jobs isn’t like what people like my team does. So, I agree with you, Zach, that the problem everybody fixes is that and I had this problem when I was a bank executive. You know, I knew the bank I was in, I knew that world, I knew what we were doing, I knew what we were hearing from auditors, I knew we were hearing from regulators, but I didn’t necessarily know everything that was going on. I tried to read blogs and things like that, but I didn’t have the bandwidth and time to do that all the time and it was just me and my team.
Right? So, I think when you turn to somebody, there’s all kinds of tools out there available and we work with various tools and sometimes there are tools that a client may have that they’ll give one of our consultants read access so that we can provide feedback on what’s in there, what they’re seeing. And I think that’s the key. You really need people that do that a lot and that’s their world. They’re not going to make all the decisions for you, but they’re going to give you the absolute best guidance that’s possible and going to give you a view of this that you wouldn’t otherwise get.
So, even though if you’ve got a great tool without someone there to kind of interpret what that tool is doing and what data that’s coming out of it, it could be misleading and it may be terribly inefficient. You see this a lot in an audit and exam findings. They’ll say something like, well, yeah, you could do what they’re saying to do. However, the risk is actually pretty low for that and that would be incredibly costly to do that. Or other times the real common one we see is somebody will say, well we were told we should do this and it’s like well if you do that, you’re going to create the administrative nightmare, and that’s all you’re going to be doing. There’s actually probably an easier way to do that. If you do this then then this will probably, this should pretty much take care of itself without so much overhead.
We read and analyze the handbooks nonstop every time they write – they publish something, we read it and we usually write up some type of analysis report to share with our clients. They don’t read all of them. It’s not Stephen King books… I guess it could be horrific, but they’re not entertaining reading. So, we do that part for people and since we look at that all the time and then we write policies all the time, it’s much easier for us to produce that and produce things that are actionable and meaningful.
Most people that are in that position within an institution simply don’t get enough time on the field and playing that position to do that often enough to become really, really good at doing that. So, I think it’s great to turn to somebody who, that is their game. That’s the position they play all the time and they’re going to give you a lot better guidance than you could just produce simply on your own.
SP: Speaking of guidance, do either of you have any final recommendations for those institutions that want to innovate but are maybe inhibited by cybersecurity and cybersecurity compliance concerns?
ZD: Yeah, I’ll jump on this first, Steve. I think the primary thing I would encourage you to do is to really think about what’s really the most important to get across the board cybersecurity processes. They’re really not dissimilar to other things that we have to manage inside the institution, but really what are the things that really are going to have the biggest impact? What’s the process associated with that? And then evaluating how do you go get the knowledge and expertise to be able to prioritize those things? That’s the takeaway that I would recommend is really focus in on the most important and then create plans from that. Steven, what would you add?
SW: This comes in the play probably more when we’re doing strategies workshops with clients. We don’t just do IT strategy. We do bank strategy workshops with people. Everybody’s heard let’s get the low hanging fruit and over the years I’ve come to believe the low hanging fruit probably isn’t that meaningful. It’s probably just something that we should have been doing already and somebody somehow got overlooked, so let’s just do it and move on. It’s not going to change your world if you just attack all the low hanging fruit.
If you really want to move the needle, if you really want to make an impact, then that’s what you look for. You look for things that are actionable and meaningful and impactful, and that’s where you’ve got to put your efforts and your resources. Something that’s simply nice to have or something that we should have just been doing is not going to make a big difference to everything.
So, I really think Zach what you were saying, you’ve got to focus on the things that really do have impact, that really do have meaning. And regardless of whether it’s cyber security or if it’s trying to get your regulatory frameworks and your policies in order or your bank strategy. What would actually move the needle the most? Once you identify that pick out, say, well, this is what we’re going to do and how we’re going to do it, can we actually pull this off and are we willing to put the effort in to make it happen?
SP: Alright. Well, thank you both so much. This has been very informative. You’ve given us a lot to think about.
LS: Thanks again to Zach Duke and Steven Ward for joining Fintech Focus and thank you all for listening.
SP: You can hear previous episodes of this show and learn more about who we are and what we do at CSI by visiting csiweb.com or subscribe to Fintech Focus wherever you get your podcasts. We’ll be back soon, but until then you can find us on LinkedIn, Twitter @csisolutions, or on our Facebook page facebook.com/csisolutions. See you next time.