It’s 3:00 on a Wednesday. Your institution is humming along, like a well-oiled machine, everything working as it should. Suddenly, your head of IT rushes into your office and announces that your bank’s computer infrastructure was the subject of an attack and your data files were in fact hacked. Your heart sinks as you realize the magnitude of what you now face. Over the coming days, you must deal with angry customers, negative press and bank regulators, all who are digging into how your institution was unable to thwart this attack. It’s bad, really bad. Once the immediate dust settles and you begin the remediation of all of the negative consequences for the breach, you reach out to your insurance company to discuss how they will be providing remuneration for the costs associated with this incident. As you begin this process, you realize quickly that the insurance coverage you believed would cover the estimable costs of a breach are not sufficient. And it was not the fault of the insurance company. Your organization failed to adequately plan for a breach and thus, follow the proper procedures for prior and immediately after the breach that trigger the insurance coverage. Perhaps a mistake that equals hundreds of thousands of dollars lost. Think you are protected from the above example? Perhaps. But a thorough examination of the issues related to a data breach are worth reviewing. Let’s break this down into multiple areas for review and discussion. I will delineate them as follows: What you can certify are in place prior to a breach What you do immediately upon discovery of a breach What type and amounts of Cyber coverage you have purchased How to address “3rd Party” breaches Let’s start with what you must have in place prior to any breach occurring. Your insurance carrier should provide you with a checklist or instructions regarding the protective elements that must be in place in order for your insurance coverage to be considered “active”. Here are some examples (Note: this is not an exhaustive list, your insurance partner will provide you a comprehensive list): Certify that your FI has adequate Firewall and other hardware / system software Demonstrate that the appropriate level of firewall monitoring is performed Demonstrate that appropriate procedures are in place for any remote access to your FI’s network Demonstrate that software updates are current Demonstrate that virus protection is in place and up to date; all inbound emails are checked for malware and endpoint detection Certify that Multi-factor Authentication is enabled and required Demonstrate that employee devices are adequately controlled by IT and covered by corporate level usage rules and virus protection Certify that commercially reasonable security procedures as outlined by FFIEC for all customer facing applications are in place and followed As soon as you have encountered a breach, there are multiple things that need to be implemented right away. First and foremost, you must have a detailed Incident Response Plan. Could you put your hands on your Incident Response Plan right now? If not, you are truly not prepared for a Cyber breach. The Incident Response Plan will spell out all of the elements that are highlighted in this article and much more. It is critically important that you not only have a comprehensive incident plan but that you ensure that everyone will act in synch should a breach occur. The list below is also not comprehensive but the types of items that your Incident Response Plan would cover. Note: You should regularly drill on the Incident Response Plan in the same way you drill for a robbery or disaster planning. Consider: A hotline for calls is immediately established and individuals who are trained to answer questions related to the breach are handling these calls. As word gets out, customers will be calling and this is the main reason to have this call team assembled and trained to reassure customers. Immediate and proactive PR for all stakeholders is critical. Would you want someone unprepared to have a reporter stick a microphone in their face and start asking questions? For that matter, would you be prepared to have a microphone stuck in your face? You may want to consider having some PR training on handling a breach or disaster situation. Have a designated spokesperson assigned and direct all inquiries to that person. You probably would assume that your head of IT would be handling the investigation but it is good idea to designate a team of individuals that might also include some non-IT staff as well as outside consultants to provide the forensic analysis of the breach. Don’t guess what happened, know. You will further need to assess if whatever technical remediation you have implemented is actually working and fixes the problem. This might also necessitate your bringing in outside expertise to so certify, as customers may want to hear that someone outside your organization has examined your fix and declares it working. You will need to assign a team to provide external communication to affected stakeholders. This represents your outbound communications about the breach and is primarily directed to affected customers. Do you have pro-forma emails, letters and other relevant communication already written than can be easily modified to adjust to the specifics of an actual breach? Who is responsible for ensuring that the external communication is properly executed? You should also consider how you are going to communicate to customers not affected by the breach. If it is public knowledge that there was a breach and you don’t speak to unaffected customers, they will assume they were affected and you just ignored them. Don’t do that. Say the breach is one where your data is encrypted and there is a Ransom demand. Do you have someone designated to negotiate on this specific situation? You can say you would never negotiate with someone who has kidnapped your data, but we have seen recent examples of companies who did pay the ransom to retrieve their data. This is another area where experience matters and your insurance company should be able to provide a resource to negotiate on your behalf. Contact your insurance carrier immediately. Communication early with your insurer will enable them to effectively assist you in all of the remediation steps. The above list is by no means comprehensive. By sitting down with your insurer, you can form a specific plan to ensure that your institution has in place the systems and processes to avoid a breach. This same diligence prior to a breach will ensure that if a breach occurs, you will qualify for reimbursement by your insurer. The type of insurance you purchase is critical as are the policy limits. There are a number of factors to consider here as well: What is the total annual limit for a Ransomware event? What coverage exists for reissuance of cards or public relations both pro-active and post-release? Will you discover that all of this comes out of the total limit afforded for Cyber protection, or can it be a separate limit to protect the institution? Any other breach responsibilities that your insurance agent would document for you. Having this detailed conversation with your insurer is critical to making sure that there is no stone unturned related to your pre-breach activities that align with your insurance coverage. Finally, what if a “dependent vendor” is breached and that breach affects your institution or customers? What are the specifics of your Cyber insurance coverage as it relates to a 3rd party with who you do business? What, if any, are the limits related to costs that you incur to remediate a 3rd party data breach? Or, is it possible that the policy that you have doesn’t even cover this type of breach at all? In today’s technology environment, all organizations depend on 3rd party vendors that may have access to non-public bank information. All of this begs the question; Do you have the right insurance partner? You need an organization that will work collaboratively with you to craft a specific Cyber Security plan that includes pre-breach protective elements, as well as a systemic and comprehensive set of resources of assistance to you in the case of a breach. Maybe you feel confident that your insurer is that partner. FNBB has an insurance subsidiary that can evaluate your current state of Cyber readiness and your coverage to advise as whether you are adequately protected. Your overall Cyber program should be at the forefront of periodic board insurance reviews. Comparisons of coverage options and a thorough review of any current Cyber deficiencies are the fiduciary responsibility of the bank directors and management. It’s possible that your institution has been simply “checking a box” regarding your Cyber coverage (and candidly, some regulatory entities do the same thing). But, asking the tough questions about whether your bank can withstand the storm that a breach delivers and if insurance limits provide appropriate coverage, can at the least provide peace of mind and avoid the losses associated with a breach event. FNBB can provide a free evaluation of your current Cyber preparedness and discuss appropriate coverages. For more information, contact Delvin Irwin at firstname.lastname@example.org or 601.953.8562.