The financial industry can consider it a sure thing that cyber-risk will grow in the year ahead, and it will hit different segments in different ways. Here are some issues to keep in mind.
Advisors and broker-dealers. The SEC’s Office of Compliance Inspections and Examinations issued a risk alert on cybersecurity in September. The results of OCIE’s first round of cybersecurity exams were published last February, indicating that BDs were farther along than RIAs. The new round of exams will focus on six areas: governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.
According to a recent report from External IT, an IT outsourcing firm that specializes in the financial industry, neither advisors nor broker-dealers are well prepared. The report, “Financial Services Firms Face Further Scrutiny of Their Cybersecurity Practices: Is Your Firm Ready?” highlighted some examples.
Firms tend to be more reactive than proactive, according to the report, particularly regarding IT security. Failure to track data, keep records of emails and other activities or plan for breaches could mean a firm misses attempts at cyber-intrusion.
Calling in outside IT consultants can bring its own pitfalls if those experts aren’t sufficiently vetted, or if the IT firm doesn’t focus on financial firms and fails to recognize financial compliance requirements.
The use of outside devices by employees is also problematic. The best security in the world won’t help if there’s no way to track data or emails stored on or originating from an employee’s personal laptop or other device.
Then there’s cybersecurity incident response — something most firms lack. Although most firms do have “checklists and procedures to immediately invoke when disaster strikes IT systems,” the report said, “the SEC wants firms to have a response plan for data breaches and cyberterrorism.” One part of that, the paper said, should be insurance coverage.
Insurance. Insurers are looking at the effects of cyber-risk in a number of ways, from the danger of breaches at the businesses they protect to the opportunities the threat presents to create and offer new products.
Hackers have already proved adept at punching holes in financial firms’ firewalls, as became clear in November with indictments against three men the Justice Department said stole data on some 100 million customers of financial firms including JPMorgan Chase, E-Trade, Scottrade and even Dow Jones.
But retailers and health insurers are in the crosshairs as well, and breaches in those sectors have sent premiums soaring. Any sector that handles large amounts of personal data can be a target.
But as insurers wade deeper into insurance products for cyber intrusions, the scale of potential damage just keeps growing — both reputational and financial. Just ask any of the retail establishments that have suffered a data breach, such as Target, how quickly they bounced back from data theft.
Coverage is getting more expensive, but also harder to obtain, with sharp increases in premiums and deductibles, coverage limitations and tougher underwriting requirements. While reports say that retailers and health care firms currently face some of the biggest hurdles in getting covered, insurers themselves face major cyber challenges.
North Dakota Insurance Commissioner Adam Hamm, chair of the National Association of Insurance Commissioners’ Cybersecurity Task Force, was quoted at a meeting of the American Academy of Actuaries calling cybersecurity “arguably the single most important risk” the insurance industry faces, since it offers hackers “treasure chests of personal information.”
Credit analysis. Moody’s Investors Service pointed out in a November report that the material threat of cyber-risk puts it on a level with other extraordinary risk events, such as a major catastrophic weather event, in credit analysis.
“Cyber-risk means different things for different sectors,” Jim Hempstead, associate managing director for Moody’s and lead author of the report, said in a statement. “While we do not explicitly incorporate cyber-risk as a principal credit factor today, our fundamental credit analysis incorporates numerous stress-testing scenarios, and a cyber event could be the trigger for one of those stress scenarios.”
— Read “How to Stop Cyber Bandits and Boost Your Business Security” on ThinkAdvisor.