As the threat from fraudsters, hacktivists and hostile governments increase, financial institutions need to upgrade their cyber defences constantly. But what - if any - protection can the insurance sector offer?

In less than a decade, cyber risk has grown from an emerging and little-understood risk to a pressing concern on a global scale. The risk is attracting board-level attention across industries and, in particular, at financial institutions (FIs).

A significant factor in cyber risk is that it encompasses various risks. An attack can result in, for example, reputational damage, business interruption, regulatory penalties and loss of critical information. Furthermore, cyber attacks are increasing in frequency and sophistication.

“There is a proliferation of people who have the capability to carry out a cyber attack, which is a big part of the problem,” says James Hatch, director of cyber services for BAE Systems.

Individuals actively involved in cyber attacks on FIs are, however, motivated by various different reasons, which dictate the level, type and scope of the risk they pose.

Retail banks, for example, have long been targets for criminals motivated by financial gain, and cyber space provides a platform from which they can infiltrate banks and extort money. Similarly, insider fraud is an ever-present concern across the financial sector, as are state-sponsored attacks and crimes motivated by political and ethical reasons.

Insider and outsider threats

Massimo Cotrozzi, assistant director of EY’s fraud investigation and dispute services team, says about 90% of fraud is committed using cyber methods. “In an increasingly digital world, where processes are carried out through computers, risks arise around security and hacking,” he explains.

Although FIs have mechanisms to detect fraud, he says many do not have a system that correlates internal and external threats that could be working in tandem.

“Organisations may not know if someone is doing something on the outside that corresponds to malicious activities on the internal network or totally legitimate activities, inside or outside, that, when linked together, make for a malicious outcome,” Cotrozzi says.

An extension to this aspect of cyber risk is human error. Failing to follow security protocols and ordinary human fallibility can damage internal systems and put valuable company data at risk, according to Hatch.

“Humans are a key element to cyber risk; not only the known criminals and insider crime, but also people going beyond what they need to do and being careless or misguided,” says Hatch. The risks attached to insider and outsider cyber crime and human errors are primarily related to the potential for financial losses. In April 2013, for example, a well-known UK bank reported losses of €1.67m from customer accounts after a gang member disguised as an IT engineer covertly installed hidden cameras in its computers.

Individuals and groups motivated to attack FIs for ethical or political reasons pose a different threat. These individuals, known as hacktivists, have a more antagonistic approach and are more likely to draw attention to their activity in the hope that it will inflict significant damage to an organisation’s reputation.

Hacktivists may target FIs with the aim of weakening the critical infrastructure of national and global economies. It is an industry-wide threat to which organisations, particularly in major economies, need to be alert.

“Banks and insurers have been at the front of this. Now other parts of the finance sector must worry about their cyber security to a greater degree,” says Hatch.

In a similar vein, state-sponsored cyber attacks are a growing concern among critical infrastructure firms. Indeed, geopolitical tensions between the West, Russia and China, among others, are quietly increasing the risk level for FIs.

Recent attacks on several major US banks, including JPMorgan Chase, aroused suspicions in the media that the culprits may have been based in Eastern Europe. Although no official statements were made to support such assertions, the FBI is now investigating these incidents.

Earlier this year, the US and China became embroiled in a dispute regarding cyber espionage, with each side accusing the other of spying through cyber space. It puts FIs in an increasingly precarious position and enhances their status as potential targets for politically motivated and state-sponsored hackers.

“Many of our customers are becoming more interested in the political risk that is related to the cyber space,” says Hatch. “An attack may have nothing to do with the organisation, but it may get caught in the middle of political cyber warfare.

“Larger organisations are now setting up intelligence capabilities that are closer to what traditionally has been done by national security than commercial business, although different techniques and legal frameworks apply for them.”

The increasingly broad scope of cyber exposures for FIs arguably presents insurers with an opportunity to support clients. However, the market appears to be stuttering in its attempts to produce viable risk transfer solutions.

In our survey, 53% of respondents said cyber risk was either difficult or impossible to insure and 51% said the same of system failure.

Insurers may be taking the wrong approach, according to Hatch, who says many are focusing too heavily on business interruption through cyber means. Nonetheless, he remains confident the market will produce valuable risk transfer products in the near future.

“The insurance sector will provide products where there is a market that needs them. As the risks evolve, I’m sure the insurance market will evolve with it,” he says.

In the meantime, it is important that FIs optimise their risk management capabilities and minimise cyber risk exposures.

“A key part of cyber risk is clarity of responsibility,” says Hatch, but, he adds, delegating the responsibility of cyber risk management among the workforce is possible only when the organisation’s exposures are fully understood. That means considering various seemingly unrelated factors such as a firm’s corporate history, geographic location, brand position and internal system structure. “Once you understand the shape and size of a risk, you have the basis on which to make decisions,” Hatch says.

A common mistake for many FIs is failing to account for unknown cyber threats, according to Cotrozzi. He says risk assessments often fail to include unknown threats, such as new types of cyber attacks or techniques used by fraudsters that are so far undetected.

“This is why firms must perform a risk analysis and a threat analysis,” says Cotrozzi. However, detecting and preventing cyber threats is only part of managing the risk.

Prevention is key

“The increasing number of cyber attacks means firms must be more prepared to deal with their consequences, as well as trying to prevent them,” says Hatch.

Cotrozzi agrees, giving a frank assessment of the situation for FIs: “FIs should assume their systems will be compromised and breached. They should assume someone will try to defraud them and that they need to monitor the indicators that will bring it to their attention.

“Every threat cannot be prevented and 100% of breaches cannot be fully remediated. Sometimes, it’s too complicated.”

FIs depend on the efficiency and security of digital communication and cyber space, where weaknesses can damage a firm’s reputation significantly and leave it vulnerable to financial losses.

“For FIs, their safety and trust is very important and reputation damage is one of the main consequences of cyber losses or incidents,” says Hatch. For this reason, FIs are prime targets for political hackers.

At the same time, cyber space has become a testing ground in which criminals can not only innovate but also refine their operations.

As a result, FIs must be prepared to invest consistently in improving cyber defences while engaging in a seemingly never-ending battle with hackers, hacktivists and fraudsters.