Pub. 8 2018-2019 Issue 3

OVER A CENTURY: BUILDING BETTER BANKS - HELPING COLORADANS REALIZE DREAMS

Cyber Risks

FEATURE ARTICLE BY MICHAEL WHITMER, CORPORATE COMMUNICATIONS DIRECTOR

By their very nature, banks are an attractive target for cyber criminals because of the assets they hold and the personal information of customers that they keep. Due to the evolving threats and uncertainty in today’s cyber landscape, it is vital for banks to take the necessary steps to guard against vulnerabilities and exposures, and to protect themselves from malicious attacks that can cause serious harm.

A single breach can result in significant losses, and the damage is often not limited to lost data. It can extend to loss of customer confidence, financial harm, legal challenges and business interruption.

Much like cyber threats such as ransomware, social engineering and phishing, cyber security has also evolved. Many insurance companies, including Travelers, offer risk management services that feature pre-breach cybersecurity expertise. These services go a long way toward strengthening the systems that banks use to keep cyber criminals at bay. In the event of a cyber attack, post-breach assistance kicks in, provided a bank has secured appropriate insurance coverage.

Over the past few years, banks have increased their focus on preparing for a cyber incident – in other words, recognizing that when it comes to a network compromise, “it’s not if, it’s when,” even for a well-defended network.
Banks are doing a better job of updating their incident response plans, business continuity plans, and disaster recovery plans, at least every one or two years, and they are conducting periodic tabletop exercises to make sure that the right people respond when an incident does occur. Staying up-to-date on cyber insurance coverage is another important part of being prepared.

The tough thing about cyber security is that defenders have to be vigilant at all times, while attackers only have to get through the defense once to create havoc. For that reason, it’s important to have well-designed change control procedures in place to ensure that changes to network configurations and controls do not inadvertently introduce security vulnerabilities. Many network compromises can be traced back to change control procedures that either did not exist or were not properly followed. Implementing – and diligently following – established change control procedures can help prevent the mistakes that may lead to a data breach.

How can banks best prepare for a potential cyber incident?

There are many “best practices” for cyber security, but let’s highlight one that is particularly valuable for preventing complacency. Banks – all industries, really – should rotate their cyber-security assessment and testing providers. If the same team is used for penetration testing year after year, they will likely find the same kinds of vulnerabilities year after year. Sometimes a new set of eyes can be beneficial. If a rotating group of trusted cyber-security assessment and testing providers consistently reports that a bank’s networks and systems are clean, the bank can feel more confident that nothing important has been overlooked.

Being proactive is key – educating employees and putting proper risk management systems in place should be a high priority.
Banks should work with an independent insurance agent to identify coverage to manage potential cyber exposures and ensure that employees are exhibiting behaviors that limit cyber risks. Finally, banks should utilize resources such as Travelers.com/cyber to help understand and navigate the growing threat of cyber risks.
