CBIZ Cyber Risk Management Expert: Effective Solutions for Banks, Part One

Kelly Coughlin:

Greetings, this is Kelly Coughlin. A pack of wolves lurked near the sheep at pasture, but the dogs kept them all at a respectful distance and the sheep grazed in perfect safety. But now, the wolves thought of a plan to trick the sheep.  “Why is there always this hostility between us,” they said.  “If it were not for those dogs who are always stirring up trouble, I’m sure we should get along beautifully.  Send them away and you will see what good friends we shall become.”  The sheep were easily fooled.  They persuaded the dogs to go away and that very evening, the wolves had the grandest feast of their lives. 

 

Announcer:

Kelly Coughlin, CEO of BankBosun, a management consulting firm helping banks C-level offices, navigate risks, and discover reward. He’s the host of the syndicated audio podcast bankbosun.com.  Kelly brings over 25 years of experience with companies like PWC, Lloyd’s Bank, and Merrill Lynch.  On the podcast Kelly interviews key executives in the banking ecosystem to provide bank C-suite offices risk management, technology, and investment ideas and solutions to help them navigate risks and discovery reward.  Now your host, Kelly Coughlin. 

 

Kelly Coughlin:

Hello everybody, this is Kelly Coughlin, CEO of BankBosun, helping C-suite bank executives navigate risks and discover reward.  Today is the first in a series of five podcasts on the subject of cyber security and banking.  Cyber hackers today rob banks much more sophisticated than the days of say Jesse James.  And certainly, they’re much more intelligent than Isaac Davis who committed the very first bank robbery in the US in the year 1798.  Davis robbed the Bank of Pennsylvania at Carpenters Hall in Philadelphia, PA.  He was apparently so stupid that he robbed the bank of over $162,000 and then deposited the funds in his own account at the same bank.  Not very smart. He got busted. 

 

Today’s cyber pirates aren’t that stupid.  They attack the bank’s web application.  They shut down their site for ransom with denial of service attacks. They skim credit and debit cards. They engage in privilege misuse, crime ware, just to name a few.  It’s a huge threat to banks. And the reason I’m putting so much attention and focus to it at BankBosun is the expectation is that more bad guy resources will be directed to community and regional banks in the future for two primary reasons.  Number one, the Willie Sutton factor.  When he was asked by the FBI, “Hey Willie, why do you rob banks?”  He replied, “Because that’s where the money is.”  Then, a second reason, insufficient resources to prevent and detect.  If lower net interest margins and higher regulatory burden weren’t enough, then the additional expense required for cyber security risk management is enough to put you over the top. 

 

So that leads me to my guest for today.  His name is Kris St. Martin.  He’s vice president bank services program direction for CBIZ with over 100 offices and 4,000 associates in most of the major metropolitan and suburban areas throughout the US.  CBIZ delivers financial and employee business services to many organizations of all sizes as well as individual clients by providing national expertise combined with highly personalized services.  CBIZ is a leader in cyber risk including cyber insurance, IT audit, penetration testing, mobile application assessment, digital forensics, cyber risk management, and Kris is a cyber insurance expert, and is a member of the CBIZ national cyber risk management team.  He has more than 23 years of direct bank experience and he’s held many positions in banking.  He’s been providing risk mitigation services since 2009.  So, with that introduction, Kris, are you on the line there?

 

Kris St. Martin:

I am.  Thank you very much for that introduction, Kelly. 

 

Kelly Coughlin:

Did I cover all the relevant points in your bio, Kris?

 

Kris St. Martin:

You were very, very thorough.

 

Kelly Coughlin:

Excellent, I like being thorough.  Now, I didn’t include any personal background in there.  Do you want to start off with telling us who you are, family, where you live, that sort of thing?

 

Kris St. Martin:

Sure, absolutely.  As you mentioned, I was in banking for over 20 years.  I live in Plymouth, Minnesota, a suburb just west of Minneapolis.  In my banking days, I was involved in community banking in Plymouth for 20 plus years.  I worked First Bank Systems, which later became US Bank.  I was very familiar with a regional bank becoming a large national bank.  Went to a very small community bank, worked there for four years in my hometown, opened up a branch for them for a couple of years, and then became part of the de novo bank experience in 1999.  We opened up the bank in 2000.  Lived in the same community, Plymouth, for 20 plus years.  Wife of almost 26 years.  Three kids, one is a wildland firefighter; one’s a senior at the University of Minnesota going on to the law school next year; and my daughter has graduated with a marketing degree recently, and works for a hotel chain in the twin city.

 

Kelly Coughlin:

That’s terrific.  Let’s dig right into it, Kris.  Subject today is cyber risk, cyber risk management in the banking ecosystem.  Let me just start out with a very general question here.  From your perspective, what are the cyber risks facing banks today?  What are the key risks that you see they face today?

 

Kris St. Martin:

Well, Kelly, you mentioned a number of them in your introduction and they include probably the largest frequency risk today is the ransomware by cyber extortion.  For the last few years, that was not as prevalent in the financial institution world, because financial institutions were deemed as a little better at backup than other industries such as retail and medical.  The very nature of those are locking up your information and if you haven’t backed up for a few days, that could be very, very costly. So they paused on the banking world for a couple of years, and now it’s getting hit very, very hard.  The other industries have tightened up on their backup procedures.  They tend to be smaller amounts; anywhere from $500 to $50,000.  They can be larger.  They tend to be quick hits, lock up your system.  Data breach is obviously a big one in the banking world, because obviously banks hold a great deal of data. Theft of money is always a big one. 

 

We’ve seen several cases recently where there was some type of hack leading up to obtaining passwords and wiring money out.  In addition to the types of things that are happening, banks are having to deal with, as you mentioned, the regulatory aspect of that.  The regulators are all over this topic and have great expectations when they’re coming in for exams.  Cyber insurance is part of that, where they really didn’t look at that too much in the last couple of years before that.  Now, they’re wanting to know what type of cyber coverage and all your cyber procedures are so it’s put a great deal of burden on them.  The reputation risk for having your information active is enormous to both your reputation, your brand, and litigation from a number of sources if you could have your data breached can be from clients who’ve had their data breached and it could be as more of like a class action if you had 50,000 records breached.  They could all ban together and sue, but it could also be if you’ve lost one really critical piece of data. 

 

Let’s say it was a critical business plan of one of your clients that you obtained in conjunction with a loan request.  Who knows what kind of harm that could cause, if that got in the hand of a competitor?  There’s also some litigation based on what is showing on social media.  Banks often encourage their employees to be on LinkedIn and other social medias to increase the bank’s presence.  There are other things that bankers are on that are not necessarily done with bank approval like Facebook.  So, somebody could be on Facebook and note on there, they’re an employee of XYZ bank and put something disparaging about one of the competitors on there.  It wasn’t necessarily a bank approved type of a thing, but they can be pulled into the litigation because of the reference to the bank.  So there’s a wide variety of cyber risk and financial risk for banks out there right now.

 

Kelly Coughlin:

Now that social media example, that isn’t part of cyber security risk. That’s more reputational risk, other financial risk, but a bank’s employee participating in Facebook for instance, that doesn’t open up risks for cyber-attack, correct?

 

Kris St. Martin:

Not from a cyber-attack, but it can be part of your cyber risk management program.  There’s great expectations from regulators that you are training your employees because there’s a financial risk that can come back to the bank.  So it’s part of your cyber risk management program at the bank not necessarily directly from a hacker. 

 

 

 

 

Kelly Coughlin:

Okay.  You guys are in the business of helping banks insure the risk.  In the event of a cyber-attack, they buy an insurance policy that covers their financial risk in the event of some sort of cyber-attack, correct?

 

Kris St. Martin:

Yeah. 

 

Kelly Coughlin:

Now, is it fair to say that four years ago cyber risk management was more or less a footnote of a P&C policy or an E&O, D&O type policy?

 

Kris St. Martin:

Right and there’s just only a few remnants of that.  So, for example, in your general liability policy there were many areas in there that could have provided coverage 10 years ago under what’s happening in today’s environment.  Over the years, the carriers have been excluding on your D&O policies, directors and officers liability policies, your professional services policies as well as your general liability policies, anything that’s related to cyber risk.  So today, most directors and officers policies and general liabilities policies exclude anything related to cyber risk.  They push everything towards a cyber policy with only a few exceptions.  The exception to that is in their directors and officers policy, if you look at what happened to Target, the Target breach about three or four years ago, after the smoke cleared the directors and officers were sued for lack of oversight of the cyber risk management program.  That’s where kind of a cyber-related type of thing can still be pulled into a D&O policy, but specifically if officers and directors are named based on decisions made by those directors and officers.  The D&O policy is not going to pay for anything that’s related to your expenses associated with the breach.  In the case of theft of money through hackers, where there is a theft of money, that’s treated under a crime bond policy. So the other exception is if you had a hacker come in, obtain codes to malware or whatever they use, eventually wire money out that’s not retrievable, that actual cash loss, whether it’s the bank or your client, is treated and handled under the bond.  So those are kind of the two remaining policies where there is some related coverage. 

 

Kelly Coughlin:

Okay, but business interruption, for instance, let’s say it’s denial of service, which is business interruption, would that be specifically excluded from the other P&C policy that would cover interruption from fire or water, that sort of thing?  Is that specifically excluded? 

 

Kris St. Martin:

Yes and with other causes of business interruption, that is included in your traditional package policies.  That has historically been part of those policies, but with a cyber interruption, again, those policies now exclude the business interruption reimbursement and pushed it back to the cyber policy.  If you’re a retailer selling products online and your website goes down for three weeks, it’s very easy to document the lost sales based on a history there.  In the banking world, your primary revenue is going to be your net interest margin, so your loan income is still coming in regardless if your system is down or not.  So the classic business interruption policy is going to pay for the lost income. It’s good to have it in your policy because you never know, but there’s not a lot of claims in there in the banking world because it’s difficult to demonstrate you actually lost income.

 

Kelly Coughlin:

Yeah, I suppose it’s mainly reputational damage, if people go to the site and they can’t access it, and the media gets wind of it, then that’s more harmful than loss of any sales on any given day, correct?

 

Kris St. Martin:

Yes, that is correct.

 

Kelly Coughlin:

So this is a whole new policy that banks now have to include in their portfolio of insurance policies.  That’s good for you in that it’s another policy that you can earn fees on.  Bad for them, it’s another policy that they have to pay fees on, but that’s the brave new world.  Is it fair to say that regulators today are looking for and demanding specific policies related to cyber insurance? 

 

Kris St. Martin:

Yeah, it’s interesting from the regulators.  They will come in and they will look at your insurance policies, but there’s very little that they absolutely require on insurance.  The way the regulations are written under there is you don’t necessarily have to have insurance, but you’ve got to convince us that you have a way of self-insuring, or what your plan is.  A bank that’s extremely well capitalized can go in without any insurance policies if they want and say we’re going to self-insure for those.  That’s not very common. So the regulators would come in, they don’t require it, but they will look through the insurance policies and it could be a critical comment, if you didn’t have insurance.  When the regulators come in and look at the cyber program and IT in general right now, the insurances went from low business access loss to a very important part of your cyber risk management and how your IT exam is going to come out.  Again, it’s not a requirement, but it’s going to fall into how you’re rated and the components of the rating for that whole area.  They know that if you do have a cyber breach and you’re making decisions, and you need to make fairly timely decisions, because the harm for not acting quickly exponentially get worse.  Not only financially and reputation wise, so it’s good to know that you would have an insurance available to help you make good, accurate, quick, timely decisions and not make bad decisions based on we don’t have a funding mechanism outside of our own capital.  It’s a very distinct part of that exam, but not required.

 

Kelly Coughlin:

Okay.  If I go back to my consulting days of internal controls, you’ve got three categories of controls; prevention, detection, and correction.  Insurance has been more or less in the correction category.  It’s a way to make people whole, make the company whole.  It really doesn’t prevent and detect things.  Those are internal controls that the company has to adopt and use insurance on the correction side.  As part of the insurance underwriting process, is there any sort of work or effort being done by insurance carriers that helps banks on the prevention and detection side in terms of adopting best practices among the industry?  Do they give discounts in premiums if they have best practices, or not?

 

Kris St. Martin:

I think it’s fairly early on in that world with carriers right now, but if you look at an application from a carrier and try to say okay, why are they asking that, a lot of it gets at the best practices that they’re asking.  They’re going down that path and by the way Kelly, the cyber policies today are not viably priced as of yet in the banking industry.  If you’re a community bank under let’s say a half billion, you can probably get a $3 million limit cyber policy.  Now, there’s going to be different bells and whistles there, but you can probably get something in that range for $8 to $12,000 in that range, for $3 million.  We’ve got small little banks that they’re buying them for million dollar coverage for $3,000.  They’re a pretty good robust policy.  Where underwriters are looking at pricing, they can fairly quantify, if a data breach happens based on a number of records, personal data records that you have, there’s different published amounts of somewhere around $30 per record is going to be what your cost is out of pocket.  They can fairly well quantify the costs to immediately get through the data breach part of it and the carriers are fairly comfortable with the pricing on that.  Where it really gets difficult, is more on the liability side; who’s going to end up suing you; what regulatory body is going to put a fine on you; and that is a really ever-evolving market. 

 

As an example, going back to the critical piece of data, if you lost somebody’s business plan, it gets into the wrong hands, that’s hard to quantify.  It all depends on the circumstances.  It could be a half-million dollar lawsuit, it can be a $10 million lawsuit.  So that’s evolving.  Getting back to kind of your question on the underwriting, the first two things that a cyber underwriter will look at in the big picture of things is number of records that you have.  Records are generally defined on the consumer side, if there’s a social security number associated with a name of loss, that’s automatically going to qualify as triggering a data breach for that particular record.  So you look at the number of records both personal and business, that you hold, and that will be on the application and that will be probably the biggest thing that will set the pricing.  A bank may have 100,000 accounts, either accounts that are closed or current ones, but they may have 25,000 individual individuals who opened all of those accounts.  So the number of records would be the individuals with their social security number and how many of those do you have at the bank.  Historically, if you are retaining that information in current accounts, that’s the primary driver with the cost of cyber insurance right now. 

 

They’re going to look at the annual revenue of the company just to give them a scope of the size and breadth of the company.  It’s not perfect, but it gives them an idea of obviously a bigger company versus a smaller organization, because it’s got more things going.  They have more contracts.  They have more data.  In general, more stuff going on that could potentially fall into the cyber world.  Then, you look at a typical application and look at some of the questions that they’re asking.  Some of them would be maybe a complete take out of hey, we don’t want to write this policy.  Some of them are going to be a little much less alarming, if you had answered no. But if you look at it, there’s a reason they’re asking those questions.  It’s the overall risk to the insurance company.  Same thing for the bank. 

 

For example, one question that’s on many applications and I’ll read one, “Does the applicant restrict employee access to personally identify information on a business need to know basis?”  That’s a pretty general question and most banks are going to say, yes, we make sure, we try to make sure that people can have access to different areas on the computer network based on what they need it for, kind of a need to know type.  That question, I think most banks are going to say yes to that.  Who wouldn’t say that?  But they always want you to kind of think that through and really go back and review that.  Hopefully, if I’m looking at that, not only am I going to say well yeah, but hopefully that causes you to go back and really review that because they’re asking that for a very good reason.  There’s claims history behind those questions.

 

Kelly Coughlin:

Back to my prevention, detection, correction internal control model. On the prevention and detection internal controls, what I think I hear you say, let’s say we have a continuum of one being no internal controls and five being terrific internal controls.  In the underwriting process, if the bank comes in at a one or a two, they’re going to get rejected.  If the bank comes in at a four or a five, they’ll get accepted, but they’re not going to get any discounts. They’re not going to get rewarded for their superior internal control structure, but they’ll get accepted.  So if they’re a 3, 4, 5, then they get lumped in terms of the same pricing, but they won’t get rejected.

 

Kris St. Martin:

Yeah, I think that’s a fair statement.  What will happen over time as there is more and more claims history with these carriers, they’re going to be able to get even more defined on that type of thought process.  If they know that, in my example that I talked about under being able to restrict your employees to only certain applications within your system. If that became more and more of a claim problem for carriers, they’re probably going to dig deeper into that and actually ask more and more questions beyond that and have you document that and also base the pricing on that more and more.  So yes, there is definitely some underwriting based on your current procedures in place.  I think just based on where claims are going, there’s going to be more and more of that.

 

Kelly Coughlin:

What’s your expectation in terms of likelihood on the pricing part?  Do you think they’re going to increase or decrease, or stay the same over the next 12 months and then even farther out from that?

 

Kris St. Martin:

Yeah, I think it’s going to be a little bit like the hurricane effect in general P&C insurance.  Whenever there’s a big hurricane, that’s going to affect everybody’s homeowner policy for a couple of years.  Everybody will see the cost of premiums will spread out a little bit.  I think you’re going to see that in cyber.  Right now, there are a number of claims out there, but it’s not to the point where I don’t think that the premiums the carriers are changing isn’t supporting it.  The carriers are a profit business like anybody else. They try not to pay out more than 50% of what they charge in premiums on claims, kind of a rule of thumb and then the other 50% is profit and paying for the rest of your operation. When you see that pay out starting to exceed that kind of industry percentage, that’s when you start seeing the premiums go up. That would just take enormous breaches or volume of community bank breaches, then it’s going to be all claims related. 

 

So, as of right now, based on what the pattern of claims are, it should be pretty steady, but with a caveat that it wouldn’t take much if there’s a couple of alarge financial institutions or a bunch of smaller ones, you’re starting to get into hundreds of millions of dollars of claims, that could push prices up in a hurry.  The other part to that is there’s also a future expectation of risk of what’s going on, they can push it up also.  Even if the claims haven’t quite hit yet, if there is a more and more devious way to harm banks than before and that comes out, and there’s a fear of that, you may see some underwriters starting to push the premiums up in anticipation of that.  They don’t have any reason to believe right now, based on what’s been happening, that we’re going to see premiums drastically increase in 12 months.

 

Kelly Coughlin:

Well, that’s it for part one of my interview with Kris St. Martin, a bank cyber security expert at CBIZ.  In part two, we’ll talk more about what drives premium costs and once a bank experiences a cyber intrusion then what are the actual types of costs the bank can insure, and how to make sure that these costs are recoverable in an insurance claim. 

 

Announcer:

We want to thank you for listening to the syndicated audio program bankbosun.com.  The audio content is produced and syndicated by Seth Green, market domination with the help of Kevin Boyle.  Video content is produced by The Guildmaster Studio, Keenan Bobson Boyle.  Voice introduction is me, Karim Kronfil. The program is hosted by Kelly Coughlin.  If you like this program, please tell us. If you don’t, please tell us how we can improve it.  Now, some disclaimers.  Kelly is licensed with the Minnesota State Board of Accountancy as a Certified Public Accountant.  The views expressed here are solely those of Kelly Coughlin and his guests in their private capacity and do not in any way, represent the views of any other agent, principal, employer, employee, lender, or supplier.