onebeaconpro.com

Cyber Liability Insurance Coverages and Trends Affecting Community Banks
Craig M. Collins, President, Financial Services, OneBeacon Professional Insurance
LEGAL DISCLOSURE
The diverse views expressed are solely those of the respective presenters and are not those of OneBeacon Professional Insurance or any of its affiliates.
WHAT DO THESE HAVE IN COMMON?
THE SCARY STUFF
The Scams:
- Malware-infected software (mainly keystroke-logging viruses)
- Tech support scams
- Phishing (fake email from a trusted source)
- Spear phishing (email from a trusted source)
- Smishing (compromising your smart phone)
- Traditional social engineering
THE SCARY STUFF
The Trends:
- One in seven American networks has malware
- Phishing emails have a 70% "open" rate
- Gas pump skimmers are now "Bluetooth enabled"
- The majority of wire fraud activity comes from outside the US: Estonia, Latvia, Russia, Ukraine, China, African countries
- Political cyber attacks: China, Iran, Russia, North Korea (the US is the alleged creator of Stuxnet)
- Technological innovations in banking: new ATM machines, online banking, remote capture, ACH, Check 21, etc.
INSURANCE COVERAGES
Financial Institution Bond (1st Party):
- Electronic / Computer Systems Fraud (includes online funds transfers)
- Telefacsimile, Email, and Voice Instruction Transactions Coverage
Cyber Liability:
- Cyber Liability (3rd Party)
- Intellectual Property (3rd Party)
- Breach Event Expense (1st Party)
FINANCIAL INSTITUTION BOND
Coverages:
- Electronic / Computer Systems Fraud: protects the bank (1st Party) for loss due to theft occurring within the bank's own computer system (a direct "hack" of funds in your care/custody/control within the bank).
Example:
FINANCIAL INSTITUTION BOND
Coverages:
- Telefacsimile, Email, and Voice Instruction Transactions Coverage: protects the bank for loss due to a fraudulent fax, email, or voice instruction.
However, to have Financial Institution Bond coverage, the bank MUST:
- Have a pre-arranged written agreement with the customer authorizing transfers, AND
- If the transfer is larger than the bank's bond deductible, make a call back to the customer verifying the transfer request.
FIRST COMMERCIAL STATE BANK: FRAUDULENT WIRE ATTEMPT
Wire transfer procedure included:
- A written wire transfer agreement with the customer
- Authorization form
- Call back procedure
FIRST COMMERCIAL STATE BANK: EMAIL EXCHANGES

From: Johnson, James
Sent: Tuesday, August 26, :24 PM
To: Hartman, Sarah

Hello, I need to make an international wire transfer, please forward a copy of the form I need to complete.

James
LAW OFFICE OF JAMES JOHNSON
TELEPHONE- (816)
FIRST COMMERCIAL STATE BANK

From: Hartman, Sarah
Sent: Tuesday, August 26, :33 PM
To: Johnson, James

Hello, attached is the wire transfer form. As you know, since this is not an "In Person" wire transfer, Henry will have to confirm with you by phone once the form is received. He is in a meeting right now but should be out shortly.

Sarah
First Commercial State Bank

From: Johnson, James
Sent: Tuesday, August 26, :46 PM
To: Hartman, Sarah

The completed form is attached. Are you available in the office? I am in a meeting, but I can be reached on my cell at and I just want to know if you are available in the office.

James
LAW OFFICE OF JAMES JOHNSON
TELEPHONE- (816)
FIRST COMMERCIAL STATE BANK

From: Johnson, James
Sent: Tuesday, August 26, :15 PM
To: Hartman, Sarah

Sarah, are you available in the office? I can be reached on my cell at

LAW OFFICE OF JAMES JOHNSON
TELEPHONE- (816)

From: Baker, Henry
Sent: Tuesday, August 26, :33 PM
To: Johnson, James

James, I am out of my meeting and I will give you a call to confirm the wire transfer.

Henry
First Commercial State Bank
FIRST COMMERCIAL STATE BANK
Fraudulent attempt:
- International wire transfer request received
- Policy and procedures were followed correctly
- The fraud was prevented!
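The case study above works because the wire room applied the bond conditions in order (written agreement on file, authorization form received, and a call back for any transfer above the deductible) and placed the call itself rather than dialing the number offered in the email. The following is an added example, not code from the presentation or from the bank or insurer it describes; the record layouts, function names, dollar amounts and the "number of record" rule are all assumptions constructed to illustrate that sequence.

```python
"""Wire-room callback gate modelled on the bond conditions described in the deck.

Everything here (record layouts, function names, sample customer, amounts and
phone numbers) is constructed for the example and is not the bank's own process.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class CustomerRecord:
    customer_id: str
    wire_agreement_on_file: bool   # pre-arranged written wire transfer agreement
    phone_of_record: str           # number the bank already holds for this customer


@dataclass
class WireRequest:
    customer_id: str
    amount: float
    authorization_form_received: bool
    # A number the requester offers in the request itself ("call me on my cell at ...").
    # It is kept for the file but, by design, is never used for the callback.
    callback_number_in_request: Optional[str] = None


@dataclass
class Decision:
    approved: bool
    reason: str
    callback_number_used: Optional[str] = None


def evaluate_wire_request(
    request: WireRequest,
    customer: CustomerRecord,
    bond_deductible: float,
    confirm_by_phone: Callable[[str, WireRequest], bool],
) -> Decision:
    """Apply the bond's minimum conditions in order and return the decision.

    confirm_by_phone(number, request) stands in for the clerk's call back and
    returns True only if the person reached at that number confirms the wire.
    """
    if customer.customer_id != request.customer_id:
        return Decision(False, "request does not match the customer record")
    if not customer.wire_agreement_on_file:
        return Decision(False, "no pre-arranged written wire agreement on file")
    if not request.authorization_form_received:
        return Decision(False, "wire authorization form not received")
    if request.amount <= bond_deductible:
        # The bond does not require a callback below the deductible; a bank's own
        # policy may still require one for every non-in-person wire, as the bank
        # in the case study did.
        return Decision(True, "amount within bond deductible; callback not required by bond terms")
    number = customer.phone_of_record  # never the number supplied in the request
    if confirm_by_phone(number, request):
        return Decision(True, "callback to number of record confirmed the request", number)
    return Decision(False, "callback to number of record did not confirm the request", number)


# --- constructed sample data for a stand-alone run --------------------------
CUSTOMER = CustomerRecord("LAW-0001", wire_agreement_on_file=True, phone_of_record="555-0100")
BOND_DEDUCTIBLE = 25_000.0

# Two requests for the same customer: one the customer really initiated, and one
# from an impostor who supplies a different "cell" number in the email.
GENUINE_REQUEST = WireRequest("LAW-0001", 40_000.0, authorization_form_received=True)
IMPOSTOR_REQUEST = WireRequest("LAW-0001", 40_000.0, authorization_form_received=True,
                               callback_number_in_request="555-0199")


def simulated_callback(number: str, request: WireRequest) -> bool:
    """Stand-in for the phone call: only the real customer answers at the number of
    record, and they confirm only the wire they actually initiated (identity check)."""
    return number == CUSTOMER.phone_of_record and request is GENUINE_REQUEST


def run_case_study() -> tuple:
    """Evaluate both requests; returns (genuine_decision, impostor_decision)."""
    genuine = evaluate_wire_request(GENUINE_REQUEST, CUSTOMER, BOND_DEDUCTIBLE, simulated_callback)
    impostor = evaluate_wire_request(IMPOSTOR_REQUEST, CUSTOMER, BOND_DEDUCTIBLE, simulated_callback)
    return genuine, impostor


if __name__ == "__main__":
    for decision in run_case_study():
        print("APPROVED" if decision.approved else "REJECTED", "-", decision.reason)
```

The point of the structure is that the callback number is read from the customer record, so a request that arrives with its own "call me on my cell" number is verified against the bank's data, not the requester's; the impostor's request is rejected even though every other box was ticked.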
CYBER LIABILITY INSURANCE
Coverages:
Cyber Liability is designed to protect the bank from losses/litigation coming from 3rd parties (mainly customers, suppliers, other banks, etc.) due to an error, omission, or breach of duty for which the bank is legally obligated to pay.
CYBER LIABILITY INSURANCE
Coverages: Parts of a Cyber Liability Policy
Basic Cyber Liability (3rd Party):
- Failure to protect private or confidential information from unauthorized access
- Libel, slander, defamation
- Denial of access and/or service
- Loss or damage to electronic data of a customer
Claims Example: "Electronic Statement Error"
CYBER LIABILITY INSURANCE
Coverages: Parts of a Cyber Liability Policy
Intellectual Property (3rd Party):
- Protects the bank from litigation/loss involving infringement of copyright, trademark, trade name, etc.
Claims Example: "Interest Rate Error"
CYBER LIABILITY INSURANCE
Coverages: Parts of a Cyber Liability Policy
Breach Event Expense (1st Party Coverage): reimburses the bank for certain costs incurred due to the unauthorized access to, or acquisition of, customer information that is in the care, custody, or control of the bank.
- Costs of notification to the customers
- Costs to change account numbers / reissue cards
- Credit monitoring services for impacted customers
Claims Example: "Debit Card Error – Bank responsible"
WIRE TRANSFER ROOM
Some Employee "Best Practices":
- Train and re-train employees on policies and procedures.
- Violations of policy should become a terminable offense.
- Allow wire employees the ability to reasonably "upset" a customer because of the need to follow policies and procedures to the letter.
- Test the wire room by having members of Sr. Management or members of the Board of Directors call to attempt to make transfers in excess of the policies and procedures (impersonating senior staff is a new approach by fraudsters).
CORPORATE ACCOUNT TAKEOVERS
Corporate Account Takeovers are the fastest growing "criminal actions" being reported to bank insurers.
Issues:
- Customer service is in direct conflict with proper internal controls
- Social engineering scams are much more successful in smaller companies
- Customers' internal controls are significantly less sophisticated than the bank's
Claims Example:
CORPORATE ACCOUNT TAKEOVERS
Some Customer "Best Practices":
- Have the proper written agreement with the customer that includes "Hold Harmless" wording and specifically spells out who, what, where, when and how.
- Require customers who have higher-frequency or higher-dollar transactions to use a stand-alone computer for banking: no browsing, no email, no USB capabilities.
- Require customers who have higher-frequency or higher-dollar transactions to carry computer crime insurance; ask for a certificate of insurance.
Questions?