financial-psi

Multifactor Authentication will Help Ensure your Bank is Not the Next Cyber Crime Statistic

Tue, 28 Jun 2022 17:10:24 GMT

What is multi-factor authentication? Simply stated multi-factor authentication is the use of two or more authentication factors in order to verify a user’s identity prior to gaining access to your system.

Cyber crime, especially ransomware attacks are increasing at an alarming rate. Ransomware is a form of malware designed to encrypt files on a device making any file and the systems that rely on them unusable. Cyber criminals then demand ransom in exchange for decryption. Ransomware attacks can significantly impact your banks processes and leave the bank without the data needed to operate and deliver services to your customers. Not only do you have the financial risk mentioned above but also the reputation risk that your bank would have if your customers don’t feel that your systems are secure.

Due to the rise of these attacks most cyber insurers are starting to limit coverage and the underwriters and regulators are taking a fine-toothed comb look into your cybersecurity practices. At renewal, almost all and soon to be all of our carriers are asking for insureds to increase protections, most notable MFA (multi-factor authentication). Most of these insurers have added a very detailed ransomware supplemental application and are issuing non-renewal notices to all those that do not properly answer the questions on these applications. It is estimated that by properly implementing MFA that 99.9% of account compromise attacks can be blocked. Also 94% of ransomware victims investigated did not use MFA.

What is MFA? Simply stated multi-factor authentication is the use of two or more authentication factors in order to verify a user’s identity prior to gaining access to your system. It can be a password, a text sent to a mobile phone or something like biometric identification like a fingerprint. These layers of security make it more difficult for the cyber criminals to access a bank’s system.

Since we all have many passwords for all of our various systems, many times this is the weakest link in a bank’s cyber security. Most of us get lazy with our passwords and this makes them easier to be compromised. According to the 2017 Verizon Data Breach Report, “weak or stolen passwords were responsible for 80% of the hacking related breaches.”3

There are three access points that definitely need to be protected by MFA. First, MFA is a must for remote network access. This security control will reduce the potential for a network compromise caused by lost or stolen passwords. If this is not in place a criminal can gain access to a banks network and look like an authorized user. Second, a bank must use MFA for both remote and internal administrative access. This helps prevent criminals that have compromised an internal system from obtaining privileges and obtaining broader access to the network. If the criminal gains this type of access, they can deploy ransomware across the network and can even turn off anti-malware protection. The third access point to protect with MFA is remote access to email. This will help reduce a criminal’s ability to gain access to a user’s corporate email account and use it to gain access through non-corporate devices.

Below are some of the questions that must be answered yes in order to renew most cyber policies:

Is multi-factor authentication required for all employees when accessing email through a website or cloud-based service?
Is MFA required for all remote access to the network provided to employees, contractors and third-party service providers?
In addition to remote access, is MFA required for the following, including such access to third-party service providers?

As you can see, MFA is a really important tool for your bank to help prevent ransomware and other cyber crimes. Also, your cyber insurance renewal may depend on your implementation of MFA!

Learn about How the Gramm-Leach-Bliley Act Affects Your Bank

Tue, 28 Jun 2022 15:31:06 GMT

Protecting the privacy of consumer information held by financial institutions is at the heart of the financial privacy provisions of the GLB Act.

The Gramm-Leach-Bliley Act (GLB), also known as the Financial Modernization Act of 1999, was enacted to control the ways that financial institutions deal with their customers’ nonpublic personal information (NPI). Under the GLB Act, financial institutions are required to:

Ensure customers’ NPI is properly protected (Financial Privacy Rule)
Develop a written information security plan that describes their program to protect customer information (Safeguards Rule)
Protect customers from individuals and companies that collect their NPI under false pretenses (Pretexting Rule)

The Financial Privacy Rule

Protecting the privacy of consumer information held by financial institutions is at the heart of the financial privacy provisions of the GLB Act. The GLB Act requires companies to give consumers privacy notices that explain the institutions’ information-sharing practices. In turn, consumers have the right to limit some—but not all—sharing of their information.

The GLB Act defines financial institutions as companies that offer financial products or services to individuals, like loans, insurance, or financial or investment advice. The Federal Trade Commission (FTC) has authority to enforce the law with respect to financial institutions that are not covered by the federal banking agencies, the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission and state insurance authorities. Among the institutions that fall under FTC jurisdiction for purposes of the GLB Act are non-bank mortgage lenders, loan brokers, some financial or investment advisors, tax preparers, providers of real estate settlement services and debt collectors. At the same time, the FTC’s regulation applies only to companies that are “significantly engaged” in such financial activities.

The law requires that financial institutions protect information collected about individuals; it does not apply to information collected in business or commercial activities.

A company’s obligations under the GLB Act depend on whether the company has consumers or customers who obtain its services. A consumer is an individual who obtains or has obtained a financial product or service from a financial institution for personal, family or household reasons. A customer is a consumer with a continuing relationship with a financial institution. Generally, if the relationship between the financial institution and the individual is significant and/or long-term, the individual is a customer of the institution. This is important because only customers are entitled to automatically receive a financial institution’s annual privacy notice.

The annual privacy notice must be a clear statement of the company’s privacy practices. It should explain how the company collects NPI, who the NPI is shared with and how the company protects that data. Consumers and customers have the right to opt out of, or say no to, having their information shared with certain third parties. The privacy notice must explain how they can do that, and offer a reasonable way.

In 2015, Congress amended the GLB Act as part of the Fixing America’s Surface Transportation Act (FAST). The amendment allows exemptions to the annual privacy notice for financial institutions that meet certain conditions. Those conditions include the institution limiting the sharing of customer information so that the customer does not have the right to opt out and not changing the privacy notice from the one previously delivered to the customer.

The Safeguards Rule

The Safeguards Rule requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure. In addition to developing their own safeguards, companies covered by the Safeguards Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.

The Safeguards Rule requires companies to develop a written information security plan that describes their program to protect customer information. The plan must be appropriate to the company’s size and complexity, the nature and scope of its activities and the sensitivity of the customer information it handles. As part of its plan, each company must:

Designate one or more employees to coordinate its information security program;
Identify and assess the risks to customer information and evaluate the effectiveness of the current safeguards;
Design and implement a safeguards program, and regularly monitor and test it;
Select service providers that can maintain appropriate safeguards; and
Evaluate and adjust the program when necessary.

Pretexting Rule

The Pretexting Rule was put in place to stop individuals or companies from gathering and selling NPI under false pretenses. Pretexters sell a person’s information to people who may use it to get credit in the victim’s name, steal the victim’s assets, or investigate or sue the victim. Pretexting is illegal.

Under the GLB Act’s Pretexting Rule, it is illegal for anyone to:

Use false, fictitious or fraudulent statements or documents to get customer information from a financial institution or directly from a customer of a financial institution;
Use forged, counterfeit, lost or stolen documents to get customer information from a financial institution or directly from a customer of a financial institution; and
Ask another person to get someone else’s customer information using false, fictitious or fraudulent statements.

Violations of the Pretexting Rule can result in civil penalties up to $11,000 for each violation, as well as criminal penalties.

Protecting Against Security Breaches

Tue, 28 Jun 2022 15:23:02 GMT

In order to properly prepare for breaches in security, banks must tighten their data security controls and plan methods of customer notification.

Banks are top targets for security breaches. While the media often reminds us of high- profile network leaks, banks of all sizes are at risk. Because the unintentional release of sensitive customer information is a larger risk than ever, it is essential that you be prepared to react efficiently and effectively in the event of a breach.

In order to prepare for breaches in security, banks must tighten their data security controls and plan for a potentially significant financial blow should these controls be insufficient. With continual threats of viruses, hackers and unauthorized use of sensitive information, your institution must respond by preventing, detecting and responding to cyber-attacks through a well-orchestrated cyber security program.

The Safeguards Rule

The Federal Trade Commission (FTC) issued the Gramm-Leach-Bliley (GLB) Act, which requires financial institutions to ensure the security and confidentiality of sensitive personal information. The Safeguards Rule, which requires all financial institutions under FTC jurisdiction to take steps to keep customer information secure, was issued with the GLB Act. The measures enacted depend on the size and complexity of the company, the nature and scope of its activities and the sensitivity of the customer information it possesses. The FTC requires each plan to include the following components:

A designated coordinator of the information security program
An assessment of risks to customer information in each relevant area of the company’s operation and an evaluation of the current safeguards for controlling these risks
A program in place to prevent security breaches
Service providers that, by contract, maintain appropriate safeguards
Regular adjustments to the information security program in light of relevant circumstances, changes in the company’s operations or results of security monitoring

Create a formal, documented risk management plan that addresses the scope, roles, responsibilities, compliance criteria and methodology for performing cyber risk assessments. This plan should include a characterization of all systems used at the organization based on their function, the data stored and processed and importance to the facility.

Employee Training

Employees using data are the first line of defense against security breaches. Thorough training is a keystone of any information security program. Follow these guidelines to promote employee cooperation:

Conduct background checks before hire.
Ask employees to review and sign your company’s confidentiality and security policy.
Limit access to information to those employees that require it for job duties.
Train employees to store materials such as laptops or mobile devices in secure places.
Train employees to encrypt information, lock rooms and file cabinets, and report all attempts to obtain customer information.
Remind employees of the legal requirement to keep information secure and confidential, and impose disciplinary policies for violators.
Immediately deactivate passwords for employees who are terminated.

Network and Information Systems

Design your information systems so that they are as protected as possible from security breaches:

Take precautionary measures when selecting an internet service provider (ISP).
Use appropriate audit procedures to detect improper disclosure or theft of customer information immediately.
Dispose of customer information in a secure way, shredding papers and erasing data on electronic hardware such as computers or hard drives.
Maintain inventory of your company’s computers and other mobile devices.

In the Event of a Breach

A swift, appropriate response is important if your company experiences a security breach. Follow these steps to minimize damage:

Preserve and review files or programs that might reveal the extent of the breach.
Secure any information that may have been compromised.
Notify consumers, law enforcement and businesses if the breach poses the risk of identity theft, criminal activity or other related harm. State laws regarding notification vary.

Transferring the Risk

Cyber security is a serious concern for all financial institutions. The cost of a security breach can be considerable, and may include the following:

Credit monitoring services for affected customers
Creation of new account numbers and re-establishing secure account numbers
Issuing new credit or debit cards
Hiring a crisis management or public relations firm
Class-action lawsuits
Irreversible damage to the corporate brand

Be sure you are taking steps to prevent security breaches and creating a plan in case one does occur. Contact Financial Products and Services, Inc. to learn about our risk management resources and insurance solutions, such as Internet and media liability, security and privacy liability, and identity theft insurance.

Protect Your Institution from Employee Theft

Wed, 16 Feb 2022 21:22:19 GMT

In a financial institution, employee theft is always a concern and that risk is amplified by the current state of the economy.

In a financial institution, employee theft is always a concern and that risk is amplified by the current state of the economy. Normally honest employees may resort to theft if they are facing tremendous financial burdens at home. Employees may also be motivated to steal if they were given extra responsibilities after others were terminated without an increase in compensation. It is important that you recognize this risk so that you can take action to prevent it.

Of course, with employees handling financial transactions, there is always a concern for embezzlement. However, a growing problem among financial institutions is employees taking advantage of their access to sensitive customer information. While the ideal solution would be to limit access to that information to as few employees as possible, this is often impractical while also striving to deliver the best customer service possible. In addition, employees with access to the internet may use company time to handle personal business or surf the web, which is known as time theft.

Tips to Prevent Theft

To curb theft at your organization, consider the following safeguards:

Communicate with your employees about the economy and how it will affect your organization. Be open and honest, but discourage them from panicking.
Try to maintain a positive work environment even during tough times. Encourage open communication, listen to employees’ ideas and recognize employee achievement.
Educate your employees about what is considered fraud and the consequences associated with it, and emphasize that the company has a no-tolerance policy.
Conduct more internal audits, both of your overall financials and of individual employees’ daily transactions.
Increase company oversight by upper management and owners.
Consider using a payroll service to ensure accuracy.
Purchase Embezzlement Insurance.
Consider installing surveillance equipment. Be mindful that this may decrease employee morale if they feel that they are not trusted. You may also want to monitor computer activity more closely, including who has access to sensitive information and whether that access is necessary for their job.
Upper management may consider taking a pay decrease or not receiving bonuses, so that lower-level employees see that everyone in the organization is affected by the economy.
Try to split up financial responsibilities among different employees when possible. One person should not have too much control. You may also try rotating duties regularly and conducting frequent double checks on the books.
Encourage employees to use their vacation time. If someone is stealing, it may become more evident once they are away for a few days.
Establish a fraud hotline for employees to report suspicious or fraudulent behavior. Give them the option to call anonymously.
Conduct thorough background checks on all your new hires.
Train managers and supervisors to monitor employees and watch for suspicious behavior. Any suspicious behavior should be reported and further investigated.

To learn more about Embezzlement Insurance, contact Financial Products and Services, Inc. at 615-244-5100 today.

Guidelines for Pre-Employment Background Checks

Fri, 04 Feb 2022 21:19:35 GMT

Background screening of prospective employees is an effective risk management tool that can reduce employee turnover, deter theft and embezzlement and prevent litigation over hiring practices, especially in the financial industry.

Background screening of prospective employees is an effective risk management tool that can reduce employee turnover, deter theft and embezzlement and prevent litigation over hiring practices, especially in the financial industry where employees work with sensitive material on a daily basis. Although background checks do present some costs, the risk of hiring someone without having performed this screening could signify considerably heavier financial consequences; the cost of recruiting, hiring and training an unqualified employee only to then search for a replacement can represent a significant burden.

Advantages of Pre-screening

Many job applicants have a criminal record that would compromise their job placement, yet they do not disclose this information. Therefore, consider these advantages of pre-screening potential employees:

Discourages applicants from hiding a criminal background or falsifying their credentials.
Eliminates any uncertainties about applicants in the hiring process.
Encourages honesty while going through the hiring process.

The Federal Deposit Insurance Corporation (FDIC) issued a set of guidelines for those institutions it supervises on developing an effective pre-employment background screening process. The following are the key elements of these FDIC guidelines and associated considerations.

Extent of Background Checks

At a minimum, it is advisable to ensure that an applicant’s history does not include a criminal conviction or deferred prosecution for a specific crime, such as dishonesty, breach of trust or money laundering that would bar him or her from working in the industry in accordance with Section 19 of the Federal Deposit Insurance Act. Searches might include federal, state and county records.

Beyond the basic criminal background check, the FDIC suggests taking a risk-focused approach to determining additional levels of screening, which might include identity verification, education verification and professional license verification. The access level and sensitivity of the position will be key factors in determining whether or not additional screening is appropriate. It is advisable to maintain background checks on existing employees by continuing to perform them on a regular basis.

Sanctions Checks

The FDIC also recommends you check each federal banking agency’s listing of individuals who have been assessed civil money penalties or that have been banned from banking. Regulatory sources might include the New York Stock Exchange (NYSE), the Financial Crimes Enforcement Network (FinCEN), the Office of Foreign Asset Control (OFAC) or the FBI Most Wanted Terrorist List. This initial screening stops the process if certain criteria are not met during the searches.

Employment Applications

The background check will be more efficient, more valuable and less costly if the employment application contains certain elements, such as a statement that all information is accurate and that any untruthfulness or omissions are legal grounds for termination. A standardized format that consistently collects all necessary information will also speed the background screening process. Some other helpful elements include the following:

Any other names used
Reason for leaving past positions (“disagreement” or “mutual agreement” are red flags)
Specification that names of actual employers must be listed (staffing firms should be listed, not the firm hosting temporary workers)
Detailed contact information for references listed

A simple way to streamline the process is to implement an online application process that requires certain fields necessary for the screening to be completed. When a need for revision arises, the form can be easily modified across the entire organization. The application can be linked directly to providers’ systems that will extract all necessary information for the background screen.

Verify that all information on the application is accurate, and check credit reporting agencies for any anomalies.

Legal Duties

To simplify the task, you may find it helpful to outsource the process to a background screening service provider. For many screening tasks, such as criminal background checks, outside providers can be faster and more thorough. It is important that when selecting such a provider, you consider financial statements and health, the provider’s hiring and employment processes, identity theft safeguards and, of course, service offerings.

You have several obligations to the applicant under the Fair Credit Reporting Act (FCRA):

Any applicant on whom an institution performs a background screen must give his or her written authorization to conduct the report.
If you ultimately deny employment, you must provide notification through pre-adverse action and final adverse action notification letters.

For More Help

If you need more information about protecting yourself from liabilities associated with hiring and termination, contact Financial Products and Services, Inc.. Our insurance experts can keep you covered and give you peace of mind.

Keeping Customers Safe In a Remote Environment—Wire Fraud

Wed, 19 Jan 2022 21:18:27 GMT

These days more people are working remotely than ever before and many tasks previously done in person are happening online, including banking.

These days more people are working remotely than ever before and many tasks previously done in person are happening online, including banking. Unfortunately, fraudsters are aggressively taking advantage of potential vulnerabilities that arise from this increased online activity.

Businesses are acclimating to the current unusual circumstances by offering additional services virtually. For community banks, this means working with customers by email or online, allowing electronic signatures on important documents, among other virtual services, which opens up the door for an exposed environment. Should these cyber criminals gain access to Personally Identifiable Information (PII), they can easily pose as the bank “customer”, another financial institution, another party to the transaction, or even someone else within the bank looking to transfer funds.

While wire transfer fraud is certainly not a new source of loss for community banks, criminals have been exploiting the increase in electronic and remote banking. They are constantly finding different ways to perpetrate this type of fraud. Therefore, it’s extremely important to stay vigilant while customers and employees are remote.

Security Alert—Wire Transfer Fraud involving Real Estate Loan Proceeds

There has been a significant uptick in wire transfer fraud schemes involving real estate loan proceeds and wire transfer instructions purportedly from a title attorney/agent or someone else in the bank. The transfer requests and wire transfer instructions are coming in via phone, fax and email. Whenever requests and instructions are received via phone, fax or email—whether from a customer, another financial institution, a title attorney, a real estate agent, or even someone else in the bank—consider having employees follow the same out-of-band verification procedures that would be performed on any other wire request. Not just with the initial request and instructions, but also with any change in the request of instructions (i.e., when new receiving bank account information is received).

Perform a Wire Transfer Risk Management “Check-up”

This could start by reviewing the requestor’s account and confirm that the bank has a written agreement with the customer authorizing the bank to transfer funds on deposit in reliance on instructions received via phone, fax or email. Other considerations may include:

Is it unusual for this customer to request a wire transfer?
Has there been a recent transfer of funds into the account from a home equity line of credit? Fraudsters frequently target home equity lines of credit since customers are not as vigilant in checking the status of these accounts. Additionally, information on the existence of these accounts is publicly accessible.
Are the funds being transferred to a foreign account?
Does the customer seem to be in a great hurry to complete the transfer?
Is the request coming from a legitimate email address? Fraudsters often use email addresses that are very similar to a customer’s legitimate email address (i.e., using the number “1” in place of the lower case letter “l”). Review email addresses closely.
Has the phone number on file for this customer recently been changed?
Has the receiving bank account information, or any other material detail of the request, recently been changed?

Additional steps to help mitigate risk could include:

Updating customer files with alternate phone numbers so that callbacks can be made to multiple phone lines.
Using a multi-factor authentication method. Work with your customer in advance to record at least three different security questions and answers that only they would know the answer to. When performing a callback during a transfer request, ask the customer each question.
Establishing alternate electronic verification methods, such as PIN numbers or security tokens.
Executing a written agreement that details who is authorized to execute a transaction, which accounts are eligible for transfers, what security measures and verification steps are in place, which communication methods are used and who is liable (and for what) if fraud were to occur.
Elevating all out-of-the ordinary requests, and encouraging employees to view every wire transfer request with a healthy dose of skepticism.

While it is understandable that the bank would like to make the transfer process as easy as possible for its customers and others involved, it is important for the bank to recognize the risks and take the necessary steps—before and after receiving the request—to protect its customer’s money and its own money. Customers and others involved should understand that such measures are to their benefit, and they should appreciate the relatively minor inconveniences associated with verifying the legitimacy of the requests. With wire transfer fraud schemes becoming more frequent and complex, it is more important than ever for banks to protect themselves against this formidable risk.

Cyber Attacks—A Growing Business Interruption Threat

Fri, 17 Dec 2021 21:17:18 GMT

As businesses continue to rely on computers and digital storage of essential data, cyber attacks will continue to be a potential exposure.

When you think about what usually causes a business interruption, natural disasters such as fires, earthquakes and floods probably come to mind first. These events can physically damage your property and equipment, making your workspace unusable for a time.

The damages from Hurricane Katrina and Superstorm Sandy are great examples of how a natural disaster can put a halt to a business’s day-to-day operations. Many of those affected businesses remain closed to this day.

While natural disasters are still the main reason for an interruption, another cause is quickly moving up the ranks: cyber attacks. As businesses continue to rely on computers and digital storage of essential data, cyber attacks will continue to be a potential exposure. Read on to learn how a cyber attack could lead to a business interruption and what you can do to mitigate the risk.

How Cyber Attacks Cause Business Interruptions

Hackers, thieves and other unauthorized individuals have become adept at exploiting weaknesses in a business’s computer system, whether through traditional hacking methods or social engineering. There are several types of attacks that could completely cripple your ability to perform normal business activities, including:

Malicious code that renders your website unusable
Distributed denial of service (DDoS) attacks that make your website inaccessible to employees and customers alike
Viruses, worms or other code that deletes critical information on a business’s hard drives and other hardware

It is quite easy to see how any of these events might leave your company scrambling to do business. Unfortunately, many small businesses don’t have the manpower available to detect the problem and work on fixing it, which only increases the length of an interruption.

Third-party Interruptions

You can still be affected even if it isn’t your business that experiences a cyber attack. Imagine what would happen if one of your vendors suffered an attack, resulting in a complete shutdown of its warehouse or website.

Unfortunately, attacks on third parties are often out of your control. Such an event could have a profound effect on how much business you are able to do, and that would trickle down to your customers, who may rely on your products or services.

Ways to Prevent a Cyber Attack

A common saying in the cyber security world is, “It’s not if you’ll be a victim of a data breach, but when.” While 100% protection is impossible, you can help lower your chance of business interruption due to a cyber attack by following these tips:

Create a formal, documented risk management plan that addresses the scope, roles, responsibilities, compliance criteria and methodology for performing cyber risk assessments.
Make sure all firewalls and routers are secure and kept up to date.
Implement a cyber security policy that educates employees about the dangers of computer intrusions and how to prevent them. Financial Products and Services, Inc. can help you draft a cyber security policy specifically tailored to your company.
Download and install software updates for your operating systems and applications as they become available.
Implement a strict password policy and have employees change system passwords every 90 days.
Limit employee access to company data and information, and limit authority to install software.
Make sure you are covered by a cyber liability insurance policy.

How Cyber Liability Coverage Can Help

Most traditional commercial general liability (CGL) policies will not cover business interruption losses due to a cyber event. Luckily, cyber liability coverage can fill that void.

Should your business be unable to perform normal business operations, a cyber liability policy can help pay for expenses related to an interruption. The coverage pays for:

Lost income due to the event
Profits that would have been earned had the event not occurred
Operating expenses, such as utilities, that must be paid even though business temporarily ceased
Rented or leased equipment

Cyber liability coverage also helps protect your business from the following events:

Data breaches, including costs for customer notification, some legal costs and credit monitoring for those affected
Damages to third-party systems, if, for example, an infected email from your servers crashes the system of a customer or vendor
Data or code loss due to a natural disaster or malicious activity (physical losses are covered on a different type of policy)
Cyber extortion, including ransomware, which is malicious code installed into a computer on your network that prevents you from accessing it until a ransom is paid

Even though business interruptions due to cyber attacks are relatively uncommon, being unprepared for one could prohibit you from doing business as usual. Contact Financial Products and Services, Inc. today to find out how we can help you avoid a business interruption.

5 Cyber Risk Questions Every Board Should Ask

Sun, 12 Dec 2021 21:15:56 GMT

When a data breach or other cyber event occurs, the damages can be significant, often resulting in lawsuits, and serious financial losses.

When a data breach or other cyber event occurs, the damages can be significant, often resulting in lawsuits, and serious financial losses. What’s more, cyber exposures impact businesses of all kinds, regardless of their size, industry, or status as a private or public entity.

In order for organizations to truly protect themselves from cyber risks, corporate boards must play an active role. Not only does involvement from leadership improve cyber security, it can also reduce liability for board members. To help oversee their organization’s cyber risk management, boards should ask the following questions:

Does the organization have a comprehensive cyber security program? Does it include specific policies and procedures?

It is essential for companies to create comprehensive data privacy and cyber security programs. These programs help organizations build a framework for detecting threats, remain informed on emerging risks and establish a cyber response plan.

Corporate boards should ensure that cyber security programs align with industry standards. These programs should be audited on a regular basis to ensure effectiveness and internal compliance.

Does the organization have a breach response plan in place?

Even the most secure organizations can be impacted by a data breach. What’s more, it can often take days or even months for a company to notice its data has been compromised.

While cyber security programs help secure an organization’s digital assets, breach response plans provide clear steps for companies to follow when a cyber event occurs.

Breach response plans allow organizations to notify impacted customers and partners quickly and efficiently, limiting financial and reputational damage.

Board members should ensure that crisis management and breach response plans are documented. Specific actions noted in breach response plans should also be rehearsed through simulations and team interactions to evaluate effectiveness.

In addition, response plans should clearly identify key individuals and their responsibilities. This ensures that there is no confusion in the event of a breach and your organization’s response plan runs as smoothly as possible.

Has the organization discussed and formalized a cyber risk budget? How engaged is the board in terms of providing guidance related to cyber exposures?

Both overpaying and underpaying for cyber security services can negatively affect an organization. Creating a budget based on informed decisions and research helps companies invest in the right tools.

Boards can help oversee investments and ensure that they are directed toward baseline security controls that address common threats. Boards, with guidance from the chief security officer or a similar cyber leader, should also prioritize funding. That way, an organization’s most vulnerable and important assets are protected.

Has management taken the appropriate steps to reduce cyber risks when working with third parties?

Working alongside third-party vendors is common for many businesses. However, whenever an organization entrusts its data to an outside source, there’s a chance that it could be compromised.

Boards can help ensure that vendors and other partners are aware of their organization’s cyber security expectations. Boards should work with the company’s management team to draw up a standard third-party agreement that identifies how the vendor will protect sensitive data, whether or not the vendor will subcontract any services and how it intends to inform the organization if data is compromised.

Has the organization conducted a thorough risk assessment? Has the organization purchased or considered purchasing cyber liability insurance?

Cyber liability insurance is specifically designed to address the risks that come with using modern technology—risks that other types of business liability coverage simply won’t cover.

The level of coverage your business needs is based on your individual operations and can vary depending on your range of exposure. As such, boards, alongside the company’s management team, need to conduct a cyber risk assessment and identify potential gaps. From there, organizations can work with their insurance broker to customize a policy that meets their specific needs.

How We Can Help

Asking thoughtful questions can help boards better understand the strategies management uses to prevent, detect and respond to data breaches. When it comes to cyber threats, organizations need to be diligent and thorough in their risk prevention tactics, and boards can help move the cyber conversation in the right direction.

Cyber exposures impact organizations from top to bottom, and all team members play a role in maintaining a secure environment. However, managing personnel and technology can be a challenge, particularly for organizations that don’t know where to start. Contact us today to learn more about cyber risk mitigation strategies you can implement today to secure your business.