The Missing Piece in Cybersecurity
If your credit union doesn’t have cyber insurance, you’re setting yourself up for a costly mistake. More than 75% of credit unions go without this essential piece of security protection, according to CUNA Mutual Group.
No matter how big or small your organization is, it is a target for cybercrimes. Nearly one-third of all cyberattacks in 2013 targeted companies with fewer than 250 employees, according to the 2014 Internet Security Report from Symantec.
The average cost to U.S. financial organizations for each lost or stolen record containing sensitive and confidential information was $236, according to Ponemon’s “2014 Cost of a Data Breach” study.
Whether due to a vulnerability or to an employee losing a laptop or inadvertently clicking on a malicious link or attachment, at some point, no matter how many layers of protection you have around your network, your credit union is almost certain to be breached.
Cyber insurance can reimburse you for much of the cost, including business interruption protection, hiring staff or a vendor to clean up the breach, legal fees, public relations fees to protect your credit union’s reputation, and notifying members that their private information may have been stolen.
If an attacker shuts down your network, your business could be down for a while. You must think not only about how that would affect your members but also about how it would affect billing and payments with the other organizations you do business with.
There are about five or six dozen cyber insurance carriers but only a few main players, says Bob Parisi, managing director at MARSH, one of the world’s largest commercial insurance brokers.
Policies offer different benefits to suit your needs and budget, so speak with a couple of brokers to guide you and see which one can offer the best plan for your credit union. Some carriers specialize in serving specific industries while others serve organizations based on size.
Parisi said underwriters take compliance and security policies and practices into consideration before insuring any organization. He added that underwriters typically want to talk with an organization to understand its security practices, but smaller companies may only need to complete a short-form application to apply. An underwriter will likely ask about previous audits and security events, and organizations should be able to share what they are doing about the vulnerabilities that have been discovered in their networks.
Jay Isaacson, vice president of commercial products at CUNA Mutual, said that a Computer Security Incident Response Plan, tabletop plans, pen tests and other controls, such as compliance with industry regulations, are all considered in the underwriting process and can help a credit union obtain coverage at the best possible rates.
Although cyber insurance has been around for more than a decade, Parisi said MARSH has seen aggressive growth in the past six months since the network breaches of major retail stores.
Last year, a series of cyberattacks repeatedly knocked major U.S. banking websites offline. The Izz ad-din Al Qassam Cyber Fighters claimed credit for the distributed denial-of-service attacks that took down websites of more than a dozen U.S. banks and credit unions for hours or days.
Although it is not highly publicized, smaller banks and credit unions are just as susceptible to attacks as larger ones. Attackers try their attacks on smaller and mid-tier banking institutions before trying them on larger ones, both because the smaller ones are known for not having as tight security and because they are a good testing ground before moving on to a larger one.