The risk of a data breach is equal to or greater than the risk of natural disasters, business interruption, fires and similar insurable risks, according to 76% of the employees involved in business risk management surveyed by the Ponemon Institute. The institute’s August 2013 research report also notes that 56% of the organizations surveyed had been victims of a data breach within the previous two years.*
Your credit union’s Bond policy and other insurance policies may cover certain types of losses associated with a data breach. But if you don’t have a policy specifically dedicated to the growing array of data breach risks, you need to review your overall exposure to these risks.
Basic Elements of Cyber Crime Insurance
Security Breach Liability: The most basic element of a cyber liability policy helps protect your credit union against liability for damages caused by a security breach. For example, your employee’s laptop containing members’ account data is stolen, or your network is hacked by a criminal who steals credit card information. A court may award damages to other financial institutions that sue your credit union for negligence, such as faulty data security. If your credit union is responsible for theft of credit card numbers and CVV codes, the card provider may sue for the expense of notifying your members, blocking and re-issuing cards, etc.
Programming errors and omissions liability: Protects your credit union if members sue over an error that publicly discloses their private financial information.
Public relations expense: Pays for professional P.R. help in correcting misinformation and in mitigating damage to your credit union’s reputation among your members and the community at large.
Security breach expense: Covers costs such as hiring a forensic auditor to determine the extent of the breach, notifying affected members, handling members’ enquiries, etc.
Website publishing liability: Especially important for credit unions that host social networking programs such as Facebook on their website. Defamation of competitors is a typical risk if users post negative comments about other financial institutions.
A variety of coverages beyond these basics are available to protect your credit union from the potentially catastrophic losses caused by data breaches.
Network Security Tactics
Insurance is critical, but perhaps your best protection is a thorough annual review of your network security. Consider these prevention tactics:
Protect data in storage and during processing. Encrypt confidential member data (PII, personally identifiable information):
Residing anywhere on your network.
Residing in mobile devices, laptops, external storage media such as backup drives, etc.
Transmitted over the internet.
Establish a policy for acceptable use of internet/email.
This reduces the risk of infecting workstation computers and the credit union network with malware, viruses, etc.
Educate employees to reduce errors.
Instruct employees how to dispose of anything containing PII, such as old tape drives, disk drives, etc. Include proper disposal for paper records containing confidential member data.
Establish and continually update IT controls, including:
Intrusion detection system
The ability to protect members’ PII, paired with cyber liability insurance, will help minimize financial, legal (compliance) and reputation risk in the event of a data breach.
Ken Otsuka is a senior risk management consultant for CUNA Mutual Group.