The Spofford Group Insurance Brokerage Ltd. was honored to be asked to share its expertise in insuring against cybercrimes by The Federal Reserve Bank of Boston. Rob Spofford and representatives of The Spofford Group presented during the November 14, 2018 gathering of chief information officers and others in similar positions at the Federal Reserve Bank of Boston. The presentation they shared, “Cyber Liability Insurance Overview,” can be downloaded below.
Interview the Expert
An Interview with W. Jackson Schultz
Lynne McCauley, Managing Director for The Spofford Group, recently sat down with W. Jackson Schultz, senior auditor with OCD Tech, to talk about the importance of cyber policies and compliance, some of the challenges smaller, community banks are facing when it comes to regulatory IT compliance, and the role of cyber liability insurance for banks and financial institutions.
Key Takeaway
“If there were an area that I’d say needs enhancement though, it would be security awareness training. Creating a security-aware internal culture is key to social engineering prevention. In my opinion, the human employee, or carbon-based vulnerability as I like to call them, is the largest ‘weakness’ within these institutions.”
Q: What are regulators looking for in assessing bank IT risks?
Schultz: Currently, it seems that the regulators are as interested in cybersecurity as they are in vendor management. The focus seems to be entirely on the FFIEC Cybersecurity Assessment Tool (CAT) and the way that vendors are risk-rated and tracked. The regulators are also interested to see if vendor due diligence materials are currently being maintained and reviewed. Finally, regarding vendor management, the examiners want to see alignment between vendor response times, in the case of a disruption, and the financial institution’s business continuity plan. This can be found in Appendix J of the Business Continuity Planning Booklet of the FFIEC IT Handbook.
Q: Where are you finding most banks have weaknesses?
Schultz: ‘Weaknesses’ is a bit of an unfair word for community financial institutions. Sure, these institutions don’t have as large of a budget as a multinational bank, but for their size and the amount of data they process, with the exception of a few outliers, they implement strong internal controls and work with knowledgeable vendors when they do not have internal expertise. If there were an area that I’d say needs enhancement though, it would be security awareness training. Creating a security aware internal culture is key to social engineering prevention. In my opinion, the human employee, or carbon-based vulnerability as I like to call them, is the largest ‘weakness’ within these institutions. As long as people continue to click on malicious links, these financial institutions will continue to be vulnerable.
Q: What are the challenges for the banks in staying abreast of current cyber threats?
Schultz: The challenge is really related to a few things. It’s definitely difficult for smaller-scale financial institutions to afford the talent that the big banks can, and that will put them a bit behind. With that being said, the information overload that they are expected to digest, a lot of times, can be incredibly overwhelming. Organizations like the Financial Services Information Sharing and Analysis Center, or FS-ISAC, are much needed in this industry. Sometimes, however, the information that is sent through their channels is not comprehensible by the smaller institutions who have nontechnical staff. Finally, rigorous compliance requirements take a hefty toll on an institution’s budget, leaving them short on funds to invest in important areas related to cybersecurity.
Q: What is the role of an IT Security vendor in helping banks maintain IT security?
Schultz: At OCD Tech, the IT Audit & Security Division of O’Connor & Drew, P.C., our role is to ensure that financial institutions meet compliance requirements, while also discovering vulnerabilities and advising them on ways to enhance their security posture against an evolving threat landscape. We do this by performing an IT general controls review, a vulnerability assessment, a penetration test, and social engineering testing. Particularly for the institutions without staff who are incredibly knowledgeable about information security, this is valuable, because they don’t have time to monitor and stay up-to-date on emerging threats. We, on the other hand, dedicate ourselves to staying one step ahead of the bad guys and working with our customer base to remain secure.
Q: We find most banks are purchasing cyber liability insurance but don’t always know what they are purchasing. What have been your findings with respect to cyber insurance?
Schultz: I couldn’t agree more. The cyber liability and insurance landscape is brand new, and is constantly changing. There are many different kinds of policies, and the type of coverage can vary from provider to provider. If it were me, I’d want an expert to evaluate my policy so that I know exactly what I’m getting, and precisely what’s covered.
When Hedge, Private Equity and Venture Capital funds wind down, fund managers and boards are often concerned about liabilities that may not arise until after the fund is closed. Wind-downs are not always ideal situations, and prior litigation with portfolio companies or liquidity issues for hedge funds can lead to increased concerns about potential litigation. Additionally, fund directors and fund managers may have conflicting interests. If the funds have professional liability coverage, they can negotiate and purchase the appropriate runoff coverage to get protection through the statute of limitations. If they don’t have professional liability insurance in place, it is not too late to purchase runoff coverage (also referred to as tail coverage).
Wind down/Runoff coverage can offer the following benefits:
- Affords the managers and directors protection should claims arise after the fund closes for wrongful acts related to managing the fund and the dissolution.
- Coverage runs to the statute of limitations.
- Investors know they will not be the first line of defense should claims arise after the fact.
- Allows the fund to reduce the escrow.
- The policies can be specially written (manuscript) to provide coverage for claims made prior to, during and after the fund closes.
Examples of Runoff Coverage utilized for Hedge, Private Equity, or Venture Capital Firms:
- A Private Equity fund had an opportunity to sell one remaining portfolio company and close the fund. The portfolio company management, while on board for the sale, had previously sued the PE Firm, so Private Equity management was concerned about possible future litigation. No professional liability coverage had previously been purchased. The purchase of the Runoff coverage allowed the Private Equity firm to reduce the escrow and distribute funds to investors while protecting themselves with indemnification for further litigation. Investors were not the first line of defense should litigation arise. Limits: $5M.
- Hedge Fund portfolio manager was winding down a fund. We were asked to step in and assist the hedge fund because they were concerned their current broker lacked the expertise to negotiate broad terms and conditions. The coverage allowed the fund manager to distribute more of fund assets to investors and have the peace of mind that indemnification would be readily available for any future litigation. Limits: $10M.
What is the cost of Runoff Insurance coverage for Hedge, Private Equity, or Venture Capital Funds?
The cost of the coverage varies. If professional liability coverage is in place the cost tends to be 1.5 to 2.5 times the annual premium for 6 to 7 years. If professional liability coverage has not been purchased the cost tends to be higher. The cost of runoff coverage when the fund is distressed also tends to be higher.
For additional information or if you have questions, please contact us here.
What Does A Chief Risk Officer Do?
The Chief Risk Officer (CRO) is the executive responsible for determining and mitigating significant competitive, regulatory and technological threats to a business’ base and income. In a society where cyber threats, competition between companies and new compliance requirements are growing on an exponential basis, this is a challenging position to say the least.
Strict standards for those in the compliance and archiving department
Due to the Sarbanes-Oxley Act of 2002, there are also strict standards set for everyone in the compliance department as well as in the archiving department. The United States Congress passed this legislation to protect shareholders and consumers from fraudulent acts and accounting errors of public companies, as well as to improve the accuracy of corporate disclosures. The United States Securities and Exchange Commission (SEC) administers the Act, which sets deadlines for compliance and implementation of its guidelines. The Act specifies which records need to be kept and for how long. The growing use of encryption can create an IT headache when trying to maintain compliance: encryption protects the clients, but it can also make it too difficult for the auditors to do their job. Maintaining readability of the records and protection for clients at the same time is a requirement of the SEC.
What role does the CRO play?
Not only must the CRO be aware of everything occurring in their company on a daily basis, but they must also be current on all of the SEC requirements that arise from the Dodd-Frank Act. The Dodd-Frank Act, which became law in July of 2010, aims to prevent another significant financial crisis by creating new financial regulatory processes that enforce transparency and accountability while implementing rules for consumer protection. This act created more stringent requirements for banks and for the breakup of companies deemed “too big to fail.” The SEC has adopted 65 of the provisions that the Dodd-Frank Act put forth and is discussing others to determine if they should be put into force.
The Dodd-Frank Act
One of the provisions of the Dodd-Frank Act created the Financial Stability Oversight Council (FSOC) to address persistent issues affecting the financial industry and prevent another recession. Banks are now required to have “funeral plans” for swift and orderly shutdown in the event that the company goes under. By keeping the banking system under a closer watch, the Act seeks to eliminate the need for future taxpayer-funded bailouts.
For more information about the CRO’s role, please refer to our White Paper, 2016 Risk Practices Survey.
Our new website is finally up. We’ve worked hard to get a beautiful new site ready, and we’re proud to show it off. Thanks for reading our blog. We have lots of great blog posts in the works. Please check back or contact us now to find out how we can help you.