Top five reasons to buy cyber

Making the case for cyber insurance, a relatively new type of cover, can be tough for brokers even if it’s clear that nearly all companies would benefit from it. So to help brokers make the argument for cyber insurance more easily, we’ve put together the top five reasons to buy cyber.

5. Cybercrime is the fastest growing crime in the world, but standard property or crime insurance policies can be restrictive in the cover they offer.
The widespread use of technology and the internet now means that your business is exposed to the world’s criminals and is vulnerable to attack at any time of the day or night. For example, social engineering scams are becoming a pandemic in the business world, leading to significant losses for companies of all types. Cyber insurance is at the forefront of protecting against this new wave of crime, providing cover for a wide range of electronic perils, from wire transfer fraud to ransomware.

4. Technology systems are critical to operating your day-to-day business but their downtime is not covered by standard business interruption insurance.
Almost all businesses rely on computer systems and other technology to conduct their core business, from electronic point of sales software to back office work flow management systems. In the event that these systems are brought down, a traditional business interruption policy would likely not respond. Cyber insurance can provide cover for loss of income and extra expense associated with a cyber event.

3. Data is one of your most important assets yet it is not covered by standard property policies.
Most businesses would agree that data or information is one of their most important assets and worth many times more than the physical equipment that it is stored upon. Yet most business owners do not realize that a standard property policy would not respond in the event that this data is damaged or destroyed. A cyber policy can provide comprehensive cover for data restoration and even re-creation in the event of a loss.

2. Complying with breach notification laws costs time and money.
Breach notification laws are now commonplace across many territories, and among other things, generally require businesses that lose sensitive personal data to provide written notification to those individuals that were potentially affected or risk hefty fines and penalties. Australia’s Notifiable Data Breaches Act, Canada’s Digital Privacy Act, Europe’s General Data Protection Regulation, and several US state laws make it a legal obligation to notify, and there is also a growing trend towards voluntary notification in order to protect your brand and reputation. Cyber policies can provide cover for the costs associated with providing a breach notice even if it’s not legally required, and can also cover the associated regulatory fines and penalties.

1. A good cyber policy provides access to a wide range of incident response services.
Responding to a cyber incident requires a range of specialists – from IT forensics firms to specialist PR agencies – that help deal with both the immediate aftermath as well as the longer term consequences of a cyber event. Small and medium sized businesses, in particular, are facing an uphill battle; not only are they increasingly being targeted by cybercriminals but they are also unlikely to have the range of required incident response specialists in-house. The good news is that cyber insurance can provide easy access to these services, helping companies more easily negotiate the changing face of crime.

Beware the data breach bear trap

Over the course of 2018, we have seen numerous pieces of data breach legislation come into force. Back in February, the Australian government enacted the Notifiable Data Breaches Act. In May, we saw the introduction of the EU’s General Data Protection Regulation (GDPR). In June, Alabama’s Data Breach Notification Act of 2018 came into force, meaning that all 50 states in the US now have data breach notification laws in place. And November will see the Canadian government bring in notification and record-keeping requirements as part of the Digital Privacy Act.

With all of these laws coming in to force, it’s understandable that brokers have given a lot of attention to their clients’ data breach and privacy exposures. However, while all this legislation is undoubtedly important in its own right, brokers and their clients shouldn’t see cyber insurance exclusively through this lens.

There are a couple of reasons for this. For a start, many businesses do not collect or deal with consumer data, so the argument that this legislation affects them and that they should buy cyber insurance to mitigate this risk is not one that will resonate. It’s important to stress that cyber insurance is not just about covering the losses associated with a data breach. It’s much broader than that and provides cover for a whole host of cyber related risks, ranging from theft of funds and cyber extortion to system damage and business interruption. In fact, almost a third of CFC’s cyber claims are a result of the theft of funds, which is a significant risk for almost any business, regardless of how much data they hold.

Secondly, for those organisations that do collect or deal with consumer data and are purchasing cyber insurance as part of their risk management strategy, there is a danger of focusing on data breaches to the exclusion of everything else. Unfortunately, we’ve seen a number of organisations purchase their policy limits based on the estimated cost of a data breach to their business (going off the number of records that they hold), and this can leave them woefully underinsured when other, non-privacy related events occur. For example, we recently dealt with a claim where a hospital fell victim to a destructive malware attack on their systems and incurred $7.1 million in system damage and business interruption costs, but they had only purchased a $5 million limit because they had primarily focused on the impact of a data breach on their business. You can read more about this case here.

The key message, then, is that brokers should look at the whole range of cyber risks that their clients may face when they are considering or purchasing cyber insurance, rather than focusing narrowly on data breaches.

The risky business behind live events

By Denny Jacob for Property Casualty 360

In the U.S., the world’s largest market for live events, revenue from events of all types is expected to show an annual growth rate of 8.8%, resulting in a market volume of $16.7 billion in 2022, according to a report from Take1 Insurance.

When it comes to live events like concerts or sporting events, many consumers still prefer to actually ‘be there’ in the moment. Even as technology advances — particularly with virtual reality (VR) — attendees tend to prefer live experiences for the sense of community and a level of authenticity that VR is unlikely to offer.

Recent incidents in 2017, however, have displayed the nefarious side to such events. From the Fyre Festival — which cost investors $26 million in losses — to the Route 91 Harvest Festival — projected to cost insurers more than $1 billion — live events are one disaster away from economic ruin.

“I think this could be a seminal moment in the insurance world,” says Scott T. Carroll, program director for Take1 Insurance’s entertainment division.

Live events have plenty of exposures

There are three main exposures in the world of live events, according to Matt Helm, contingency practice leader at CFC Underwriting: cancellation, liability and property.

Cancellation is effectively an instance of business interruption and is treated fairly similarly. Cancellations can occur due to adverse weather, performers not arriving, and the threat or act of terrorism.

“If there is a threat of terrorism, the first call of action might be to add more security or run an area sweep — with cancellation as a last resort,” says Helm. “The terrorism (act or threat) also might not necessarily be at the event venue, but in the surrounding area and therefore impact whether an event can continue.”

Additionally, Helm says there is “a growing conversation around cyber exposure for live events,” but notes “the industry has yet to really see claims to this effect.”

Some examples of possible targets via cyber attack during live events could be:

  • Electronic wrist bands (with cash and personal details attached);
  • Computer systems going down (meaning tickets can’t be checked, or lighting and display systems not functioning properly); and
  • Transmission is disrupted (meaning performances or sporting events aren’t able to broadcast)

3 ways to mitigate risks

Live-event producers and the vendors and service providers that support them can follow a set of principles to mitigate and minimize the changing array of risks faced by that industry sector.

  1. Assess: Stay alert to the most dangerous challenges facing live-event producers today. Compare what’s been taking place with your own situation. For instance, the report notes, a catastrophic fire in 2003 at a nightclub in West Warwick, R.I., uncovered a number of problem areas that other event producers could and did address, including the location, condition and markings of exits.
  2. Implement: A number of resources for live-event safety have emerged in the wake of various disasters. The Event Safety Alliance (ESA) has created guidelines event producers can follow to minimize risk. Its Event Safety Guide is the most widely used set of operational practices currently available in the live-event industry.
  3. Insure: Insurance is the single biggest factor in the aftermath of an adverse incident, thus it ought to be one of the first to be considered ahead of time. But coverage can become tricky, particularly with mass shootings. Companies and individuals who experienced business losses stemming from those events could look to the federal government’s Terrorism Risk Insurance Program Reauthorization Act (assuming they had opted for it in the first place) only if the incident was declared a terrorist act. And even if their losses met that condition, those losses would have to have exceeded a minimum of $5 million in aggregate loss.

Unseen costs

Most of the attention post-disaster has focused on monetary awards resulting from lawsuits and settlements. While unsurprising, they often don’t tell the whole story.

Event production vendors looking to protect themselves must focus on tools of the trade — sound systems, cameras and entire production trucks, among others — because they can be rendered unavailable for periods of time. Until they are either released by authorities or become available to be evaluated and declared total losses, service providers and vendors — as well as the venues themselves — experience a degradation of their ability to generate revenue and absorb the costs of these business interruptions.

The world of live events has changed — much for the better, but dangers still lurk. Risk management around live-event production also must change to ensure that attendees, vendors and venues themselves are safe and secure.

You can read the article on Property Casualty 360 here

Spot Market Purchase Causes Supply Chain Problems

Manufacturers often have a complicated production process involving multiple materials and components incorporated into a finished product. Further issues can arise where the manufacturer’s product is a small component, part of a far more complex product.

Product quality, supply issues, production breakdown and human errors can all cause complications in a supply chain. Not only will this result in delayed production internally, but it will also have a knock on effect with connected suppliers.

In this product recall case study, we explore how a steel casting manufacturer opted to use the spot market to fill a product shortage but suffered severe consequences as the supplier had not been vetted or verified.

The insured, a privately-owned steel casting manufacturer with a portfolio of standard castings and custom-made products, specialises in carbon steel flanges. This sector of its business has an annual revenue of USD 25,000,000 and makes up 40 percent of the overall company revenue. The flanges are used in consumer products such as automobiles, fridges and HVAC units. The manufacturer has been in operation for 30 years.

FAULTY PRODUCTS DISCOVERED
The insured was first notified of a problem by its customer, an automotive component manufacturer in Michigan. The component manufacturer had performed some pressure tests on the supplied steel flange and discovered that the steel snapped at very low temperatures (which mimic conditions in Northern Michigan during winter).

The insured had not retained any samples from that production lot and requested that the customer return any stock available so it could investigate the issue with the flange. Due to a logistical mistake, the customer initially sent back rods from a prior production lot, which added on a three-week delay to the investigation. When the correct steel was returned, the insured ran various physical tests which confirmed that it was far more brittle than expected.

Metallurgical analysis then revealed that the carbon composition of the steel was higher than intended, which was the cause of the increased brittleness. The steel casting manufacturer traced the raw material used in that production lot to determine how many days of operation were affected by the faulty product. This also indicated where the faulty product would have been used by other companies in the supply chain. The tracing exercise showed that the particular raw material in question was purchased on the spot market after the insured’s usual supplier was not able to fulfil requests over a four day period. The insured very rarely uses spot markets, but on some occasions it is necessary, and doing so is quite common in the industry.

The complaint from the component manufacturer was the only issue raised directly to the insured, and was addressed by shipping replacement steel and a small payment to cover expenses – an overall cost of USD 35,000. However, because the carbon composition of the affected batches fell outside the range that most customers had agreed as acceptable, the insured decided to notify all of the customers who may have purchased parts made with the substandard steel.

ESTIMATING THE LOSS
Rather than offer refunds for the faulty steel, which would have topped USD 450,000 and more than depleted the insured’s cash reserves, the insured instead offered to replace the steel. However, given the time delay between the sale and the defect notification, many of its customers had already incorporated the flange into their products and instead claimed for financial compensation from the insured citing the following unexpected costs:

  • Cost of disposed products due to incorporation of faulty flange
  • Costs of removing components which incorporated faulty flanges from in-progress and finished vehicles
  • Credits charged for future purchases
  • Loss of sales, as one customer lost a contract with a large car manufacturer due to this issue
  • Various administration costs

The amount claimed against the insured by its customers totalled USD 3,500,000, and the insured was legally liable for these costs according to their supply contract with the customers, as well as common law (i.e. the insured was negligent).

The insured did not have sufficient cash reserves to satisfy even a third of these claims, especially as they needed to purchase raw materials to continue operating and fulfilling other orders. Additionally, three new customers filed lawsuits and the insured’s in-house lawyer required the help of external counsel who charged USD 450 per hour and required a USD 20,000 retainer.

PRODUCT RECALL POLICY AND RECALL EVENT LIABILITY
As a result of the recall, the insured suffered a significant financial and reputational loss, and the viability of the business was under threat due to the impact on cash flow. Luckily, the insured’s product recall policy included an extension for recall event liability, which covered their legal costs for compensation and lawsuits, as well as any sums which they were legally obligated to pay. The purchase of the policy ensured the survival of the business and safeguarded their cash flows, ensuring they could continue purchasing supplies and conducting business as usual.

The companies and circumstances in this case study are fictional, but the scenarios are realistic and reasonable based on our experience.

You can print and share the case study here.

Business interrupted: Part one

Today, business interruption in cyber insurance policies is back in a big way. To explore this growing risk, we’re running a three-part blog series on the subject exploring the many ways in which BI cover is essential for modern businesses, and key things brokers and clients should look out for. Today’s post examines the value of longer indemnity periods.

When the first cyber insurance policies emerged in the late 1990s, aimed at the first breed of dotcom companies, system business interruption was one of the primary drivers of these products. These were companies that had a reliance upon technology that had yet to become commonplace in the rest of the business world. They transacted business super quickly; their day-to-day operations were models of digital efficiency; and they were completely at the mercy of their systems’ performance.

Unfortunately the dotcom boom soon turned to bust, and those first buyers of cyber insurance disappeared along with the products that they purchased. With the passage of the first breach notification laws in California, however, the cyber insurance market was reborn, but the main focus of these policies was no longer system business interruption but the cost of handling a data breach. Since then, the cyber landscape has been dominated by privacy risk and only recently has the issue of cybercrime come to rival it for attention in cyber wordings.

We’ve now come full circle and system business interruption is back at the forefront. At CFC, we’ve seen a consistent increase in the volume of system business interruption losses year-on-year for the past five years, and they’re becoming some of the most severe losses that we now pay. The problem is that, until very recently, this cover has been massively overlooked by the market. BI cover in cyber policies hasn’t matured in the same way that data breach covers have, and this has resulted in a lack of standardisation around BI in policy wordings, with a wide range of different approaches being adopted by insurers. This lack of uniformity can be confusing for both customers and brokers and it’s worthwhile looking at some of the common areas where problems can arise.

Take indemnity periods as a case in point. In a typical business interruption policy relating to property damage, the insured would be indemnified until they were back to the same financial position that they would have enjoyed had it not been for the loss.

To illustrate this point, let’s take a look at a topical example. You may have seen on the news that Primark, a multinational clothing and accessories retailer, recently suffered from a major fire at their store in central Belfast, Northern Ireland. Whilst they are unable to use this building, they will suffer from a reduction in sales. But even once they are able to use the building again, they won’t immediately start trading at the same level that they would have had the fire not taken place. After all, they will need to re-stock the premises, re-engage with their suppliers and re-attract customers who may have started shopping elsewhere. This is why their business interruption policy won’t stop paying out once the building has been rebuilt and is fit for use again. It will continue to pay until the business is operationally sound and has returned to the same financial position they would have been in had the fire not occurred (up to the maximum indemnity period).

To put this into a cyber context, business interruption cover should protect you not only for the period that your computer systems are down, but until your business has returned to the financial position that you would have enjoyed if the system outage hadn’t occurred. What defines the indemnity period is still a huge area of inconsistency amongst cyber polices, especially in those territories where the cyber insurance market is less mature.

Indemnity periods on cyber policies typically work in one of three ways:
1) The policy will reimburse the loss only for the time that systems are down and not actually functioning. As soon as the systems are up and running again as normal, the policy stops responding and no more money is payable to the insured.
2) The policy will reimburse the loss for the time that systems are down, as well as continuing to provide cover after the systems have been restored to their normal functionality for an arbitrary number of days.
3) The policy will reimburse all losses (including those incurred once systems are up and running again) that fall within the indemnity period, up until the point that the insured has returned to the same financial position that they would have enjoyed had the system outage not occurred.
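To make the difference between the three indemnity-period models concrete, here is an added worked example (not CFC’s code or figures) that applies each model to a constructed revenue-shortfall curve: full loss while systems are down, then a linear recovery as trade returns. The outage length, recovery length, daily loss and the 30-day extension under option 2 are all assumptions chosen for illustration.

```python
"""Compare business interruption payouts under three indemnity-period models.

Added illustration, not policy wording or CFC's own figures. The shortfall
curve and every parameter are constructed for the example.
"""


def build_shortfall(outage_days=10, recovery_days=50, daily_loss=20_000):
    """Constructed daily revenue shortfall (one integer per day).

    Days 0..outage_days-1: systems down, the full daily loss is suffered.
    Then revenue recovers linearly over recovery_days until the business is
    back to the position it would have been in without the outage.
    """
    curve = [daily_loss] * outage_days
    for k in range(recovery_days, 0, -1):
        curve.append(daily_loss * k // recovery_days)
    return curve


def covered_days(option, outage_days, total_days, extra_days=0,
                 max_indemnity_days=365):
    """Number of days of loss a policy pays for under each model.

    1: only while systems are actually down.
    2: downtime plus an arbitrary fixed number of extra days.
    3: until the insured is back to its pre-outage financial position,
       subject to the maximum indemnity period.
    """
    if option == 1:
        days = outage_days
    elif option == 2:
        days = outage_days + extra_days
    elif option == 3:
        days = total_days
    else:
        raise ValueError("option must be 1, 2 or 3")
    return min(days, max_indemnity_days)


def payout(curve, outage_days, option, extra_days=0, max_indemnity_days=365):
    """Total loss reimbursed: the shortfall summed over the covered days."""
    n = covered_days(option, outage_days, len(curve), extra_days,
                     max_indemnity_days)
    return sum(curve[:n])


def compare(outage_days=10, recovery_days=50, daily_loss=20_000,
            extra_days=30, max_indemnity_days=365):
    """Payout under each model for the same loss, plus the uninsured gap."""
    curve = build_shortfall(outage_days, recovery_days, daily_loss)
    total_loss = sum(curve)
    result = {"total_loss": total_loss}
    for opt in (1, 2, 3):
        paid = payout(curve, outage_days, opt, extra_days, max_indemnity_days)
        result[f"option_{opt}"] = paid
        result[f"option_{opt}_gap"] = total_loss - paid
    return result


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>14}: {value:>10,}")
```

With these assumed numbers the outage itself costs 200,000 but the recovery tail costs another 510,000, so option 1 leaves 510,000 unreimbursed and option 2 still leaves 84,000; only option 3 pays the whole loss. Passing a shorter `max_indemnity_days` to `compare` shows the cap in the bracketed caveat of option 3 biting in the same way.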

[Graphic: Business interruption and indemnity periods]

Depending on the type of policy an insured has purchased and the nature of their business activities, that could be a difference of hundreds of thousands, if not millions, of dollars that they may or may not have reimbursed, solely determined by the way in which the indemnity period operates. Typically, the third option shown above is the most beneficial for insureds.

At CFC, the most severe system business interruption claims that we’ve come across have seen the insured in question still losing revenue for a substantial period of time after their systems were back up and running. Therefore, making sure that an insured has an indemnity period that is long enough to deal with any business interruption losses that may occur after their computer systems have been restored is key.

To read our cyber claims case study on how a property management firm benefited from a longer indemnity period, click here.

Cyber claims case study: Software shutdown

This month’s cyber insurance claims case study tells the story of a property management company that fell victim to a ransomware attack, putting an end to their primary software system.

Fortunately, their CFC cyber insurance policy helped to cover the costs of implementing a new software system, including large-scale data re-entry, as well as the shortfall in income caused by customers cancelling their contracts as a result of the cyber event and the service performance issues that stemmed from it. Read the full case study here.

The key takeaway points are as follows:

  • Cyber insurance policies have historically offered relatively short indemnity periods under the business interruption section – usually 3-6 months as standard. However, it is becoming increasingly clear that the operational impact of a cyber event can be felt for much longer than a 3-6 month period would allow for.
  • In this instance, the full reputational impact of the cyber event was not felt until after the 3-6 month indemnity period that you would find on many cyber insurance policies. The policyholder had a 12-month indemnity period in place and this enabled them to pick up the majority of their business interruption loss under the policy. Had the insured only had a 3 month indemnity period, however, they would not have been covered at all, as all of the cancelled contracts fell outside of this period.
  • Businesses that receive their income on a contractual basis could be more exposed to BI losses, as the cancellation of monthly or annual contracts could very quickly result in sizeable financial losses being incurred. Businesses that receive their revenue in this way should consider factoring this in when selecting an appropriate limit for their policy.
  • Having legacy systems in place could also increase a business’s exposure to a cyber event. The fact that this insured used a superannuated software system meant that they were especially vulnerable, as it soon became clear that it was not possible to restore their software and resume their normal service. Other businesses might have had their server encrypted in just the same way, but if they were using modern software packages they would most likely have recovered much more quickly.

Read the full case study here.

Want to learn more about business interruption and indemnity periods? Read the first post in our BI blog series here.

CFC wins four at the Cyber Rankings Awards

Last week, CFC attended the second annual Insurance Insider Cyber Rankings Awards in London. Based off the results of the publication’s Cyber Rankings Survey, these awards recognise the achievements of the market’s rising stars, most skilled practitioners, and most highly regarded companies.

We’re proud to announce that CFC won in four of the five underwriting categories, including two individual awards. Cyber Underwriter Matthew Lewis won in the Rising Star Underwriter category, and Corporate Cyber Practice Leader Andrew Prendergast won in the Cyber Underwriter of the Year category. For anyone who has worked with either, you’ll know they are greatly deserved. We’re so proud to have them on our team!

CFC’s Incident Response App, which provides policyholders with easy access to our 24/7 global cyber incident response centre, also won in the Cyber Innovation of the Year (underwriting) category. The app allows users to report incidents, notify claims and request urgent assistance at any time of the day or night.

Last but not least, CFC was voted Cyber Underwriting Firm of the Year for the second year running.

Thank you to Insurance Insider – the survey facilitators and event hosts – and to everyone who voted for us! We’re incredibly honoured.

FUNDS TRANSFER FRAUD – OLD TRICKS, NEW TACTICS

Social engineering involves the use of deception to manipulate individuals into carrying out a particular act, such as transferring money, handing over confidential information or clicking on a malicious link, and it’s causing serious financial harm to businesses all around the world. According to the FBI, between October 2013 and May 2018 alone, some $12.5 billion was lost worldwide due to funds being transferred following social engineering scams. Indeed, funds transfer fraud as a result of a social engineering scam is CFC’s primary source of cyber claims, making up 30% of claims by volume in 2017, and it shows no signs of abating.

FROM THE TROJAN HORSE TO FUNDS TRANSFER FRAUD

Social engineering is nothing new. In fact, it’s as old as human history. For example, consider the tale of the ancient Greeks cunningly tricking the Trojans into letting a wooden horse full of troops into their city. Or take the more recent, real world example of Victor Lustig, who in the 1920s pretended to be a French government minister and managed to successfully convince a number of scrap metal dealers that he was selling the Eiffel Tower.

But this age-old method of trickery is no longer confined to skilful con artists plying their trade in the real world. With the advent of the technological revolution over the past two decades, there has been a veritable explosion of social engineering scams in the digital sphere, and these can take a number of different forms.

One of the most common types of social engineering is CEO fraud. This is typically where a fraudster impersonates the CEO or another senior executive within an organisation and instructs a member of the finance department to make an urgent payment to a particular account for a specific reason (often in the guise of fulfilling an overdue payment to a supplier). More often than not, the senior executive in question will have had their email account compromised, but you don’t even need to be hacked in order for this kind of fraud to be carried out. Some fraudsters will go off publicly available information, finding out what the CEO’s email address is and amending it slightly before targeting a junior employee in the finance department who’s often inexperienced and eager to impress his or her seniors. Many fraudsters will monitor social media to see when the CEO or senior executive is away from the office to reduce the likelihood of having their scam uncovered.

Not all social engineering scams involve emails, though. At CFC, we recently dealt with a claim where a law firm had been contacted by what they thought was their bank and informed that there was suspicious activity on their account. The callers asked the firm to change their account details over the phone, thus allowing the fraudsters to gain access to the account and siphon off $89,000 to mule accounts.

Sometimes it’s not even the business in question that gets hit directly, but their customers. Phishing of customers involves fraudsters impersonating an organisation, contacting their customers or one customer in particular and requesting that payment be made for a specific reason. The scam usually works when the email account of either the business in question or one of their customers is compromised. Fraudsters then use the information contained within the email account to find out when a particular financial transaction is likely to occur and then impersonate the business in order to intercept the transaction. Even if it’s the customer’s email account that has been compromised, they will often pursue the business that has been impersonated for reimbursement, as it is their identity that has been used to carry out the fraudulent act.

Another method used by cybercriminals to carry out funds transfer fraud is through the electronic manipulation of documents. One claim that we handled at CFC involved a plastics manufacturer whose computer systems were hacked. This allowed the fraudsters to access the invoice payment templates that were sent out to their customers. The fraudsters changed the bank details on the form so that when they were issued to customers, the payment simply went to the fraudsters’ account rather than our insured’s. Some $140,000 was transferred to the fraudsters before the insured realised what had happened.

WAYS TO FIGHT THE FRAUD

Whilst you can never totally eliminate the risk of funds transfer fraud, the good news is that there are a number of ways for businesses to mitigate the risk, including the following:

Call back procedures – Call back procedures work by ensuring that whenever a new payee account is set up or a change of account is requested, the request is validated by having a member of the finance department call the person or company requesting the change on a pre-verified number to confirm that it is legitimate. Introducing such procedures is a simple but effective way of reducing the risk of funds transfer fraud. In fact, the vast majority of the funds transfer fraud claims that we see at CFC would not have occurred had robust call back procedures been in place and complied with.

Multi-factor authentication on email accounts – One of the primary factors influencing funds transfer fraud is the compromise of business email accounts. Multi-factor authentication can improve the security of web-based email accounts by requiring an additional verification step for any external connection to email, such as a code generated by a mobile app or through an SMS message. Most email systems provide multi-factor authentication and will allow users to establish “trusted devices” to reduce the inconvenience of entering a code every time they log in.

Training – Human error plays a crucial role in the vast majority of phishing scams, but raising awareness of funds transfer fraud and training employees to recognise such scams can go a long way towards reducing the risk of financial harm. A number of educational tools are available that can help protect businesses from social engineering attacks, including those that allow businesses to send out simulated phishing emails to test employees and better prepare them for a real-life incident. Such tools are available to CFC cyber policyholders through the CFC cyber portal.

A VALUABLE SAFETY NET

Even with risk management measures such as these in place, however, businesses should be aware that fraudsters are always looking for new ways to scam people and their tactics are becoming increasingly sophisticated. It is therefore impossible for any business to be completely impervious to these kinds of attacks. This is why cyber insurance should be part of any prudent organisation’s risk management programme, acting as a safety net should the worst happen.

Top Risks Facing Financial Institutions

Financial institutions have changed significantly over the last decade – from utilizing technology in new ways to stay competitive and drive efficiencies, to adapting business practices in light of the global financial crisis and recent narrow interest margin markets.

As these businesses evolve, they’re faced with a new range of exposures that can result in significant and lasting commercial costs, and traditional exposures come to light in a different context. Crime has also changed for these businesses, with a growing number of attacks against financial institutions taking place online and through digital means.

To better understand this changing landscape, we’ve outlined the top risks facing financial institutions today:


Social engineering and funds transfer fraud

Some of the most frequent cyber claims made by businesses in the past year involved funds transfer fraud and some form of social engineering. Funds transfer fraud is often carried out by criminals using fraudulent emails or phone calls to request the transfer of funds from a legitimate account to their own. In some cases, fraudsters will pose as a senior executive appearing to give urgent instructions to a junior employee. While financial institutions have stronger control processes, including segregation of duties, both banks and their clients are at risk of falling victim to these types of attacks, and as long as they continue to prove successful, we expect this threat to grow in both frequency and severity. Financial institutions should consider employee training on these newer forms of fraud, including how to identify phishing emails. Banks should also be concerned about their customers’ susceptibility to social engineering fraud, and should consider education campaigns where relevant.


Adherence to post-crisis regulation

Following the mortgage crisis in 2007-2008 and the subsequent global financial crisis, the regulatory burden for banks has increased significantly. This brings additional costs in meeting the new requirements, along with higher potential penalties if an institution fails to comply. In many instances, the fines and penalties that follow regulatory failures are uninsured or uninsurable. Financial institutions should therefore seek cover that includes regulatory enquiry costs and expenses.


Falling prey to predatory banking

Financial institutions have found themselves in a narrow interest margin environment, which means the pressure on banks to generate revenue from non-interest earnings is intense. In some cases, the desire to drive revenue through new or existing products has led to instances of selling inappropriate products to consumers, resulting in significant consumer claims. Institutions must ensure that their products are suitable and that they meet the needs and expectations of the consumer. It is also important for institutions to ensure their remuneration policies do not inadvertently encourage the mis-selling of products. The fallout from consumer protection scandals can be costly not only from a legal and regulatory standpoint, but also in terms of damage to the brand.


Reputational damage

Predatory banking is only one type of behaviour that can bring reputational harm to financial institutions. Large institutions can suffer backlash for a variety of misdeeds made public, for instance the failures in anti-money laundering controls at Wells Fargo and HSBC, which were hammered in the media as a result. On a smaller scale, for regional and community-based institutions, the power of social media means that reputational damage spreads far faster than ever before.


Systemic instability

Nearly a decade later, the effects of the global financial crisis are still being felt by financial institutions around the world. Recent concerns over Deutsche Bank’s operational cutbacks and stock price decline have shown there is still uncertainty around the performance of even the biggest financial organizations. Additionally, recent instability in Europe – particularly in Italy and Spain, as well as the still incomplete Brexit negotiation – could have effects elsewhere, including in the US, where European-headquartered institutions such as Deutsche Bank, Barclays and HSBC are systemically significant.


Challenger banks and new technology

The traditional banking model is increasingly challenged by newcomers trying to use technology to replace existing processes and disrupt the status quo. In the UK and Europe, challenger banks are gaining traction among younger generations and early adopters. In the US, there are few online-only challenger banks, but there is increasing competition from payment processors, online non-bank lenders and other providers who are edging their way into areas conventionally controlled by banks. The risk for traditional institutions is not only economic: they will also need to provide more services to their clients to remain competitive and relevant, and they may need to reassess their cyber exposure as they put more systems online.