With the recent data security breaches at J.P. Morgan Chase, Target and Home Depot, cybersecurity insurance, which helps protect firms in the event of a hack, is a hot topic right now. At a recent panel during Pershing's Discover conference, privacy expert Michelle Wraight gave a guide on how firms should approach buying this additional coverage.
“We’re seeing wire transfer fraud at epidemic levels,” says Wraight, vice president and chief privacy officer at Pershing. And the typical corporate liability insurance most firms have in place will not cover the types of breaches occurring today throughout the financial industry.
“You need to not only look at your risk and how big your firm is, but also what you’re trying to protect. The old adage is ‘You don’t want to spend $1,000 to protect a $100 asset,’” Wraight says, adding the good news is that premiums are coming down a bit in this space.
Yet even the insurance policies that are being offered are generally only for tangible costs. The total cost for a data breach is estimated at just over $200 a record, according to Wraight, but that doesn’t necessarily cover the reputational costs that firms end up paying out when breached.
Most wire transfer fraud starts with the investor. Fraudsters are using the forgotten password option offered by most email providers to hack into consumers’ accounts. Using social media sites like Facebook and LinkedIn, they are able to find the answers to challenge questions like ‘What’s the name of your dog?’ and ‘What was the name of your high school?’ and reset the password.
“I think you need to get more creative with some of these challenge questions,” Wraight says. The FBI has a particularly good challenge question to foil this social media digging: what was the first bone you broke? “That’s not something you’d put on Facebook. Definitely not LinkedIn,” she jokes.
Once in control of consumers’ accounts, fraudsters will email financial advisors or brokerage firms to process orders, usually with a sense of urgency around the transfer request—a death in the family or an unexpected medical emergency.
“There is so much rampant fraud that involves email, that it really is important that you encourage everyone to stick with your policies and procedures, not to fall victim to what some of these fraudsters are trying to do,” Wraight says.
What makes this situation even more alarming is that some of the feedback FINRA has received from recent cybersecurity sweeps is that a lot of firms, especially smaller firms, don’t have the resources to provide security and privacy-related training within their organization, Wraight says.
Regulators are working to address this, however. In particular, FINRA is working to create educational modules for smaller firms around cybersecurity training, and many firms, including Pershing, offer information on best-practice procedures.