Why Is The “We’re Not Big Enough” Defense A Fallacy?
In the past few months, the news has reported on a record-breaking breach suffered by Yahoo, the barrage of hacked emails from members of the Democratic Party and a massive cyber attack that shut down a number of major online entities, including Twitter, Amazon, Netflix and PayPal. While these attacks would seem to act as a warning sign that businesses need to better protect their data and their company from the effects of a cyber attack, many executives instead dangerously assume they’re safe. “After all,” the reasoning goes, “hackers are only interested in huge targets, such as multinational corporations and political parties. They won’t go after me. I’m too small.”
Of course, that outlook flies in the face of current statistics, which suggest that every company–no matter the size–is at risk. In its 2016 Internet Security Threat Report, Symantec noted there is plenty of hacking to go around. Of the companies in their study, small businesses (fewer than 250 employees) accounted for 43% of all attacks, medium size (250-2,500 employees) 22% and large corporations (2500+) 35%. The report also noted that there’s been a steady increase in attacks on companies with fewer than 250 employees over the last five years. In fact, attacks on those companies jumped 11% from 2014 to 2015.
One explanation for this jump in attacks on small to mid-size companies is obvious. Hackers know these companies are less likely to have a data security plan in place, making them an easier target. Even more, it’s becoming easier for them to initiate attacks through automated malicious code that gets access to your system and sends back the data. Thanks to these unmanned attacks, they don’t need to expend much energy to attack smaller companies, making it more worth the effort.
Now in addition to the fact that your data may not be well protected and hacking has become easier, throw into the mix that you’re in the mortgage banking business and collect personal information from your customers, prospects and employees. Put that all together, and it’s no stretch of the imagination to see how your firm could be the perfect target for an enterprising cyber thief.
What Do Cyber Thieves Want From Your Business?
Cyber thieves want data, and the data you collect is particularly valuable to them. In 2015, according to the Symantec report, the top information exposed can all be categorized as personally identifiable information (PII):
- Real names (exposed in 78% of all breaches in the study)
- Home addresses (44%)
- Birth dates (41%)
- Government ID numbers, such as social security numbers (38%)
This is a shift from previous years when financial information, such as credit cards, was the stolen data of choice, enabling hackers to ring up fraudulent purchases on someone else’s dime. But, credit card companies and users have become quicker to notice atypical purchases, limiting the usefulness of stolen credit card data to the individual hacker and the black market value if they should try to resell the data. As a result, financial info (which includes credit card details and other financial credentials) has dropped from number four in 2014 to number six on the above list.
On the other hand, personally identifiable information offers cyber thieves greater flexibility. Forget stealing one person’s credit card data. With personally identifiable info, a cyber thief can open up countless credit cards in another person’s name. That hacker can also obtain fraudulent government IDs, apply for loans, commit health insurance or Medicare fraud, file for fraudulent tax refunds, resell the data and more.
In a January 2016 press release put out by the Identity Theft Resource Center (ITRC), which tracks breach information made publicly available, they noted that 2014 was the year of the credit card breach, citing 64.4 million debit/credit cards exposed due to breaches. In contrast, 2015 saw breaches expose only 800 thousand debit/credit cards. That significant drop is because hackers were putting their energies into stealing over 164.4 million social security numbers. Appropriately enough, ITRC dubbed 2015 the year of the social security number breach.
Of course, this personally identifiable information (along with a host of other valuable information) is the exact info you need from customers and prospects when you originate or service loans. Even more, you collect much of this same information from your own employees. This helps explain why, according to the ITRC release, the Financial/Banking/Credit industry was ranked third in number of reported breaches (behind Business/Service at number one and Healthcare at number two). This marks the first time the financial industry—your industry—has cracked the top three.
What Could The Cost Of A Data Breach Be To Someone In The Mortgage Banking Industry?
The most important factor in determining the cost of a data breach is not revenue, number of employees or even number of originated loans but rather the total number of records in your database, which can include past and present customers, prospects and employees.
In its 2016 Cost of Data Breach Study, The Ponemon Institute, an organization that conducts research on privacy, data protection and information security policy, found that the average cost per lost or stolen record for a US company in 2015 was $221. They further broke down that $221 into $76 spent on direct costs incurred to resolve the data breach, such as investments in technologies or legal fees, and $145 spent on indirect costs, which included notification efforts and customer turnover.
Even more, the average cost per lost or stolen record for a company in the financial industry was $264. This rate was greater than the average because this industry is more highly regulated (companies could face fines for their breach) and because, when breached, companies in this industry suffer a higher-than-average loss of business and customers.
So, using this average cost per record, even a database of only one thousand records could end up costing you somewhere in the neighborhood of $264,000. How many records do you have in your database? Thousands? Tens of thousands? Hundreds of thousands? The Ponemon Institute found that, of the companies they studied, the average total cost of a data breach was over $7 million. What would be the repercussions if your company suddenly had to deal with a $7 million loss?
How Can Your Firm Protect Itself From Losses Due To A Data Breach?
The first step is to review your current processes and inherent risks. Some of the main questions to ask are:
- What data do you store?
- Where is the data stored? What protections are in place?
- Is it backed up? What protections are in place for the backups?
- Who has access?
- What devices are being used (computers, tablets, smart phones, printers, etc.)? Are they encrypted?
- What are your agreements with third-party vendors?
The extent and cost of a data breach can be reduced if you put into place data governance initiatives. These initiatives act as quality control protocols for how to protect, manage and use your data and should include appointing a Chief Information Security Officer (CISO), creating a business continuity management strategy that identifies your company’s risk of a breach, developing an incident response plan and training employees on proper procedures as well as making them aware of potential threats. Once the strategies are in place, you can then start looking at more tactical executions, such as installing data loss prevention software, which limits the ability of users to send sensitive information outside the corporate network, as well as encryption and endpoint security solutions, which ensure devices connected to your network follow a defined level of compliance and security standards.
While the above recommendations will take some time to implement, there are other simpler solutions you can begin undertaking right away.
Use Strong Passwords
Passwords should be at least 10 characters and include a mix of lower and upper case letters, numbers and non-alphanumeric characters and symbols. Avoid using actual words since hackers can run software that checks for every word in the dictionary (and please, please, please don’t use password, password1 or admin). You can also use a password generator (to develop a password) or aggregator (to store your passwords). Just make sure that if you’re digitally saving passwords, the only way to access them is through a password that you must remember and key in–don’t store that password on your computer or device. This way you limit the damage if your computer or device is lost or stolen.
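To make the password rules above concrete, here is an added example (not code from the original article) in Python: a checker that enforces the stated policy (at least 10 characters, a mix of lower case, upper case, digits and symbols, no dictionary words even when decorated with digits or symbols, and none of the banned defaults), plus a generator that uses the operating system's cryptographic random source so the result is not guessable. `SAMPLE_DICTIONARY` is a small constructed stand-in for a real word list, and `MIN_LENGTH` is taken from the article's 10-character rule.

```python
import re
import secrets
import string
from typing import List

# Constructed stand-in for a dictionary word list; a real deployment would
# load a full list (for example /usr/share/dict/words) instead.
SAMPLE_DICTIONARY = {"password", "mortgage", "welcome", "summer", "banking", "admin"}

# Defaults the article explicitly calls out as unacceptable.
BANNED_PASSWORDS = {"password", "password1", "admin"}

MIN_LENGTH = 10  # the article's minimum


def check_password(candidate: str) -> List[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no symbol")

    lowered = candidate.lower()
    if lowered in BANNED_PASSWORDS:
        problems.append("is a banned default")

    # Strip digits and symbols first so "Mortgage2024!" is still recognised
    # as the dictionary word "mortgage" with decoration bolted on.
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if any(word in letters_only for word in SAMPLE_DICTIONARY if len(word) >= 5):
        problems.append("is a dictionary word with decoration")
    return problems


def generate_password(length: int = 16) -> str:
    """Generate a random password from a CSPRNG that satisfies check_password."""
    length = max(length, MIN_LENGTH)
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        # secrets.choice draws from os.urandom, unlike random.choice
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):  # retry the rare draw that misses a class
            return candidate


if __name__ == "__main__":
    for sample in ("password1", "Mortgage2024!x", "c7#Qv!9pLm2x"):
        print(f"{sample!r}: {check_password(sample) or 'OK'}")
    print("generated:", generate_password())
```

The dictionary check is deliberately applied to the letters that remain after stripping digits and symbols, because the usual response to a "use symbols" rule is to append one to a word, which dictionary-based guessing software tries first.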
Enact Strong Password Protocols
Be smart in how you use passwords in your system. Don’t reuse passwords in multiple places (otherwise a compromise of one can give a hacker access to other systems). Instead of sharing one account and one password, give everyone unique login credentials. That way you can easily shut down and create a new account if one is compromised. Additionally, it will be easy to turn off that account once an employee is no longer with the company (and protects you in case they don’t leave on the best terms). Lastly, compartmentalize access. By only giving your employees access to the data they need and not the whole system, you’re limiting exposure should a breach occur.
Keep Software Up To Date
Keep the software, browsers and applications on your computers, phones, etc. up to date. Old software can have vulnerabilities that hackers can exploit.
Back Up Regularly, Have A Plan To Restore Data
If data is corrupted, locked up in a ransomware scheme or undergoes some other emergency, you want to be able to restore the backup quickly to minimize downtime.
Educate Your Team
Many breaches occur because employees just aren’t aware of the cyber threats, especially how thieves might try to deceive them through email, websites and now social media. Train them on how to protect their passwords and properly react to attachments, links and information requests sent to them in emails (by both trusted and unknown senders) and to let the proper team members know if they notice anything suspicious. Ultimately, encouraging awareness and good habits among your team can positively affect your data security.
Why Do You Need Cyber Liability Insurance?
Good procedures will greatly limit the chance that you could suffer a data breach. But, human error, the speed with which new technologies are introduced and the tenacity of cyber thieves means there’s no 100% solution. So, should a breach actually occur, Cyber Liability Insurance can then be the second line of defense, protecting your company from the immense expenses that you would otherwise have to pay out of pocket.
Most Cyber Liability Policies will cover reasonable and necessary expenses incurred in response to a breach, which may include:
- IT expenses, including forensics
- Public relations and advertising to alert the public and perform image damage control
- Notification expenses, such as emails or printing and mailing letters
- Call centers to answer customer questions
- Credit monitoring for those affected
- Legal fees
As an added bonus, many Cyber Liability insurance products include a risk management component, which can include sample policies, recommended procedures and other best practices that give your company a framework to follow in developing a plan for managing cyber risk.
When seeking out Cyber Liability coverage, work with a qualified insurance agent or broker who has experience working with companies in the mortgage banking industry so that the coverage, limits and other elements are written to the needs of your specific company. You will need to make sure that the policy covers your major areas of exposure and that the limit is high enough to protect you from your potential loss. Here’s where looking at your total data records multiplied by the average cost per record of lost or stolen data is key.
While premiums have been increasing for this coverage as of late, they’re still quite reasonable, especially when comparing policy limits to the potential out-of-pocket risk.
Ultimately, What’s The Biggest Threat To Your Business?
Inaction. You need to acknowledge that a cyber attack against your business is a possibility (maybe even an inevitability) and make a conscious decision to take action and protect your data, customers, business and bottom line.
Nonetheless, despite all the warning signs, many are still not motivated to act, letting the supposed cost, time and labor of enacting proper protocols or purchasing insurance outweigh the very real and much higher cost they’d incur if their system was breached.
Consider CFO Magazine’s 2016 survey of 233 CFOs:
- 22% reported an attack in the last 24 months.
- 57.5% said cyber security is a top concern.
- YET, only 23.9% are buying Cyber Insurance.
- And, only 11.7% have taken the time to estimate the cost of a cyber attack.
Given the number of past attacks and the respondents’ concern about future attacks, it’s actually startling to see how few CFOs in the survey are estimating the potential expense of an attack AND how few are seeking out insurance (only slightly more than the number that have been the victim of an attack).
Data breaches are a part of business now. Like Property and Casualty or Workers’ Comp, you need to treat the cyber threat like any other risk to your business and purchase the appropriate coverage. It’s true that you may have to spend thousands or even tens of thousands now to enact a cyber plan that puts safe protocols into place and includes Cyber Liability Insurance. But keep in mind that the average cost in 2015 for a data breach was over $7 million. Investing now can save your company millions in the future.
* * *
Lee Brodsky has specialized in insurance for the mortgage banking and financial services industry for more than 30 years. In May 2004, he established Mortgage Banking Insurance Group at JMB Insurance. As an independent brokerage, his group helps mortgage bankers and brokers procure various insurance coverages that meet client goals and satisfy investor, GSE or warehouse lender requirements.