The news: Banks and financial institutions face ever-evolving cyber risks, but paying for cyber insurance might not be part of their mitigation plans, per American Banker.
Greatest risks to banks: A report from the Financial Services Information Sharing and Analysis Center—a consortium of 16,000 bank and FI members that hold roughly $100 trillion in assets—identified the biggest cyber concerns banks face in 2023:
- Ransomware as a service (RaaS): RaaS involves a bad actor selling its services to people who have a specific target for malware. The report found that the professional, scientific, and technical services sector and the financial services and insurance sector are among the top industries targeted by RaaS. Alarmingly, professional, scientific, and technical services encompass many third-party suppliers and vendors to the financial services sector.
- Hacktivism: These cyber attacks are motivated by political and ideological beliefs. The financial services sector experienced an uptick in hacktivism at the beginning of the war in Ukraine, but it hasn’t yet been significantly impacted.
- Artificial intelligence (AI) and large language models: Generative AI has exploded in popularity, but banks and FIs are quickly learning that risks accompany this powerful technology. Bad actors will use large language models like ChatGPT to create phishing emails, write malware, and complete other malicious tasks. But it’s not all bad news: AI can also be used to take defensive measures against bad actors using the same technology.
Low risk, high cost: The consortium has created a global scale that rates the level of cybersecurity threat that various regions face at any given time. Currently, all regions covered by the scale are at the lowest threat level, though last year US-based banks and FIs sat in an “elevated” state, the second-lowest threat level.
- The low threat level doesn’t mean that banks and FIs can be lax in their cybersecurity practices. In the constantly changing cyber environment, banks must be ready for an attack at any moment.
- But despite the seriousness of cyber attacks, banks and FIs are struggling to keep up with the cost of cyber insurance. The report cites significant increases in insurance premiums, more carve-outs and exclusions in insurance policies, and a massive list of minimum requirements as factors driving banks to opt out of cyber insurance.
- Some insurers are requiring FIs to keep a ransom negotiator on retainer, and other insurers are excluding ransomware from their policies altogether. Premiums can range from £100,000 ($118,000) to over £1.5 million ($1.76 million), per CSO Online.
The bottom line: Banks and FIs should conduct a thorough cost-benefit analysis before jumping into cyber insurance. Cyber insurance isn’t a substitute for cybersecurity, and if firms can’t find a reasonably priced insurance policy that fully covers the risks they’re trying to mitigate, they might be better off using their funds to invest in cybersecurity improvements. The last thing banks will want to deal with is a massive cybersecurity breach and a cyber insurance policy that’s deemed null.