CYBER SECURITY AS A SERVICE: Opportunities for Financial Institutions, Insurers, and Benefits Providers to Drive Growth and Build Trust
March 2016
Content sponsored by CYBERSCOUT, LLC
Introduction
The financial services, insurance, and benefits industries face intense pressure to provide customers with services that deliver exceptional value while also building loyalty and trust. They have a long history of developing cost-effective products to protect against risk, but now they must overcome a number of challenges:
• A hypercompetitive environment that makes it difficult to recruit and retain employees and customers.
• Nontraditional competitors encroaching on market share.
• Government regulations that increase compliance risks.
Changing times demand innovative strategies. One sure way to stay ahead of the competition: partnering with a trusted provider of cyber security services. Financial Institutions, Insurers, and Benefits Providers can keep their data secure with an identity and data defense services partner that works as an extension of their brand to drive growth and enhance employee and customer loyalty.
Data Security As a Competitive Differentiator
Relentless cyber attacks on corporate and consumer data have created a new era of cyber anxiety. Security incidents continue to grow in severity and frequency, experiencing a 38 percent jump in 2015 alone, compared with the year before.[1] Attacks can strike organizations and their employees and customers, compromising these hard-earned relationships.
While businesses are making significant investments to secure their systems and data, individuals are searching for ways to protect themselves against identity theft.
Mounting cyber threats present Financial Institutions, Insurers, and Benefits Providers with a unique opportunity to offer identity and data protection services to their employees and customers as an added value and competitive differentiator. In fact, consumers have come to expect it from their vendor of choice and are increasingly broadcasting their experiences on social media. Most hold businesses and organizations accountable after a breach.[2] Failure to deliver that protection can weaken customer or employee relationships and lead to churn, with one in five victims avoiding business interactions with breached organizations.[3]
[1] “Turnaround and Transformation in Cyber Security: Key Findings from the Global State of Information Security Survey 2016,” 2, PwC.
[2] “The Consumer Data Insecurity Report,” 8, Javelin Strategy & Research, June 2014.
[3] Ibid.
Companies are increasingly turning to cyber insurance as a resource to guard against risk. Cyber and privacy breach coverages can help defray expenses related to services and systems, as well as consumer data, in the wake of an event. But a truly comprehensive cyber security solution will include education, protection and restoration. End-to-end protection will guard a business and its customers at the outset and include:
• Assessing the scope, scale and severity of the breach
• Implementing identity and credit monitoring programs
• Complying with notification regulations, and
• Conferring with a number of parties, including legal teams and regulatory bodies with a regimented vendor selection process.
Providers must find ways to distinguish themselves in a crowded marketplace. New entrants, such as credit card companies and credit bureaus, offer a range of products that only deliver selective identity defense services.
Building a comprehensive cyber security program from scratch can be a costly and time-consuming endeavor. To save money and strengthen defenses now, many companies hire outside firms that specialize in identity and data protection, as well as security risk and infrastructure management.[4] This foresight often pays off, since the patchwork of regulations and restrictions governing data security can seem overwhelming.
Regulations, Standards and Other Pressures
The steady surge in data breaches has drawn scrutiny from state and federal government regulators. Mandatory data breach notification laws exist in 47 states (as well as Washington, D.C., Guam, Puerto Rico, and the U.S. Virgin Islands). And there are a number of efforts at the federal level to establish a nationwide notification law. In 2015 alone, Congress considered four bills that would create a federal standard for information security, but there remain some challenges over whether a federal law should supersede state laws.
While cyber security coverage isn’t mandatory for businesses, it’s clear that regulators are favoring increased protection.[5] And recent initiatives suggest that government oversight will likely increase as cyber attacks proliferate. These developments signal a need for all those involved with consumer and employee data to prepare for increased regulatory requirements that could come down the line in the near future.
“There were a number of different programs that were offered (by CYBERSCOUT) that we didn’t see in the competition (and) because of (CYBERSCOUT’s) pricing structure, we’re actually able to bring in revenue.”
—Manny Padilla, VP of Marketing & Business Development, Los Angeles Police Federal Credit Union
[4] “Gartner Says Worldwide Information Security Spending Will Grow Almost 8 Percent in 2014 as Organizations Become More Threat-Aware,” Gartner, Aug. 22, 2014.
[5] “Regulators to Step Up Cyber Security Activity: Lawsky,” American Banker, July 28, 2015.
Financial Institutions
Financial Institutions, in particular, face increased pressure from regulators to enhance cyber security preparedness and protection. And for good reason: The industry is one of the most targeted. According to PwC, 45 percent of Financial Institutions were impacted by economic crime in 2014, compared with only 34 percent across all other industries.[6] Additionally, the industry has the second highest remediation cost, at $170 per record.[7] Recent regulatory initiatives include:
• Securities and Exchange Commission’s 2016 examination priorities
• Federal Financial Institutions Examination Council’s push for industry participation in the Financial Services Information Sharing and Analysis Center
• Office of the Comptroller of the Currency’s bank supervision operating plan for 2016.
These plans not only prioritize cyber security, they aim to ensure that banks have the proper processes and safeguards in place to protect business and individual customer data. To remain in compliance, financial service providers not only must ensure that their own internal procedures and safeguards are in place, but also that their customers are prepared for a breach and will have access to proven remediation assistance. Studies show that this is good business: 79 percent of survey respondents say they are very likely to do business with an organization because it offers identity monitoring.[8]
Insurance Carriers
Growth in the cyber insurance market has skyrocketed and will reach an expected $5 billion in annual premiums by 2018.[9] But questions remain about the adequacy of these policies. Coverage alone isn’t enough for policyholders, according to Paul Delbridge, an insurance partner at PwC. “Given the high costs of coverage, the limits imposed, the tight terms and conditions, and the restrictions on whether policyholders can make a claim, many policyholders are questioning whether their policies are delivering real value,” Delbridge said in a 2015 report.
Insurers will miss the market opportunity that cyber security presents if they continue to focus on blanket policy restrictions and conservative pricing strategies. Innovation is required. This can be done through partnering with identity theft and breach management firms that can provide holistic solutions encompassing the entire breach and resulting individual fraud remediation lifecycle. Such a partnership can bolster policy value by offering financial protection, risk mitigation, and streamlined expert breach response strategies.
[6] “Threats to the Financial Services Sector,” PwC.
[7] “2015 Cost of a Data Breach Study: Global Analysis,” Ponemon Institute.
[8] GfK Omnibus Service Research, May 16-18, 2014.
[9] “Insurance 2020: Reaping the dividends of cyber resilience,” PwC, 2015.
Additionally, the National Association of Insurance Commissioners (NAIC) continues to put pressure on Insurers with its Principles for Effective Cybersecurity Insurance Regulatory Guidance, which directs Insurers, producers and other regulated entities to join forces in identifying risks and adopting practical solutions to protect the information entrusted to them. A component within the guidance calls for planning for incident response by Insurers and other regulated entities, as well as the regulators themselves. Furthermore, NAIC’s Roadmap for Cyber Security Consumer Protections, formerly known as the Consumer Cyber Security Bill of Rights, details what consumers can expect from insurance companies, agents and other businesses following a breach.
Employee Benefits Providers
The tide has shifted within the health and benefits industry, predominantly brought on by the Affordable Care Act—in particular, the ACA’s virtual marketplaces, mandates for the electronic storage and sharing of patient data, and the steady drive toward self-service. Health care professionals and patients alike are concerned that these changes around sensitive data will attract malicious hackers.[10] Meanwhile, massive data breaches at major national insurance carriers have renewed questions about the security of ACA exchanges.[11]
In addition, the ACA has placed both employees and their employers in the forefront of purchasing decisions. Employers are expecting more from their Benefits Providers, and that’s driving increased competition within the industry. To stand out against their rivals, Benefits Providers are turning to new and innovative offerings, moving beyond basic protection, and focusing on value-based offerings that provide added benefits for employers and their employees alike.
Employers also are making efforts to increase productivity, and a factor impacting employees’ productivity is their financial wellness. Employees spend two to three hours per week concerned with or dealing with their personal finances, which can eat into company productivity, costing both the employee and the employer.[12] As a result, an increasing number of employers are involving themselves in their employees’ financial wellness through services, tools and educational campaigns.[13]
Successful Benefits Providers are meeting this need by expanding their portfolios to include identity theft protection.[14] Considering nearly 20 percent of employees have been a victim of identity theft, the added value provided by this benefit can drive employee loyalty and retention—always a boon for employers—and help differentiate a benefits provider’s portfolio from its competition.[15]
This trend is further driven by changes made by the IRS in late 2015, when it expanded its preferential tax treatment for employer-provided identity theft benefits. Previous guidance allowed for preferential tax treatment for identity protection services, but only following a breach and only for those individuals whose information may have been compromised. According to the IRS, the guidance was expanded in response to these types of benefits being offered to individuals with increasing frequency.[16]
[10] “Obamacare vs. Patient Data Security,” InformationWeek Healthcare, March 13, 2014.
[11] “Anthem Hack Raises Obamacare Concerns,” The Hill, Feb. 5, 2015.
[12] “5 Signs of Employee Financial Stress,” Benefitspro, Jan. 14, 2015.
[13] “Employers Working to Boost Employee Financial Wellness,” Benefitspro, Jan. 8, 2016.
[14] “How to Protect Your Business and Employees from Identity Theft Risks,” Corporate Wellness Magazine, March 10, 2015.
[15] “Employee Financial Wellness Survey: 2015 Results,” PwC, April 2015.
End-User Knowledge of Fraud and Breach
Business Clients
Keeping abreast of emerging cyber security trends and ensuring that response plans evolve at a similar pace are big challenges for any business. There is a common misconception that only certain industries and larger companies are at risk for data breaches. In reality, breach incidents are indiscriminate, impacting all industries and businesses of all sizes. Criminals are targeting small and midsize businesses (SMBs), many of which lack the resources and knowledge required to develop and implement adequate security programs.[17] And hackers are looking for different types of data, whether for extortion purposes or simply to cause harm.[18] Businesses that already have established a unique position of trust with their business customers are strategically placed to offer robust cyber security solutions.
A shortage of qualified cyber security professionals, however, has prompted leading businesses to seek outside support for risk management, cyber security program development, and security awareness training. “Unprepared organizations, when notified of a breach by external entities, such as the FBI, are increasingly employing professional security service providers to address security emergencies,” said Frank Dickson, network security research director at Frost & Sullivan.
Many companies—even those with breach response plans—are overwhelmed by the multitude of security breaches and their aftermath. The number of companies putting data breach response plans in place has increased in recent years. According to a Ponemon Institute Data Breach Preparedness Study, 81 percent of companies have a plan in place—a 20-point increase over just two years ago.[19] Despite this, many companies struggle to feel confident in their ability to manage a breach. According to the same study, “organizations aren’t taking into account the full breadth of procedures that need to be incorporated in the response plan and aren’t considering the wide variety of security incidents that can happen.”[20] Indeed, only 32 percent of organizations rated their response plan as effective for protecting customers and, similarly, only 32 percent said they understand what needs to be done following a material data breach to prevent negative public opinion.
Part of the reason companies struggle to feel confident in their ability to manage a breach is a lack of internal expertise or resources. Companies can address this issue by partnering with a cyber security consultant that can take into account the company’s ability to thoroughly implement a plan and make recommendations to improve the company’s overall security posture.
[16] “Regulatory Clarity Makes ID Protection a More Attractive Employee Benefit,” Employee Benefit Adviser, Jan. 20, 2016.
[17] “Cyber Attacks on the Rise: Are Private Companies Doing Enough to Protect Themselves?” PwC, 2014.
[18] “2016 Data Breach Industry Forecast,” Experian and Ponemon Institute.
[19] “Third Annual Study: Is Your Company Ready for a Big Data Breach,” 2, Ponemon Institute, October 2015.
[20] Ibid.
Employees, too, can play a critical role for businesses in their cyber security preparedness. They are often at the root of cyber breach incidents, accounting for 25 percent of all data breaches—second behind malicious or criminal attacks. The reason? Human error and lack of knowledge relating to proper procedures and security measures.[21] According to the Ponemon Institute, while more companies are putting employee privacy and data protection awareness programs in place, they are often not making them available to employees on a regular basis. Many companies said they offer training only once or sporadically. Similarly, nearly half of companies surveyed said the content of their awareness programs goes without review on a regular basis, and just about half said these programs are not provided as part of new employee orientation programs.
Beyond human error, companies are also at risk due to malicious employees. A malicious insider can be a current or former employee, a contractor, or even a business partner—essentially, anyone with a grudge who has access to a company’s confidential personal or corporate information. An Infosecurity Europe study alarmingly found that 37 percent of respondents said they would consider turning over corporate data if it was of benefit to them.
Turning to a partner with IT, privacy, legal and third-party auditing experience can help businesses keep employees engaged, stay up to speed on evolving risk assessments, and, ultimately, minimize overall data-related risk.
Individual Customers
The need for personal cyber security is growing, too, as data breaches that lead to identity theft proliferate. However, many people don’t look for identity protection until after they’ve fallen victim to this fast-growing crime. Identity theft claimed more than 13 million victims in 2015.[22] The crime takes many forms and hits people at every stage of life, but to grasp the severity of this crime, consider the costs: Total fraud losses reached $15 billion in 2015. And in the past six years, fraudsters have stolen $112 billion, or $35,000 per minute.[23]
Resolving identity theft on your own, however, can be an onerous experience. Victims face time-consuming exchanges with many different parties, including government agencies, law enforcement and credit bureaus. It’s a lot of red tape.
Many victims who don’t know where to go for reliable assistance turn to lawyers or advertised services that are costly or unproven. They’re under significant emotional stress and are expecting:
• Unlimited resolution support
• Credit and fraud monitoring
• Document replacement services
• 24/7 support
• Family coverage.
[21] “2015 Cost of a Data Breach Study: Global Analysis,” 11, Ponemon Institute, May 2015.
[22] “2016 Identity Fraud: Fraud Hits an Inflection Point,” Javelin Strategy & Research.
[23] Ibid.
Costs for these services vary widely, with little guarantee of delivery. Left to their own devices and often acting in response to a notice that they’re victims of a third-party breach, customers and employees need a trusted partner that already has been fully vetted.
Selecting the Right Partner
Choosing the right partner for an identity and data defense program is no easy task. Companies must go beyond due diligence to select a partner that is credible and familiar with their respective industry—particularly its government regulation requirements. A partner also should offer a breadth of products and services that address a wide range of client, customer and employee protection needs.
Be wary of data protection services that are one-size-fits-all, as needs will differ from one individual or business to the next. Products and services must be customizable to truly be effective. For example, CYBERSCOUT’s LifeStages® Identity Management Services solution offers on-demand, personalized protection for people of various ages and stages of life, each of which brings its own unique risks.
Equally paramount is a partner’s ability to stay abreast of developments in the cyber security space, and to modify its products and services as the identity theft and data breach threats evolve and customer expectations mature.
From an internal standpoint, it’s important that such programs are understood by staff in order to be effective. When choosing the right partner, be sure to evaluate their education and rollout capabilities, including program or product development support, program implementation support, program marketing support and flexible training options. The partnership should allow for frequent check-ins to ensure both parties are aware of changes that could impact the need for certain features.
A trusted identity and data defense partner will act as a true extension of your business. Customers should have access to continuous monitoring of public and private databases, social media channels, and the Internet black market for the presence and possible misuse of customer identities and credit data. Customers also should have access to a team of experienced award-winning fraud specialists and investigators with 10-plus years of experience in the field for preventive and resolution support 24/7.
Conclusion
Identity fraud and data breaches are happening every day and increasing in frequency, severity and impact. They are also continuously evolving with new approaches. By turning to a cyber security partner,
What to Look for in a Partner
• Credibility within your industry
• Customizable and evolving products and services
• Consistent internal support through structured rollout programs, staff education, marketing tools, and regular check-ins
• Superior customer service—and a track record to prove it
• Knowledge of your organization’s needs, and the needs of your employees and customers