CYBER SECURITY AS A SERVICE: Opportunities for Financial Institutions, Insurers, and Benefits Providers to Drive Growth and Build Trust


March 2016

Content sponsored by CYBERSCOUT, LLC

Introduction

The financial services, insurance, and benefits industries face intense pressure to provide customers with services that deliver exceptional value while also building loyalty and trust. They have a long history of developing cost-effective products to protect against risk, but now they must overcome a number of challenges:

• A hypercompetitive environment that makes it difficult to recruit and retain employees and customers.

• Nontraditional competitors encroaching on market share.

• Government regulations that increase compliance risks.

Changing times demand innovative strategies. One sure way to stay ahead of the competition: partnering with a trusted provider of cyber security services. Financial Institutions, Insurers, and Benefits Providers can keep their data secure with an identity and data defense services partner that works as an extension of their brand to drive growth and enhance employee and customer loyalty.

Data Security As a Competitive Differentiator

Relentless cyber attacks on corporate and consumer data have created a new era of cyber anxiety. Security incidents continue to grow in severity and frequency, experiencing a 38 percent jump in 2015 alone, compared with the year before.1 Attacks can strike organizations and their employees and customers, compromising these hard-earned relationships.

While businesses are making significant investments to secure their systems and data, individuals are searching for ways to protect themselves against identity theft.

Mounting cyber threats present Financial Institutions, Insurers, and Benefits Providers with a unique opportunity to offer identity and data protection services to their employees and customers as an added value and competitive differentiator. In fact, consumers have come to expect it from their vendor of choice and are increasingly broadcasting their experiences on social media. Most hold businesses and organizations accountable after a breach.2 Failure to deliver that protection can weaken customer or employee relationships and lead to churn, with one in five victims avoiding business interactions with breached organizations.3

1 “Turnaround and Transformation in Cyber Security: Key Findings from the Global State of Information Security Survey 2016,” 2, PwC.

2 “The Consumer Data Insecurity Report,” 8, Javelin Strategy & Research, June 2014.

3 Ibid.

Companies are increasingly turning to cyber insurance as a resource to guard against risk. Cyber and privacy breach coverages can help defray expenses related to services and systems, as well as consumer data, in the wake of an event. But a truly comprehensive cyber security solution will include education, protection and restoration. End-to-end protection will guard a business and its customers at the outset and include:

• Assessing the scope, scale and severity of the breach

• Implementing identity and credit monitoring programs

• Complying with notification regulations, and

• Conferring with a number of parties, including legal teams and regulatory bodies with a regimented vendor selection process.

Providers must find ways to distinguish themselves in a crowded marketplace. New entrants, such as credit card companies and credit bureaus, offer a range of products that only deliver selective identity defense services.

Building a comprehensive cyber security program from scratch can be a costly and time-consuming endeavor. To save money and strengthen defenses now, many companies hire outside firms that specialize in identity and data protection, as well as security risk and infrastructure management.4 This foresight often pays off, since the patchwork of regulations and restrictions governing data security can seem overwhelming.

Regulations, Standards and Other Pressures

The steady surge in data breaches has drawn scrutiny from state and federal government regulators. Mandatory data breach notification laws exist in 47 states (as well as Washington, D.C., Guam, Puerto Rico, and the U.S. Virgin Islands). And there are a number of efforts at the federal level to establish a nationwide notification law. In 2015 alone, Congress considered four bills that would create a federal standard for information security, but there remain some challenges over whether a federal law should supersede state laws.

While cyber security coverage isn’t mandatory for businesses, it’s clear that regulators are favoring increased protection.5 And recent initiatives suggest that government oversight will likely increase as cyber attacks proliferate. These developments signal a need for all those involved with consumer and employee data to prepare for increased regulatory requirements that could come down the line in the near future.

4 “Gartner Says Worldwide Information Security Spending Will Grow Almost 8 Percent in 2014 as Organizations Become More Threat-Aware,” Gartner, Aug. 22, 2014.

5 “Regulators to Step Up Cyber Security Activity: Lawsky,” American Banker, July 28, 2015.

“There were a number of different programs that were offered (by CYBERSCOUT) that we didn’t see in the competition (and) because of (CYBERSCOUT’s) pricing structure, we’re actually able to bring in revenue.”

—Manny Padilla, VP of Marketing & Business Development, Los Angeles Police Federal Credit Union

Financial Institutions

Financial Institutions, in particular, face increased pressure from regulators to enhance cyber security preparedness and protection. And for good reason: The industry is one of the most targeted. According to PwC, 45 percent of Financial Institutions were impacted by economic crime in 2014, compared with only 34 percent across all other industries.6 Additionally, the industry has the second highest remediation cost, at $170 per record.7 Recent regulatory initiatives include:

• Securities and Exchange Commission’s 2016 examination priorities

• Federal Financial Institutions Examination Council’s push for industry participation in the Financial Services Information Sharing and Analysis Center

• Office of the Comptroller of the Currency’s bank supervision operating plan for 2016.

These plans not only prioritize cyber security, they aim to ensure that banks have the proper processes and safeguards in place to protect business and individual customer data. To remain in compliance, financial service providers not only must ensure that their own internal procedures and safeguards are in place, but also that their customers are prepared for a breach and will have access to proven remediation assistance. Studies show that this is good business: 79 percent of survey respondents say they are very likely to do business with an organization because it offers identity monitoring.8

Insurance Carriers

Growth in the cyber insurance market has skyrocketed and will reach an expected $5 billion in annual premiums by 2018.9 But questions remain about the adequacy of these policies. Coverage alone isn’t enough for policyholders, according to Paul Delbridge, an insurance partner at PwC. “Given the high costs of coverage, the limits imposed, the tight terms and conditions, and the restrictions on whether policyholders can make a claim, many policyholders are questioning whether their policies are delivering real value,” Delbridge said in a 2015 report.

Insurers will miss the market opportunity that cyber security presents if they continue to focus on blanket policy restrictions and conservative pricing strategies. Innovation is required. This can be done through partnering with identity theft and breach management firms that can provide holistic solutions encompassing the entire breach and resulting individual fraud remediation lifecycle. Such a partnership can bolster policy value by offering financial protection, risk mitigation, and streamlined expert breach response strategies.

6 “Threats to the Financial Services Sector,” PwC.

7 “2015 Cost of a Data Breach Study: Global Analysis,” Ponemon Institute.

8 GfK Omnibus Service Research, May 16-18, 2014.

9 “Insurance 2020: Reaping the dividends of cyber resilience,” PwC, 2015.

Additionally, the National Association of Insurance Commissioners (NAIC) continues to put pressure on Insurers with its Principles for Effective Cybersecurity Insurance Regulatory Guidance, which directs Insurers, producers and other regulated entities to join forces in identifying risks and adopting practical solutions to protect the information entrusted to them. A component within the guidance calls for planning for incident response by Insurers and other regulated entities, as well as the regulators themselves. Furthermore, NAIC’s Roadmap for Cyber Security Consumer Protections, formerly known as the Consumer Cyber Security Bill of Rights, details what consumers can expect from insurance companies, agents and other businesses following a breach.

Employee Benefits Providers

The tide has shifted within the health and benefits industry, predominantly brought on by the Affordable Care Act—in particular, the ACA’s virtual marketplaces, mandates for the electronic storage and sharing of patient data, and the steady drive toward self-service. Health care professionals and patients alike are concerned that these changes around sensitive data will attract malicious hackers.10 Meanwhile, massive data breaches at major national insurance carriers have renewed questions about the security of ACA exchanges.11

In addition, the ACA has placed both employees and their employers in the forefront of purchasing decisions. Employers are expecting more from their Benefits Providers, and that’s driving increased competition within the industry. To stand out against their rivals, Benefits Providers are turning to new and innovative offerings, moving beyond basic protection, and focusing on value-based offerings that provide added benefits for employers and their employees alike.

Employers also are making efforts to increase productivity, and a factor impacting employees’ productivity is their financial wellness. Employees spend two to three hours per week concerned with or dealing with their personal finances, which can eat into company productivity, costing both the employee and the employer.12 As a result, an increasing number of employers are involving themselves in their employees’ financial wellness through services, tools and educational campaigns.13

Successful Benefits Providers are meeting this need by expanding their portfolios to include identity theft protection.14 Considering nearly 20 percent of employees have been a victim of identity theft, the added value provided by this benefit can drive employee loyalty and retention—always a boon for employers—and help differentiate a benefits provider’s portfolio from its competition.15

This trend is further driven by changes made by the IRS in late 2015, when it expanded its preferential tax treatment for employer-provided identity theft benefits. Previous guidance allowed for preferential tax treatment for identity protection services, but only following a breach and only for those individuals whose information may have been compromised. According to the IRS, the guidance was expanded in response to these types of benefits being offered to individuals with increasing frequency.16

10 “Obamacare vs. Patient Data Security,” InformationWeek Healthcare, March 13, 2014.

11 “Anthem Hack Raises Obamacare Concerns,” The Hill, Feb. 5, 2015.

12 “5 Signs of Employee Financial Stress,” Benefitspro, Jan. 14, 2015.

13 “Employers Working to Boost Employee Financial Wellness,” Benefitspro, Jan. 8, 2016.

14 “How to Protect Your Business and Employees from Identity Theft Risks,” Corporate Wellness Magazine, March 10, 2015.

15 “Employee Financial Wellness Survey: 2015 Results,” PwC, April 2015.

End-User Knowledge of Fraud and Breach

Business Clients

Keeping abreast of emerging cyber security trends and ensuring that response plans evolve at a similar pace are big challenges for any business. There is a common misconception that only certain industries and larger companies are at risk for data breaches. In reality, breach incidents are indiscriminate, impacting all industries and businesses of all sizes. Criminals are targeting small and midsize businesses (SMBs), many of which lack the resources and knowledge required to develop and implement adequate security programs.17 And hackers are looking for different types of data, whether for extortion purposes or simply to cause harm.18 Businesses that already have established a unique position of trust with their business customers are strategically placed to offer robust cyber security solutions.

A shortage of qualified cyber security professionals, however, has prompted leading businesses to seek outside support for risk management, cyber security program development, and security awareness training. “Unprepared organizations, when notified of a breach by external entities, such as the FBI, are increasingly employing professional security service providers to address security emergencies,” said Frank Dickson, network security research director at Frost & Sullivan.

Many companies—even those with breach response plans—are overwhelmed by the multitude of security breaches and their aftermath. The number of companies putting data breach response plans in place has increased in recent years. According to a Ponemon Institute Data Breach Preparedness Study, 81 percent of companies have a plan in place—a 20-point increase over just two years ago.19 Despite this, many companies struggle to feel confident in their ability to manage a breach. According to the same study, “organizations aren’t taking into account the full breadth of procedures that need to be incorporated in the response plan and aren’t considering the wide variety of security incidents that can happen.”20 Indeed, only 32 percent of organizations rated their response plan as effective for protecting customers and, similarly, only 32 percent said they understand what needs to be done following a material data breach to prevent negative public opinion.

Part of the reason companies struggle to feel confident in their ability to manage a breach is a lack of internal expertise or resources. Companies can address this issue by partnering with a cyber security consultant that can take into account the company’s ability to thoroughly implement a plan and make recommendations to improve the company’s overall security posture.

16 “Regulatory Clarity Makes ID Protection a More Attractive Employee Benefit,” Employee Benefit Adviser, Jan. 20, 2016.

17 “Cyber Attacks on the Rise: Are Private Companies Doing Enough to Protect Themselves?” PwC, 2014.

18 “2016 Data Breach Industry Forecast,” Experian and Ponemon Institute.

19 “Third Annual Study: Is Your Company Ready for a Big Data Breach,” 2, Ponemon Institute, October 2015.

20 Ibid.

Employees, too, can play a critical role for businesses in their cyber security preparedness. They are often at the root of cyber breach incidents, accounting for 25 percent of all data breaches—second behind malicious or criminal attacks. The reason? Human error and lack of knowledge relating to proper procedures and security measures.21 According to the Ponemon Institute, while more companies are putting employee privacy and data protection awareness programs in place, they are often not making them available to employees on a regular basis. Many companies said they offer training only once or sporadically. Similarly, nearly half of companies surveyed said the content of their awareness programs goes without review on a regular basis, and just about half said these programs are not provided as part of new employee orientation programs.

Beyond human error, companies are also at risk due to malicious employees. A malicious insider can be a current or former employee, a contractor, or even a business partner—essentially, anyone with a grudge who has access to a company’s confidential personal or corporate information. An Infosecurity Europe study alarmingly found that 37 percent of respondents said they would consider turning over corporate data if it was of benefit to them.

Turning to a partner with IT, privacy, legal and third-party auditing experience can help businesses keep employees engaged, stay up to speed on evolving risk assessments, and, ultimately, minimize overall data-related risk.

Individual Customers

The need for personal cyber security is growing, too, as data breaches that lead to identity theft proliferate. However, many people don’t look for identity protection until after they’ve fallen victim to this fast-growing crime. Identity theft claimed more than 13 million victims in 2015.22 The crime takes many forms and hits people at every stage of life, but to grasp the severity of this crime, consider the costs: Total fraud losses reached $15 billion in 2015. And in the past six years, fraudsters have stolen $112 billion, or $35,000 per minute.23

Resolving identity theft on your own, however, can be an onerous experience. Victims face time-consuming exchanges with many different parties, including government agencies, law enforcement and credit bureaus. It’s a lot of red tape.

Many victims who don’t know where to go for reliable assistance turn to lawyers or advertised services that are costly or unproven. They’re under significant emotional stress and are expecting:

• Unlimited resolution support

• Credit and fraud monitoring

• Document replacement services

• 24/7 support

• Family coverage.

21 “2015 Cost of a Data Breach Study: Global Analysis,” 11, Ponemon Institute, May 2015.

22 “2016 Identity Fraud: Fraud Hits an Inflection Point,” Javelin Strategy & Research.

23 Ibid.

Costs for these services vary widely, with little guarantee of delivery. Left to their own devices and often acting in response to a notice that they’re victims of a third-party breach, customers and employees need a trusted partner that already has been fully vetted.

Selecting the Right Partner

Choosing the right partner for an identity and data defense program is no easy task. Companies must go beyond due diligence to select a partner that is credible and familiar with their respective industry—particularly its government regulation requirements. A partner also should offer a breadth of products and services that address a wide range of client, customer and employee protection needs.

Be wary of data protection services that are one-size-fits-all, as needs will differ from one individual or business to the next. Products and services must be customizable to truly be effective. For example, CYBERSCOUT’s LifeStages® Identity Management Services solution offers on-demand, personalized protection for people of various ages and stages of life, each of which brings its own unique risks.

Equally paramount is a partner’s ability to stay abreast of developments in the cyber security space, and to modify its products and services as the identity theft and data breach threats evolve and customer expectations mature.

From an internal standpoint, it’s important that such programs are understood by staff in order to be effective. When choosing the right partner, be sure to evaluate their education and rollout capabilities, including program or product development support, program implementation support, program marketing support and flexible training options. The partnership should allow for frequent check-ins to ensure both parties are aware of changes that could impact the need for certain features.

A trusted identity and data defense partner will act as a true extension of your business. Customers should have access to continuous monitoring of public and private databases, social media channels, and the Internet black market for the presence and possible misuse of customer identities and credit data. Customers also should have access to a team of experienced award-winning fraud specialists and investigators with 10-plus years of experience in the field for preventive and resolution support 24/7.

What to Look for in a Partner

• Credibility within your industry

• Customizable and evolving products and services

• Consistent internal support through structured rollout programs, staff education, marketing tools, and regular check-ins

• Superior customer service—and a track record to prove it

• Knowledge of your organization’s needs, and the needs of your employees and customers

Conclusion

Identity fraud and data breaches are happening every day and increasing in frequency, severity and impact. They are also continuously evolving with new approaches. By turning to a cyber security partner, businesses can stay ahead of threats—and the competition—with programs that foster growth and customer and employee loyalty, while remaining in compliance.