MADISON, Wis. – Recent data breaches at Kmart and Dairy Queen, combined with earlier breaches at JPMorgan Chase, Target, The Home Depot and other retailers, have put a bright light on the new risk level of data theft and security, and the role of cyber liability insurance policies.
Credit unions aren’t immune to the growing risk, CUNA Mutual Group’s Jay Morgan and Beazley Group’s Katherine Keefe said during a CUNA Mutual Discovery Conference session earlier today.
Morgan, director of Product Management at CUNA Mutual Group, said the explosion of mobile devices and technology advances have significantly increased this risk, especially in financial services industries. In 2013, cyber risk incidents totaled more than 61,000, of which more than 800 were with financial services organizations.
“You work hard to earn the trust of your members, and every cyber incident attempts to erode that trust,” said Morgan. “The potential loss or impact to a credit union ranges from hard costs in revenue, legal fees, IT and operations to significant losses in customer loyalty, brand reputation, and employee morale.”
The average total cost of a data breach today is approximately $3.5 million, with the average cost of customer notification reaching almost $510,000, CUNA Mutual said. As a result, there is growing interest among organizations in shifting certain costs by transferring risk through a cyber liability insurance policy.
“When you consider cyber liability insurance policies and the companies that offer them, credit unions also need to consider the tools and resources available to help you recover from a data breach,” Morgan said. “All too often we find most organizations just don’t know where to start when they suffer a breach.”
Keefe, head of breach response services at Beazley, offered more insight into cyber risks specific to credit unions, noting 31% of all credit union security and data breaches occurred as unintended disclosure, with an increased rise in malware activity.
“There is an uptick in social engineering with increased sophistication to target senior executives with very realistic emails from trade associations they belong to,” said Keefe, adding that lost or stolen laptops and mobile devices continue to raise concern because organizations are not doing enough to improve encryption with these devices.
To add further complexity to cyber risk, all financial institutions are required to adhere to certain breach notification requirements specific to investigation and member notification, she said.
“State regulators are taking more action regarding customer notification, adding to the complexity of this ever-changing regulatory environment,” added Keefe.