By Ted Frizen, Insurance Consultant, Financial PSI
Cybercrime, and ransomware attacks in particular, is increasing at an alarming rate. Ransomware is a form of malware designed to encrypt files on a device, making those files and the systems that rely on them unusable. The criminals then demand a ransom in exchange for decryption. A ransomware attack can significantly disrupt your bank's processes and leave the bank without the data it needs to operate and deliver services to your customers. Beyond that financial risk there is reputational risk: your customers may lose confidence in the bank if they do not believe its systems are secure.
Because of the rise in these attacks, most cyber insurers are starting to limit coverage, and underwriters and regulators are examining your cybersecurity practices with a fine-toothed comb. At renewal, almost all of our carriers (and soon all of them) are asking insureds to increase their protections, most notably by deploying multi-factor authentication (MFA). Most of these insurers have added a very detailed ransomware supplemental application and are issuing non-renewal notices to insureds that do not properly answer its questions. It is estimated that properly implemented MFA can block 99.9% of account-compromise attacks.[1] In addition, 94% of the ransomware victims investigated were not using MFA.[2]
What is MFA? Simply stated, multi-factor authentication is the use of two or more authentication factors to verify a user's identity before granting access to your system. A factor can be a password, a code sent as a text message to a mobile phone, or a biometric such as a fingerprint. These layers of security make it more difficult for cybercriminals to get into a bank's system.
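To make the "two or more factors" idea concrete, here is an added example (not part of the article) of a server-side login check that requires a password plus a six-digit code from an authenticator app. The code-generation part follows the public HOTP/TOTP specifications (RFC 4226 and RFC 6238); the user name, password and enrolled secret are constructed demo values, and the secret is the RFC test key so the results can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import os
import struct

# Constructed demo secret (not from the article): the RFC 4226/6238 test key,
# base32 encoded the way authenticator apps expect it. Never reuse a test key.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret_b32, int(at_time) // step, digits)


class TotpVerifier:
    """Second-factor check with small clock-drift tolerance and replay protection."""

    def __init__(self, step: int = 30, window: int = 1):
        self.step = step
        self.window = window      # accept codes this many steps before/after "now"
        self.last_counter = {}    # username -> highest counter already accepted

    def verify(self, username: str, secret_b32: str, submitted: str, at_time: float) -> bool:
        current = int(at_time) // self.step
        for counter in range(current - self.window, current + self.window + 1):
            # A code whose counter was already consumed is rejected, so a code
            # captured by phishing or shoulder-surfing cannot be replayed.
            if counter <= self.last_counter.get(username, -1):
                continue
            expected = hotp(secret_b32, counter)
            if hmac.compare_digest(expected.encode(), submitted.encode()):  # constant time
                self.last_counter[username] = counter
                return True
        return False


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; the stored record is (salt, derived key)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def check_password(record: tuple, password: str) -> bool:
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(stored, candidate)


# Constructed user store: one employee with a password hash and an enrolled TOTP secret.
USERS = {
    "teller01": {
        "password": hash_password("correct horse battery staple"),
        "totp_secret": DEMO_SECRET_B32,
    },
}
VERIFIER = TotpVerifier()


def authenticate(username: str, password: str, code: str, at_time: float) -> tuple:
    """Both factors must pass. Returns (ok, reason); the reason is for server logs only."""
    user = USERS.get(username)
    if user is None:
        return False, "unknown user"
    if not check_password(user["password"], password):
        return False, "bad password"
    if not VERIFIER.verify(username, user["totp_secret"], code, at_time):
        return False, "bad or reused one-time code"
    return True, "ok"


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the matching 6-digit code is 287082
    print(authenticate("teller01", "correct horse battery staple", totp(DEMO_SECRET_B32, t), t))
    print(authenticate("teller01", "correct horse battery staple", "000000", t))
```

The point the article makes shows up in `authenticate`: a stolen password alone never reaches "ok", because the second factor is checked independently, and a one-time code that has already been used is refused even inside the drift window. Real deployments keep `last_counter` in persistent storage and rate-limit failed attempts rather than relying on an in-memory dictionary.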
Since we all have many passwords for our various systems, passwords are often the weakest link in a bank's cybersecurity. Most of us get lazy with our passwords, which makes them easier to compromise. According to the 2017 Verizon Data Breach Report, "weak or stolen passwords were responsible for 80% of the hacking related breaches."[3]
There are three access points that definitely need to be protected by MFA. First, MFA is a must for remote network access. This control reduces the chance of a network compromise caused by lost or stolen passwords; without it, a criminal holding a valid password can enter the bank's network looking like an authorized user. Second, a bank must use MFA for both remote and internal administrative access. This helps prevent a criminal who has compromised one internal system from escalating privileges and gaining broader access to the network. With administrative access, a criminal can deploy ransomware across the network and even turn off anti-malware protection. The third access point to protect with MFA is remote access to email. This reduces a criminal's ability to take over a user's corporate email account and use it from non-corporate devices.
Here are some of the questions that must be answered yes in order to renew most cyber policies:
- Is multi-factor authentication required for all employees when accessing email through a website or cloud-based service?
- Is MFA required for all remote access to the network provided to employees, contractors and third-party service providers?
- In addition to remote access, is MFA required for access to third-party service providers?
As you can see, MFA is a really important tool for your bank to help prevent ransomware and other cyber crimes. Also, your cyber insurance renewal may depend on your implementation of MFA.
[2] Source: Areta Presentation "Ransomware Cards", 7-31-2020.
[3] Source: Tin Zaw, "2017 Verizon Data Breach Investigations Report (DBIR) from the Perspective of Exterior Security Perimeter," Verizon Digital Media Service, last modified July 26, 2017, https://www.verizondigitalmedia.com/blog/2017/07/2017-verizon-data-breach-investigations-report/