These breaches have led to increased regulation for financial institutions at both the federal and state level. In fact, it's safe to say that 2015 may very well be the year of the cyber rule. Among the most prominent developments is the Federal Financial Institutions Examination Council's announcement that it will update cybersecurity guidance in 2015. State initiatives are likely to follow. New York's Department of Financial Services, for example, has given notice that it too will implement more stringent examinations of cybersecurity governance.
Banks will face increased regulatory risk when it comes to complying with these new rules, as many experts have opined. However, few people have addressed a much larger issue: the increased risks resulting from a check-the-box compliance mentality.
Such risks occur when banks create governance that meets regulations without understanding the real intent of the guidance or effectively addressing the issues that the regulations are intended to tackle. This results in a bank that is compliant yet still vulnerable to massive liabilities.
Many banks have exposed themselves to check-the-box compliance risk in dealing with the requirement that they carry cyber liability insurance coverage. In todays world of cyber-crime, insurance coverage is an absolute necessity. Most banks already have it.
However, a narrow focus on compliance has led a lot of banks to purchase coverage that is wholly insufficient to address the gamut of actual liabilities.
For example, banks can be liable for corporate account takeovers when the account holder's network is compromised. In this type of breach, hackers focus their malware on the account holder, whose computer contains all of the information necessary to architect the fraud yet typically lacks banks' robust defenses. Hackers steal the customer's login credentials so they can hijack their online bank accounts and fraudulently wire large sums of money; all the while, the bank's network is left untouched.
Banks may wind up footing the bill for six- to seven-figure claims because their policies do not cover breaches outside the insured network. This is a major blind spot: a report from Aite Group estimates that corporate account takeover could lead global organizations to lose $722 million in 2015 alone.
This illustrates the danger that banks face if they merely purchase a compliant coverage and stop there. Conversely, banks that grasp the intent of guidance on cyber insurance, as well as the underlying issues, can indemnify themselves by working with their insurers to understand their policies. They can then make sure that any losses stemming from corporate account takeovers are covered either through the cyber liability policy or through additional policies such as electronic funds transfer coverage.
The lesson here is that regulations are global policies that require local action. It is impossible for any regulator to craft guidance that effectively addresses the problems that ail every bank in America. Thus regulations must be regarded as setting minimum standards, not final goals.
Checking the box will only go so far. To truly mitigate cyber-risk, banks must understand why regulators have issued guidance in the first place and implement layered approaches that go above and beyond basic rules.
Ryan Elmer is a senior consultant in the technology risk advisory practice at the accounting and consulting firm McGladrey LLP. Follow him on Twitter at @FUDInfoSec.