Cyber Security and Cyber Insurance; What You Don’t Know Will Hurt You

Written by: Gary M. Krasna, Esq., Owner, Gary M. Krasna, P.A.

In the current technological environment, cybercrime is in the news on a near daily basis.  The factoring industry is certainly not exempt from this threat, with a tremendous amount of data and funds moving on a daily basis.

Each factoring firm should have a cybersecurity compliance and protection plan in place to protect its data, reputation, and economic health.  Governmental regulations require the protection of sensitive client data, including the billions of client records stored on factors’ servers.

Key elements of cybersecurity compliance and protection plans include:

  1. Risk Assessment and Management: Conducting regular risk assessments to identify and prioritize cyber risks, vulnerabilities, and threats, and implementing risk mitigation measures to address identified gaps and vulnerabilities.

  2. Security Controls and Safeguards: Implementing technical, administrative, and physical security controls and safeguards to protect against unauthorized access, data breaches, and cyber threats, such as encryption, access controls, and intrusion detection systems.

  3. Incident Response and Reporting: Developing incident response plans and procedures to detect, respond to, and recover from cyber incidents, and establishing protocols for reporting data breaches and security incidents to regulatory authorities, affected individuals, and other stakeholders.

  4. Vendor Management: Assessing the cybersecurity posture of third-party vendors and service providers and implementing contractual provisions and security controls to mitigate risks associated with outsourcing and supply chain dependencies.

With so much of our data stored in digital form on hardware servers as well as on the cloud, protecting your data while assuring that your data is available to you and your team without risk is of paramount importance.

One of the major threats that factors face is transferring funds based upon fraudulent wire or ACH instructions. If you or any of your team members receive a request to change the remittance instructions for your client, the first thing to do is stop. Go into your file and get the authorized signer list from your original closing.  Next, call the client at the number that you have for them and speak to one of the parties on that list, preferably someone who you have spoken to before.  Ask them to verify the wire or ACH instructions to you.  Have them provide the account number, name, ABA number and bank name.  If you have a personal relationship with the person that you are speaking with, make sure to ask them questions that would assist you in verifying that they are who they claim to be. Keeping a log of verification calls is an excellent practice. 

When you get an email requesting a change in wire instructions, review the email address of the sender and make sure there are no deviations or typos in the email address.  Beware of typos in the text of the email itself, and beware of emails introducing a new CFO, comptroller or treasurer and providing new wire instructions.  Remain diligent and always verify – it can potentially save you millions of dollars and legal liability.
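The sender-address review described above can be partly automated as a first screen before the verification call. The following Python sketch is an added example, not part of the original article: it compares the From header of a change request with the contact address on file and flags near-miss addresses. The function names, the edit-distance threshold of 2, the character-swap list and the example.com addresses are all assumptions chosen for illustration.

```python
from email.utils import parseaddr

# Character swaps often used to imitate a domain (illustrative, not exhaustive).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def skeleton(text):
    """Collapse look-alike character sequences so imitations compare equal."""
    for fake, real in CONFUSABLES:
        text = text.replace(fake, real)
    return text

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_sender(from_header, on_file):
    """Compare a From header with the address on file for the client.

    Returns 'match', 'lookalike' or 'unknown'. Anything other than 'match'
    is escalated; a 'match' still goes through the call-back verification.
    """
    _, addr = parseaddr(from_header)
    addr, on_file = addr.lower(), on_file.lower()
    if addr == on_file:
        return "match"
    local, _, domain = addr.rpartition("@")
    ref_local, _, ref_domain = on_file.rpartition("@")
    if domain == ref_domain:
        # Right domain, slightly different mailbox name.
        near = edit_distance(local, ref_local) <= 2
    else:
        # Different domain that reads like the real one.
        near = (skeleton(domain) == skeleton(ref_domain)
                or edit_distance(domain, ref_domain) <= 2)
    return "lookalike" if near else "unknown"

# Constructed sample headers; the example.com addresses are placeholders.
ON_FILE = "jsmith@acmefreight.example.com"
SAMPLES = [
    "J. Smith <jsmith@acmefreight.example.com>",
    "J. Smith <jsmith@acrnefreight.example.com>",
    "J. Smith <jsmith@acmefrieght.example.com>",
    "New CFO <jsmiht@acmefreight.example.com>",
    "Accounts <billing@mailbox.example.net>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{review_sender(header, ON_FILE):10} {header}")
```

A "match" result only means the address is spelled correctly; a compromised mailbox sends from the genuine address, which is why the call to a listed signer remains the deciding step.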

If you discover that you or someone in your organization has sent a wire or ACH to the wrong account, call your bank immediately.  Time is not on your side, so try to have the wire or ACH recalled ASAP.  There will be plenty of time to figure out what went wrong on your end, but contact the bank first.

Next, contact the FBI, the Secret Service and other law enforcement agencies to alert them of the scheme. You should also contact your cyber insurance carrier to file a claim and have them arrange for their mitigation team to become immediately involved.  The faster you react, the better your chances of recovering your money.

You can also mitigate your risk by sending money to clients via ACH rather than wire transfers. ACHs can be recalled for up to 5 days.  

Factors should also consider purchasing cyber insurance.  While your business package policy may have some minimal coverage for cyber losses, cyber insurance is specifically engineered to cover some of the losses that you may incur in a cybercrime incident.  

Cyber insurance policies typically offer coverage for:

  • Data breach response and notification costs, including forensic investigations, legal expenses, and customer notification.

  • Regulatory fines and penalties imposed for violations of data protection and privacy laws.

  • Legal defense and litigation costs arising from lawsuits and legal claims related to cyber incidents.

  • Business interruption and loss of income resulting from a cyber incident that disrupts normal business operations.

  • Cyber extortion and ransom payments associated with ransomware attacks and other forms of cyber extortion.

  • Losses from wire or ACH fraud.

By transferring a portion of the financial risk associated with cyber incidents to insurers, cyber insurance can help factors to partially mitigate the financial impact of cyber attacks and enhance their resilience to cyber threats. Furthermore, some cyber insurance policies offer proactive risk management services, such as cybersecurity assessments, training, and incident response planning, to help factors improve their cybersecurity posture and reduce their exposure to cyber risks. Cyber insurance policies vary from carrier to carrier, so be sure to discuss the various options and coverages with your insurance broker.  As a result of the increased number of wire and ACH fraud losses, coverage for such losses is typically capped at $250,000.

As with the other risks that factors face every day, diligence and education are the first line of defense.  As your team members are trained to look for signs of fraud, their education and training need to be expanded to identify cyber risks.  Criminals are getting more sophisticated every day, and factors need to always be vigilant to protect their greatest assets: data, money and reputation.

The author would like to recognize the assistance of Richard Simon, Esq., Harvey Topitz and Josh Berkowitz in this article.  They, together with the author, presented a panel discussion on Cyber Security and Cyber Insurance at the recent IFA Conference in Miami Beach, Florida.

The views expressed in the Commercial Factor website are those of the authors and do not necessarily represent the views of, and should not be attributed to, the International Factoring Association.
