On March 18, SFNet hosted a Webinar, “Cybersecurity: Evaluating and Mitigating Borrowers' Risk to Cyber Breaches”. It discussed current trends in cyber threats to commerce and the potential impact to borrowers, and the steps lenders and borrowers can take to guard against and mitigate and recovery from cyber-attacks or data breaches. Panelists focused on due diligence steps lenders should consider in assessing risk and the steps they may need in their lending agreements.

Tina Capobianco, senior vice president, J D Factors served as moderator. Panelists included Thomas J. DeMayo, principal, Cybersecurity and Privacy Advisory, PKF O'Connor Davies, LLP; Steven Teppler, of counsel, Mandelbaum Barrett P.C. and Louis Natale, chief credit officer, White Oak Commercial Finance. PFK Clear Thinking and White Oak Commercial Finance sponsored the webinar.

Steven Teppler started off discussing the additional considerations that need to be taken beyond firewall, spam filters, antivirus software and malware programs. These include managing employees, networks, systems, patch management, upgrades and having significant encryption in order to be least resistant to an attack or an exfiltration of data or funds. Consequently, these considerations play a large role in obtaining – meaning qualifying for –  cyber insurance or filing a claim honored by the insurer. Some of the biggest challenges from an insurance perspective relate to compliance and there are many areas to consider.

“Is there a rule or a regulation that you have to comply with The National Institute of Standards and Technology (NIST)?” Teppler asked. “Is there a law, such as the New York (23 NY-CRR Part 500), which is applicable to many financial institutions, or the New York Shield Act (Stop Hacking and Improve Electronic Data Security Act, §899-BB, which applies to any business storing or processing the personal information of a New York resident?

Do you have adequate encryption? What are your employees using to access your network? If it’s their own device, how do you manage the information on those devices without worrying whether or not there will be an exfiltration of confidential information, and then subject you to a breach notification law in any state in which somebody’s personal information has been made public?”

When reviewing checklists in cybersecurity insurance, many range anywhere from 100-200 questions long, and they are often intrusive. It’s important to read through the questions carefully to avoid coverage being denied or provide misleading or incorrect responses, which can then lead to a denial of coverage.

“There's much more to it than just obtaining insurance and the payment of the policy,” Teppler cautioned.

Ensuring Steps are Followed: A Lender’s Perspective

The due diligence checklist during underwriting and field exams will require a review and oversight of the existing insurance policy and if you’re in compliance with that policy, Natale explained.

“What possibly could be there that you’re not paying close enough attention to that a claim against cybersecurity would work against you?” he asked.

For the field examination team, Natale said the scope has expanded to not only having enough insurance in case inventory was destroyed or stolen, but also from a systematic perspective, such as a breakdown in the system due to malware or ransomware.

“Traditionally in the ABL and factoring sense, our borrowers utilize us for working capital needs,” Natale added. “So, when they're using us for capital and there's a systematic breakdown at our borrower level, the movement of cash, the receipt of cash, and the forwarding of cash could potentially be impacted. So, it's really important to look at that during the underwriting process,” he said.

Borrowers can also be required to provide an annual report and a yearly certification that it has performed a cybersecurity audit.

People, Process, Technology

PKF O’Connor Davies’ DeMayo said that his firm’s role is acting as an advisor, validator and evaluator, with a focus on three pillars within the cybersecurity ecosystem—people, process and technology.

1. People: What are your policies? How are you guiding and training employees? Do you have awareness training? Are you doing phishing exercises?

    

2. Process: How do you manage and respond to threats coming in? What is the process behind the technology?
   

    

3. Technology: Look at it from a layered perspective and have your perimeter and internal networking component safeguarded, whether it's servers or workstations. In a remote/hybrid environment, ask how that transcends from being protected at the perimeter to now being all over due to cloud applications and users connecting from different locations.

“Everything is based on risk,” DeMayo added. “Some borrowers may have heavier compliance obligations than others. Risk management and identification is going to be a key component. But, if you don't have the process on how you're going to manage and respond to things that are coming in, especially alerts, you’ll check the box, but your process is broken. It's about seeing where the breakdowns are, either in a silo, or across the three pillars. From the borrower’s perspective, we’ll look to see that a process is in place to effectively identify, understand and manage risk and if it’s being communicated to senior management and the board. If there isn’t an effective governance model to guide a cybersecurity strategy, it will fail over time.”

For those looking to implement a cybersecurity process, first conduct a risk assessment to see where the issues are in systems, processes and data repositories. A cybersecurity program can then be developed, matured, and tested, utilizing techniques such as penetration testing and social engineering exercises. The testing will help evaluate the effectiveness of the cybersecurity program and identify deviations that may occur over time.

For new employees, DeMayo strongly encouraged ongoing cybersecurity training, whether it's alerts, tips and tricks e-mails, scams of the week, or phishing exercises.

“Implementing a cyber security plan, and not continuously testing and updating it kind of defeats the purpose,” Capobianco summed up.

The Recovery Plan

In the event of a security breach, system logs and insurance policies are first reviewed as well as engaging with cyber forensics teams. Breach notification requirements, provisioning, international implications, timelines for reporting, and when and how to report to law enforcement are all examined.

“If you're dealing with large critical infrastructure, there's a bill about to be passed into law, which provides for a four-day reporting requirement for a cyber incident,” Teppler said. “There are many considerations to be made in a very short period of time that require an integrated approach, both from legal and cyber forensics, and the client itself.”

Recovery plans that are ransomware-resilient even down to the paths of file and data backups have grown in importance.

“There's a tradeoff between the safety of your backup and the timeliness of your backup,” Teppler said. “Right now, your best bet might be to have an onsite backup, a cloud backup, and maybe an offsite backup that isn't connected to the internet. You may only have your information from two or three days ago, or a week ago, but you won't lose your entire data set. These are things that you talk about when you do your risk assessment. If you don't conduct a risk assessment, you don't know what your risks are and you are absolutely not compliant with anything. Digital information is your most important asset. Without it, you can't operate. You must protect that asset just as you protect any other physical asset you might have. While not showing immediate return on investment, the point of having adequate security is to prevent the catastrophic loss, which happens later.”

Capobianco asked panelists on how to convey to borrowers to be sure that they’ve put the proper systems in place.

“When you work with your prospects and your existing borrowers, you create a level of awareness,” Natale explained. “What does it take to go through a cybersecurity breach? What is it going to cost for this level of insurance? What does it cost for me to comply?”

“I would imagine that many companies of certain sizes are going to say, ‘Yes, absolutely, insurance is a necessity.’ You buy insurance for just about everything. So, this is the new insurance on the list to buy,” Capobianco added.

SFNet members can access the recording of the webinar by clicking here.