ARE YOU AT EASE WITH YOUR

By Eric Veum, Risk Management Consultant, T.E. Brennan Company

INTRODUCTION

You have heard the horror stories of
hackers breaking into a company’s computer system, stealing customers’ credit
card numbers and holding them for ransom. Denial of service attacks have been
launched against companies and websites. A number of executives and business owners
are mistakenly under the impression that this will never happen to them.
However, protecting your computer system from such attacks could be the
difference between opening your e-commerce doors tomorrow morning and posting
the "closed" sign on your website. So here is the $64,000 question: what have
you done to protect your credit union from the financial consequences of
these attacks? This article discusses some of the exposures credit unions
face as a result of on-line services provided to members, potential claim
situations facing credit unions, and some tools that can be used to handle
the exposure.

EXPOSURES ABOUND

Many individuals become credit union
members because of the quantity and accessibility of the services offered.
For example, they can apply for credit cards, home equity or vehicle loans,
pay bills, and access account balances – all online. All of these services –
and this list is not exhaustive – present e-commerce exposures to credit
unions. With this in mind, credit unions are
exposed to a number of potential e-commerce claims. For example, credit
unions can suffer from:
As noted below, insurance is often
available to fund many of these losses. But who can put a price on the loss
of goodwill, which isn’t insurable?

NOW WHAT?

There are a number of tools and procedures
credit unions can use to protect their systems from attacks and unauthorized
disclosures, and the resulting financial consequences. These include internal
and external computer system controls, contractual transfer and purchasing
insurance. Discussing how to protect a computer
system from a security perspective is outside the scope of this article … and
my IT prowess. Having said that, below are suggestions which can assist
credit unions with protecting their members’ information and assets, and your
bottom line.

Do you use an outside vendor?

If you use an outside vendor to assist with the credit union’s
computer system (particularly its security) then specific attention should be
paid to the contract between you and the vendor. Before it is signed, be sure
that the remedies available under the contract are equitable from your
standpoint, and truly acknowledge the severity of a breach of service or
security. The contracts we have reviewed often limit the vendor’s liability
to essentially nothing, or only to the amount of the contract. The last thing
you want to discover at the time of loss is that your credit union’s recourse
for a $250,000 claim is limited to the contract amount of $30,000, even
though the loss is due to the vendor’s negligence. Therefore, we
recommend that all contracts go through a systematic review process, with
particular attention paid to the liability, indemnification and other risk
management implications.

Worms on the inside

In addition to securing your system from outside attacks, consider the
internal disruptions that are caused by the employees’ actions. Credit union
employee handbooks should specifically address employees’ use of the internet,
email and external media (CDs and floppy disks). A number of companies have
suffered disruptions and losses due to the actions of employees. For example,
an employee of a large financial institution obtained unauthorized access to
account and credit card information for 68 of the entity’s accounts resulting
in fraudulent purchases of approximately $100,000.

Insurance – A Financial Safety Net - Maybe

Let’s face it: bad things happen to good
people. If the pre-loss efforts described above fail, then insurance may be
available to fund the financial losses associated with computer system
disruptions. However, we strongly advocate that insurance be used in
conjunction with internal and external system controls and contractual
transfer. One must pay extremely close attention
(read: READ YOUR POLICIES) to insurance policies before relying on them to
respond to e-commerce claims. Off-the-shelf property, general liability,
credit union bonds and directors & officers’ liability policies provide
limited coverage for claims noted in this article. For example, a basic
property policy likely will not respond to the loss of information due to a
virus because the computer system is not physically damaged. Therefore, it is
recommended that your e-commerce exposures be thoroughly reviewed with your
risk management and insurance counselor to determine the types of coverages
needed to protect your credit union from losses. Specific coverages to look
for include computer system fraud, extortion, virus attacks, enhanced liability
coverage, business income, and public relations expenses. Some insurers have
even developed specific programs to cover e-commerce risks.

CONCLUSION

E-commerce services are here to stay, but
the risks associated with them can be properly - and collectively - managed
through the use of pre- and post-loss tools. These include system security
procedures, contractual transfer and insurance coverage. The time you take
today to recognize and address the consequences of these losses will save you
hours of anguish and frustration when they do happen.

Eric Veum is a risk management
consultant at T.E. Brennan Company [www.tebrennan.com], a fee-for-service
consulting firm, with offices in Milwaukee, WI.