Is Cybersecurity Insurance A Good Idea?

Posted by Eric English • Feb. 3, 2015 • 0 Comments

One of the biggest questions we get asked is whether or not cyber insurance is a good idea or if it's worth the cost. There are numerous breaches in the news lately, like Home Depot, Target, or the latest with Sony, that point to a good reason for getting cyber insurance.

Will cyber insurance help you repair your reputation after a breach? Absolutely not. It will help with the financial costs associated with the hack or compromise. The costs of hiring lawyers, hiring computer forensics experts, and potentially replacing compromised hardware are just some of the costs associated with a breach. Target has spent $146 million so far since their security breach. Imagine how much Sony will spend because of their breach. They had to cancel the release of one of their movies, pay for security experts to track down how the breach occurred, try to repair their reputation, and try to protect the information of the people they employ.

Cyber insurance is a good idea for most businesses, but one thing most people don't realize is that there are exclusions in insurance policies that can leave you up a creek. The majority of cyber insurance does not cover 3rd party vendors, which the majority of all businesses use nowadays. With more and more businesses relying on the cloud for critical business functions, cyber insurance will not cover any stolen or lost data while in the hands of a 3rd party. This is the main area where cyber insurance can fall short.

Knowing the shortcomings of cyber insurance, it's imperative to know what data your vendor has and how critical that data is. We rely on vendors to provide self-assessments regarding their security posture, and as part of a good vendor management program we review SSAE16, SOC reports, and PCI compliance reports, but these are only a start. Just because a company is PCI compliant doesn't mean they are the most secure they can be. Businesses should be diligent in their vendor selection process and perform security testing on that vendor and their software at least annually. The vendor is then responsible for patching any vulnerabilities found during testing.

So, is cyber insurance a good idea? Overall yes, however, there are exclusions in policies to be aware of. With 3rd party vendors, additional security testing should be performed on those vendors whenever possible. Contact us online to learn more about possible holes in your security and how we can help.

Topics: cybersecurity

Hire a CISO!

Posted by Heath • Jan. 27, 2015 • 0 Comments

I'm shocked that Target and JPMC did not have a Chief Information Security Officer on staff during their breaches. I do not believe that these individuals would have prevented a breach altogether, but at least there would've been a prior appointed individual to take control of the situation and already have a rapport with executives to take necessary incident response actions. Many of our VISO clients' Executives and even Board members have a relationship with our appointed VISO Garland Heart staffers. We preach to our executives it isn't IF you get breached, but WHEN. The goal is to minimize exposure in a breach scenario as well as respond properly.

A CISO would optimally see an attack coming from different avenues and either enhance controls or put together more defined incident response strategies. For example, in the Sony compromise, it was obvious that the entertainment sector was gaining more attention from malicious entities. I'd like to think a CISO would have been empowered to employ additional resources around securing these breached assets. Especially when we investigate the amount of lost revenue Sony is expecting.

Of course a CISO isn't just responsible for their enterprise's security anymore. Target learned the hard way that networks can be breached from the most obscure of vendors. So CISOs need to implement Vendor Management Programs, Training and especially Incident/Business Continuity plans. The Sony breach resulted in not only lost revenue from entertainment assets being leaked, but also a Denial of Service attack that rendered users down for at least a couple of days. We'd love to hear your thoughts -- feel free to contact us online with questions about anticipating attacks.

Staying Secure & Safe This Holiday Season

Posted by Eric English • Dec. 18, 2014 • 0 Comments

As most of us are frantically running around to find the last minute gifts for family and friends, we seldom think about security. Most of us trust the places we shop and assume they have all the latest and greatest secure payment methods. Here are a few ways to stay safe when shopping online and in store this holiday season.

1. Cash? What's that?

Most people don't use cash for anything anymore, but it is really the most secure payment method if you think about it. Yes, you still have to go to an ATM or your bank and get the cash, but at least you won't be giving your credit card info to any retailers and running it through any POS systems. If you're going to get cash, go to your bank, go inside or drive through, and fill out the withdrawal slip to get your cash. This minimizes the risk of an ATM skimmer installed on an ATM getting your info.

2. Use Credit Cards Not Debit Cards

Credit cards are insured against theft and are not tied to your bank account. If you've ever had your bank account compromised, you understand how annoying it is trying to get funds back into your bank account. This process can take several days if not weeks depending on the bank. If the credit card is compromised you're not responsible for the charges and they're not taking the money directly out of your bank account. This means you can live your life and not have to wait for the funds to be put back into your account.

3. Don't Use The Same Password

In a recent study conducted by Javelin Strategy & Research, people that have 20+ online accounts are more likely to reuse passwords, which makes it 37% more likely that your accounts will be compromised. 37% more likely!!! Yikes! So how the heck do you remember all of those passwords? Use a password manager to help you stay safe. Some examples of password managers are LastPass and DashLane. Just remember when you use a password manager you should use a stronger than usual password for your password manager account.

While we might be free of passwords in the future, they are here to stay for the time being. Stay safe this holiday season and use precautions when shopping online or in store.

Happy Holidays!


Topics: Virtual Compliance, credit card security, Info Security, Strategic Consulting, Blog, password security

Understanding EMV Technology

Posted by Gaye Connell • Nov. 20, 2014 • 0 Comments




The payments industry is migrating from magnetic stripe bank cards to EMV chip cards to improve the security of bank card transactions. Watch this 30 min. webinar for a good overview of EMV technology to find the answer to these questions:

  • How is EMV going to mitigate fraud?
  • Why is now the right time?
  • What are the timeframes for implementation?
  • Is EMV the answer for all fraud?


Topics: ATM skimming, EMV, Info Security, chip card, Blog, Webinars

Banking Legalized Marijuana

Posted by Gaye Connell • Oct. 17, 2014 • 0 Comments



This has to be the most intriguing topic that we have ever done in the Garland Heart monthly webinar series. We even had one attendee ask if we were going to serve munchies! Seriously, this is a topic that we all need to begin to understand in the financial industry as the laws are ever changing. Our guest speaker, Ben Knieff, discussed the regulatory risks of providing services to these legalized marijuana businesses and how to decide whether to service these businesses....or not.

Topics: Virtual Compliance, Info Security, Blog, Webinars

Welcome Hannah to Garland Heart

Posted by Nik • Oct. 8, 2014 • 0 Comments


Garland Heart is continuing to expand its sales presence nationally and Hannah Day is going to help us do that! Hannah joined Garland Heart in a business development role and will be based in our Colorado office location. She has been in the financial industry for the last 10 years working in electronic banking services, product management, strategic planning and sales strategy. In her free time you can catch her fly fishing/hiking in the Rocky Mountains, singing and playing guitar, and spending time with her friends and loved ones. Please help us give a warm welcome for Hannah to Garland Heart! Her email is if you want to drop her a note to say Hi.

Topics: Impacting Lives, Blog

October is CyberSecurity Awareness Month!

Posted by Heath • Sep. 25, 2014 • 0 Comments

Often, we recommend publishing links on bank websites so customers (and employees) can read up on how to protect their information and identity online. Independent Bankers Association of Texas (IBAT) has posted a convenient list of links here:

I also couldn't agree more with Chris's comment about how bad guys are good at what they do and only getting better. October will be as good a time as any to at least do some reminder emails or even some full on training for staff on CyberSecurity, especially if you haven't done any this year.

Topics: Info Security, Blog, cybersecurity

Maximizing your Enterprise Business Impact Analysis

Posted by Gaye Connell • Sep. 12, 2014 • 0 Comments


The most extensive undertaking of any Enterprise environment is the creation of the Business Continuity Plan and the Recovery Procedures from a disaster. In order to effectively create an accurate continuity plan of the organization as a whole and a recovery process that mitigates the cost to the organization, customer impact, reputation, and operational impact, the first turnstile is the Business Impact Analysis. This webinar is a high level overview in which Wade Clem, Compliance Specialist at Garland Heart, shared some ways to effectively gather the information needed to produce the Enterprise Business Impact Analysis.

Copy of Slides - Maximizing Business Impact Analysis

Topics: Virtual Compliance, Info Security, Blog, Webinars

Cybersecurity in US Banks

Posted by Eric English • Sep. 2, 2014 • 0 Comments

In recent news, several US banks have been the target of cyberattacks with JP Morgan Chase being named as one of the banks that were hacked. There are several other banks that have yet to be named but will certainly be revealed in the weeks to come. The scope of the information stolen is yet to be determined as forensic efforts are still in process and an ongoing FBI and Secret Service investigation as well.

As reported by USA Today here, the initial reports are indicating that the attacks are "not officially the work of the Russian state, they are being done with its blessing". These attacks are part of a larger attack related to nationalist cybercrime campaigns against financial institutions that includes German and Swiss banks as well as European Central Bank.

CNET news has also reported on these attacks here, which details further how the attacks were carried out and what information the attackers were after. Typically hackers go after usernames and passwords so they can log in to victims' accounts and transfer money or sell the information on the black market. These attacks were different. Reports are that they were not only after usernames and passwords but that they were also after bank records. According to CNET, the attackers modified and deleted some of the banks' records, yet the motive for these actions is unknown.

It appears the hackers were able to gain access to JP Morgan Chase's systems by sending phishing emails to employees of the bank. The phishing emails contained what appeared to be an encrypted email message from a legitimate source.


The hackers were able to spoof the template of Chase's encrypted email system and use that against the company. The fake email contained a link to custom written malicious software that was undetectable by typical virus detection software. This type of phishing is a common theme among hackers in attempts to gain access to internal systems, and in this instance it was successful.

Cybersecurity is a constant threat for banks and other financial institutions and the attacks are ever evolving and becoming more sophisticated as new technologies are developed. To avoid being a victim to these types of attacks it is imperative to train and educate your employees and test them when possible. Training and education are the best ways to help thwart such attacks but it is also necessary to continuously keep up with the latest threats and incorporate that into training. Best practice for emails: If you're not expecting a link or attachment from someone, call them and ask to make sure they sent it.


Topics: hackers, Info Security, phishing, Blog, cybersecurity, Cyber attack

Reminder to Change Passwords

Posted by Heath • Aug. 7, 2014 • 0 Comments


This article doesn't have much in the manner of specifics, however I have no doubt that out of the hundreds of billions of passwords for web applications, at least 1 Billion have been stolen.

NY Times article

Anywho, still a good reminder to change those passwords regularly, especially for your 'higher risk' sites such as online banking, investments, social media, etc.

Want some good password creation tips? Check out this link:

5 Steps to a Good Password

Topics: Virtual Compliance, reminder, Info Security, Strategic Consulting, Blog, Security, password
