AHT Insurance often gets questions about cyber security and cyber insurance policies. It is very confusing to figure out if your bank even needs a cyber policy separate from a general liability policy, for example. What really is the risk and do you need coverage for it?
Dennis Gustafson, a senior vice president at national brokerage firm AHT Insurance who specializes in financial institutions, described in a previous article what cyber policies cover. Here, he answers some of the most commonly asked questions about cyber insurance policies.
Aren’t cyber exposures covered by other insurance products such as general liability or fidelity bond?
Unfortunately, there is very little, if any, coverage overlap between the cyber liability policies and these other insurance policies. The general liability policies almost always include some type of data or network exclusion. And when it comes to fidelity bonds, a good principle to always consider is that fidelity bond policies react to theft of tangible property (money/securities), while the cyber liability policy reacts to theft of intangible property (social security or credit card numbers).
We use a third party to handle our website or credit card processing. Does this remove the need for cyber insurance?
While utilizing a third party for those activities definitely mitigates the risk, don’t forget that the client often doesn’t know about the third party, and as such, will bring the lawsuit against the bank. The bank would be responsible to defend itself against the lawsuit and hope to then subrogate against the third party. Also, if a third party is hacked, your bank would be one of many clients impacted, all of whom could be trying to collect from the vendor. Having an insurance carrier step in from the moment of the breach removes all of that legwork and financial risk.
Is the purchase of a cyber liability policy a cumbersome process, especially for a first-time purchase?
Yes. Keep in mind, the carrier is underwriting based on the quality of the entire network’s security. The applications can be lengthy and there are often additional questions asked after the underwriter reviews the application. Our advice is to coordinate a conference call with the chief security officer or information technology director and the insurance carrier. A 30-minute discussion can save hours of research.
All signs point to the fact that in the not-too-distant future, banks will take on more losses from cyber crimes than they will from physical robberies. It is the responsibility of the board and the executive team to put the right people, processes, technology and insurance in place to mitigate new risk exposures.