Risky Business

Banks are very likely these days to own cyber liability insurance policies, given the increase in sophisticated attacks and the public attention to the issue. The insurance itself is complex, so much so that Dennis Gustafson, principal and leader of the Financial Institutions Practice at AHT Insurance, likens it to a “Chinese menu of coverages.”

“Most of my banking clients have some form of liability coverage,” Gustafson says. “But it’s always a question of whether they have the right one.” Gustafson says that banks are able to choose policies that cover a range of potential cybercrimes. Coverage for any resulting regulatory claims-defense or fines-is relatively standard, he says.

But the insurance is hardly a one-size-fits-all solution. Those looking for coverage can find it’s still a buyer’s market, says Judy Selby, managing director in BDO Consulting’s Technology Advisory Services practice. With so many options available, a bank may need help navigating them, avoiding restrictive limitations and building up what Selby calls a tower of protection. “One of the challenges companies are having is getting enough coverage,” Selby says.

CHANGING THREATS

Getting insured for cybercrimes also can be more challenging than other types of theft insurance due to the changing threat landscape, Selby says. “Technology is constantly evolving, and the ingenuity of the hackers is evolving as well.”
Gustafson looks at two areas in which insurers are currently paying the most claims: the cost of notification and forensics. “Most states dictate you have to notify all of your customers, and there is a cost associated with that,” he says. “Likewise, if it is a significant hack, you want the forensic experts to come in to determine what happened and how.”

But as with any cafeteria-style insurance, “not every policy covers that, and not every bank chooses it,” Gustafson says.

“Social engineering” is also growing in its creativity. This is when a bank employee is tricked into releasing some bank asset-including money-to a criminal. The criminal may claim to be a bank executive, an unpaid vendor or a customer asking for money. “The key to coverage is the bank must have procedures and follow them,” Gustafson said. “When an underwriter prices this type of coverage, they have a fairly lengthy questionnaire to understand the controls in place. If the bank follows procedures, there would be insurance coverage to indemnify them.”

But here’s where cyber policy gets tricky: If a bank employee releases a client list with personal information, the cyber policy would be used to pay the costs related to notification. But if the employee transfers $100,000 to someone in Eastern Europe, the bank would look to its fidelity bond for reimbursement of that loss. “There are exceptions,” Gustafson says. “But cyber liability is mostly for non-tangible property.”

Phishing schemes-where hackers contact a bank employee or customer to get personal information, such as an account login-also likely will not generate a claim on its own, Gustafson says. “But it could create a breach in which there is a need to notify a customer.”

Selby, an attorney, notes that some cases are in the courts that may shed light on this gray area of cybercrimes, as courts attempt to define whether a hacker accessing a computer to essentially “rob” a bank is a computer issue or a robbery.

Regardless, banks should check their fidelity bonds to ensure that hacks or social engineering are covered when money is lost, both Selby and Gustafson say.

A cyber policy could cover any business interruptions, an area that Gustafson called “high severity, low frequency.” He noted that a bank-with other ways of interacting with customers-won’t be as negatively impacted if its website is taken down by hackers as some other kinds of companies. “They’re not like Amazon or eBay, where a website outage can cost millions an hour.”

Ransomware is at the opposite end of the spectrum. This is when a criminal places malware into the computer system and holds the business operations hostage until a ransom is paid. “They charge a relatively small amount,” Gustafson says. “Once they get paid, they release it. I’m willing to bet that for every one we hear about, there are 10 that are not disclosed.” Coverage for this is rare, he says, but available. It can cover the cost of the extortion itself and/or the cost to hire experts to remove the malware without paying the ransom. “If you’re concerned about this, you need to ask for it,” Gustafson says. “It tends not to be very expensive.”

VENDOR RESPONSIBILITY

A vendor can be equally vulnerable to a cyber incident, and banks typically rely on hundreds if not thousands of vendors.

“You can delegate the work, but you can’t delegate the responsibility,” Selby says.

Gustafson says banks can contractually require the vendor to hold a cyber policy in the contract. But banks should

“make sure the bank is covered and that the limits and sublimits are adequate,” he says. “You want to make sure the bank is listed as a payee or additionally insured so they’ll have access to the [payout on the] claim.”

ADDITIONAL CONSIDERATIONS

Today’s cyber liability policies are complex, confusing and can be contradictory. Gustafson sees many banks taking risks with sublimits that are too low. For instance, a bank may have $3 million in liability insurance, but a cap of $250,000 for notification efforts. “You want to have higher limits in the areas where the claims are being paid,” he says.

In addition to coverage for data breaches, Kevin Violette, senior vice president of RT Pro Exec, suggests banks look at exposure for any intellectual property risks, such as material published on the website, as well as anything defamatory or libelous. Gustafson agreed. “The cyber policy is what is used to protect from claims of libel, slander, copyright or trademark infringement,” he says. “If you misquote a rate on your website and a person loses money, it would be covered by the media portion of your cyber liability policy, if you have chosen that coverage.”

These days, Selby sees very little pushback from insurers in paying claims. That tends to occur “if [the companies] violate a condition of coverage,” she says. Most policies require action on the part of the insured-and many require consent before spending to remedy a cyber issue, she says.

So banks should not purchase insurance and set it on a shelf. In addition to the annual renewal, Selby recommends banks keep up with what’s required to remain covered. You may need to notify the insurer of changes in your business. And as cybercriminals change their tactics, it makes sense to ensure that coverage would apply.

Ultimately, any changes in the cyber liability insurance market will be driven by lawsuits and claims, Gustafson believes. He likens it to sexual harassment and discrimination insurance-once thought unnecessary and now standard practice. “The number of claims skyrocketed and that became a necessary form of risk management.”

Cyber liability insurance certainly seems to follow that same path. But like other types of insurance, it may bring a little peace of mind-but will be most comforting if it’s never used.

No Excuses: Cyber Liability Insurance Misconceptions

While many banks have some form of cyber liability insurance, those that don’t might be relying on a few faulty assumptions:

A vendor has adequate coverage. Granted that might “mitigate some risk,” says Dennis Gustafson, principal and leader of the Financial Institutions Practice at AHT Insurance. “But if the third party gets hacked, get in line.” The bank is likely not the only customer affected. Is the vendor’s coverage limit high enough to make whole potentially hundreds of banks?

It’s already covered by a general liability and/or fidelity bond. The general liability coverage probably includes a cyber exclusion. The fidelity bond only pays out if money is stolen, such as in a robbery or by employee dishonesty.

The bank is small-and cybercriminals don’t know it exists. While a small community bank may not have the same risks as a large national or international bank, smaller banks may be more vulnerable because they have fewer defenses.