Risk
11/28/2025

The Importance of Getting Cyber Insurance Right

Financial institutions have found that cyber insurance rarely covers all their costs.

Jackie Stewart
Executive Editor

The constant risk of cyberattacks has been top of mind for banks this week: A third-party vendor to hundreds of banks and other lenders was hacked earlier this month. SitusAMC, which helps originate real estate loans, acknowledged that it suffered a cyber incident on Nov. 12, according to The New York Times. The industry is still assessing the fallout from that breach, but the event underscores the importance of cybersecurity and the cost of a failure.

To help offset the costs of a potential breach, most banks carry some form of cyber insurance. Globally, about half of the financial services firms that responded to a 2024 survey by Sophos, the British security software and hardware company, said they had standalone cyber insurance, while another 37% said they have that type of coverage as part of their wider business insurance package.

Although not all policies would cover a scenario like the SitusAMC incident, cyber insurance could help lower expenses if a bank’s own defenses are breached. Recovering from an incident such as a ransomware attack can cost millions of dollars, according to Sophos.

“You have a specific defined risk you are transferring to a third party, and you are transferring a specific type of financial impact to that third party,” says Ken Achenbach, a partner at the law firm Bryan Cave Leighton Paisner. “It isn’t a substitute for other protective measures and won’t make you whole for the inconvenience if something happens to your bank. But it can provide some financial help.”

It is essential for bank executives and directors to understand what their specific policy covers, along with its other key terms. “Cyber insurance is consistently evolving, and policies can vary widely,” says Jessica Slater, vice president of cyber for Brown & Brown, an insurance and risk management firm.

In general, a bank should have cyber insurance that includes both first-party and third-party coverage, Slater says. First-party coverage generally covers the expenses the bank itself incurs from a breach of its own network. For instance, it could cover losses if the bank’s business is interrupted by an attack. It could also cover costs such as credit monitoring if customer information is accessed, crisis management if the bank needs outside help, or data restoration. A first-party policy could also cover ransomware payments if the bank chooses to pay.

Third-party coverage addresses the costs of claims that others, such as vendors or customers, bring against the bank in connection with a breach at the bank. For instance, it could cover some of the bank’s costs of defending a lawsuit brought by a vendor or by customers. It could also pay regulatory fines or penalties levied against the bank, Slater says.

In general, a bank’s cyber insurance is meant to cover losses tied to breaches of the bank’s own systems, Achenbach says. Some policies may also respond when a vendor’s incident affects the bank’s systems or data, but other policy forms exclude coverage in those situations. Because of that, it is important for the bank to have protective terms in its contracts with vendors, such as information security covenants and requirements that the third party carry its own adequate insurance, Achenbach says.

Good cyber insurance is likely to pay for hiring an attorney or a forensics team to investigate what happened with a breach and why, says Scott Godes, a partner at the law firm Barnes & Thornburg. However, executives should not assume anything is covered in their policy. He notes that unlike other types of insurance, cyber is not nearly as standardized. “If you have seen one cyber insurance policy, you have seen one cyber insurance policy,” Godes jokes. “There continues to be a variety of terms and conditions.”

It’s difficult to generalize how much cyber insurance could cost a bank each year, Achenbach says. “It isn’t cheap compared to other coverage types — and has been getting more expensive — but exactly what a given policy could cost in any given case is based on a number of factors specific to that placement and so isn’t generalizable,” he adds.

Slater says that premiums jumped starting in 2021 due to an uptick in ransomware attacks, leading to volatility in the cyber insurance market. In 2024, the losses experienced by insurers leveled off, and the market stabilized. Since then, carriers have been offering more competitive rates with premiums trending down, she adds.

The cost of a bank’s cyber policy is usually influenced by several factors, Slater says. The first is typically the institution’s revenue, given that the insurer could be on the hook for at least partly making the bank whole if its operations are interrupted and its bottom line is affected. It also depends on the number of records with personally identifiable information the bank holds. That gives the carrier an idea of how much information could potentially be vulnerable if something happens. Finally, the insurer will also consider how mature the bank’s cybersecurity controls are and whether the institution has had a breach in the past.

Normally someone in the C-suite, such as a chief risk officer or a senior finance executive, handles finding and vetting cyber insurance options. However, a cybersecurity or information technology executive will likely be involved in the actual application. Applications can include detailed technical questions about the institution’s cyber defenses, and it is important that the bank answers accurately. If the bank’s answers are misleading or turn out to be false, the carrier could deny a claim later, says Steve Sanders, chief risk officer and chief information security officer at CSI, a provider of banking and risk management software.

Still, there are gaps. Only 1% of respondents said that their insurer funded 100% of the costs they incurred from a cyber event, according to the Sophos whitepaper. This research found that insurers typically paid 63% of the total costs related to a cyber event. The most common reason for a claim not being paid in full was that the costs exceeded the policy limit. Other reasons included that the costs were incurred without permission of the insurer or that the costs weren’t covered by the policy.

Fourteen percent of cyber insurance claims weren’t paid in full because the business lacked a defense the policy required, such as keeping systems patched, according to the Sophos report. “People love telling insurance companies whatever gets them good rates,” Sanders adds.

Board members should ask for a clear explanation of their bank’s coverage and the limits of the policy, Sanders says. He suggests that directors ask their chief information security officer to walk through realistic scenarios, using the bank’s own data, so they understand what a data breach at the bank could actually cost. This is useful because each bank’s situation is unique. “Banks don’t fit the models because they can differ widely in their business models and their risk,” Sanders adds.
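The scenario exercise Sanders describes, and the reasons the Sophos research gives for claims falling short (costs above the policy limit, costs incurred without the insurer’s permission, costs outside the policy), can be worked through with a simple model. The Python below is an added illustration, not code from the article, from Sophos or from any of the firms quoted; the policy terms, the cost line items and the bank are all constructed. It also assumes two common policy features the article does not discuss, a retention (the amount the bank bears before the insurer pays) and a per-category sublimit, so that a board can see how each term erodes the payout.

```python
"""Model of how a cyber policy's terms decide what an insurer pays.

Added illustration; the policy terms and cost figures below are constructed
for a hypothetical bank and are not taken from any real policy or claim.
"""
from dataclasses import dataclass, field


@dataclass
class CostItem:
    category: str
    amount: int                     # whole dollars
    covered: bool = True            # falls within one of the policy's insuring agreements
    insurer_consented: bool = True  # insurer approved the spend (e.g. panel counsel/forensics)


@dataclass
class Policy:
    limit: int                      # aggregate limit for the policy period
    retention: int = 0              # bank bears this much first (assumed term, not from the article)
    sublimits: dict = field(default_factory=dict)  # per-category caps inside the limit (assumed term)


def adjudicate(policy: Policy, items: list[CostItem]) -> dict:
    """Return the insurer-paid amount and the bank-borne shortfall, broken down by reason."""
    shortfall = {
        "not covered by policy": 0,
        "incurred without insurer consent": 0,
        "exceeded sublimit": 0,
        "retention": 0,
        "exceeded policy limit": 0,
    }
    eligible = 0
    used_sublimit: dict = {}
    for item in items:
        if not item.covered:
            shortfall["not covered by policy"] += item.amount
            continue
        if not item.insurer_consented:
            shortfall["incurred without insurer consent"] += item.amount
            continue
        amount = item.amount
        cap = policy.sublimits.get(item.category)
        if cap is not None:
            room = cap - used_sublimit.get(item.category, 0)
            allowed = max(0, min(amount, room))
            shortfall["exceeded sublimit"] += amount - allowed
            used_sublimit[item.category] = used_sublimit.get(item.category, 0) + allowed
            amount = allowed
        eligible += amount
    retained = min(policy.retention, eligible)       # retention erodes before the limit applies
    shortfall["retention"] += retained
    after_retention = eligible - retained
    paid = min(policy.limit, after_retention)         # aggregate limit caps what the insurer pays
    shortfall["exceeded policy limit"] += after_retention - paid
    total = sum(i.amount for i in items)
    return {
        "total_cost": total,
        "insurer_paid": paid,
        "bank_borne": total - paid,
        "insurer_share": round(paid / total, 3) if total else 0.0,
        "shortfall_by_reason": shortfall,
    }


# Constructed scenario: a ransomware incident at a hypothetical mid-sized bank.
SCENARIO_POLICY = Policy(limit=2_000_000, retention=100_000, sublimits={"extortion": 500_000})
SCENARIO_COSTS = [
    CostItem("forensics", 400_000),
    CostItem("legal", 250_000),
    CostItem("business interruption", 1_500_000),
    CostItem("data restoration", 300_000),
    CostItem("extortion", 800_000),                                  # ransom paid; capped by the sublimit
    CostItem("notification and credit monitoring", 200_000),
    CostItem("public relations", 150_000, insurer_consented=False),  # firm hired off-panel without approval
    CostItem("hardware replacement", 350_000, covered=False),        # system upgrades, not an insured loss here
]


def run_scenario() -> dict:
    return adjudicate(SCENARIO_POLICY, SCENARIO_COSTS)


if __name__ == "__main__":
    result = run_scenario()
    print(f"total cost    ${result['total_cost']:,}")
    print(f"insurer paid  ${result['insurer_paid']:,} ({result['insurer_share']:.0%})")
    for reason, amount in result["shortfall_by_reason"].items():
        if amount:
            print(f"  {reason:<34} ${amount:,}")
```

In this constructed scenario the insurer pays $2.0 million of a $3.95 million loss, roughly half, and the breakdown shows which term caused each piece of the shortfall. A CISO running the same model with the bank’s own cost estimates and its actual policy terms gives directors the concrete picture Sanders recommends, including whether the limit, rather than coverage, is the binding constraint.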

Slater says the board should focus on a few main questions when reviewing its cyber insurance: What does the bank’s overall risk profile look like, and how do the insurance limits compare to it? How is the bank demonstrating its cyber readiness? What does the bank do if a cyber incident occurs? And finally, how much does the bank rely on outside providers, and how would it respond if one of those third parties experienced a cyber incident?

Slater also notes that many insurers offer cyber readiness services, such as tabletop exercises, phishing training and incident response plan reviews, at no charge. In some cases, if the bank buys such services from the insurer’s preferred vendor, the insurer will offer a better premium.

“The board’s role is one of oversight and managing sound policy and business decisions,” Achenbach says. “You will see different boards getting involved in different ways with cyber insurance. But in general, they need to make sure that the bank has policies and procedures that are designed to ensure relevant employees are all aware of the cyber risks and appropriate steps are taken to mitigate those risks.”

WRITTEN BY

Jackie Stewart

Executive Editor

Jackie Stewart is the Executive Editor of Bank Director. She is responsible for writing and editing features for the company’s weekly newsletter and quarterly print magazine and oversees sponsored research reports. Jackie is particularly interested in community banking and M&A activity. She previously served in a number of reporter and editor roles with American Banker, including executive editor of American Banker Magazine. She has also covered retirement issues for Kiplinger and spent two years teaching middle school literacy in the Bronx, New York, through Teach For America.