Serving on a bank board comes with a lot of liability. State courts have decided that even independent, part-time directors can be guilty of gross negligence when their banks fail, for example. Directors often get sued by shareholders following an acquisition. And regulatory authorities can levy their own fines against individuals who serve on bank boards for the bank’s violations of regulatory rules. Bank Director magazine talked to Dennis Gustafson of AHT Insurance about the trends of particular interest to the board, such as directors and officers (D&O) liability insurance and cyber policies.
What trends are you seeing in claims?
We are seeing a shift. Last year at this time, the number one D&O claim was from the Federal Deposit Insurance Corp. (FDIC) relating to failed banks. A lot of these banks failed three to six years ago, so we are starting to see a decrease in those claims and M&A claims are on the rise as M&A activity heats up and as attorneys find opportunities to sue. If you are a public company getting acquired and have a market cap of greater than $100 million, there is a 97 percent chance of a lawsuit. The allegations are you didn’t do enough due diligence, you didn’t get a high enough price or you didn’t notify [shareholders] in an appropriate manner. Typically, the only impact of the lawsuit is an updated proxy statement but $500,000 to $1 million could be spent, mostly on legal fees. For those banks with more than $1 billion in assets, if there is any likelihood of the bank being acquired, the underwriter may require a separate, and higher, deductible for M&A claims.
Another shift in claims trends is in the cyber liability arena. It used to be the most frequent cyber claim was for notification costs after a breach of cybersecurity, because state laws require you to notify your customers of a breach. However, since more states are allowing for e-mail notification, the notification costs are decreasing and as such, so is the claim severity related to those notifications. In lieu of notification costs, we are seeing more and more claims relating to forensics, where the bank has to investigate the breach, why it happened and how, and sometimes hiring consultants to do these investigations can get very expensive.
What coverages are afforded in a typical cyber insurance policy?
In addition to coverage for notification costs and forensics, the typical cyber liability policy reacts to a lawsuit or demand from a customer or group of customers arising from a breach in network security. From there, coverages can differ based on the policy form and options offered. Some additional extensions of coverage include:
- when a hacker accesses your client information and requests a ‘consulting fee’ or they will release the information
- loss of revenue stemming from a network breach
- a breach of physical security (i.e. dumpster diving or a lost laptop)
What changes are you are seeing from underwriters?
In previous years, most underwriter questions related to asset or loan quality. Now, we are seeing more questions related to the Bank Secrecy Act, wire transfer policies, and anti-money laundering programs. Common questions include: For wire transfers, what policies are in place relating to call backs [to confirm the authenticity of the transfer]? What controls do you have in place to protect the bank against money laundering? Are there any new hires or new procedures relating to bank secrecy?
What question do you hear most from bank directors?
The question I get most is about the gap in coverage for civil money penalties. The civil money penalty is assessed by the FDIC against the bank or against individuals if the FDIC perceived that those individuals did not work in the best interest of the customer. The most common allegation is gross negligence and more often than not, it is related to a loan or to a bypass in procedures. The FDIC put out a letter last October explicitly clarifying that if bank directors or officers were assessed a civil money penalty, they cannot be covered by the bank’s insurance or be indemnified by the bank. With that said, it would not be out of compliance with the guidelines if the individual were to purchase a policy on his or her own dime just to cover civil money penalties. The average civil money penalty was $51,250 and the median was $25,000 since 2012. The FDIC assesses the vast majority of these penalties.
Why should directors be worried about civil money penalties?
Most people do not join a board of a community or regional bank for the little or no compensation they may earn. The last thing they want is to have any of their decisions or activities possibly cost them out of pocket.