3 Common Insurance Gaps at Banks

Written by

Banks must take risk management seriously – and part of managing risk is properly insuring property and casualty risk. Below are the three critical, yet commonly overlooked, areas that institutions should be aware of in addressing their property and casualty insurance program.

1. Think Deeply About the Bank’s Entire Risk Profile
Banks are a complicated risk entity without a cookie-cutter insurance blueprint. The bank business model makes banks a natural target for criminal acts, while daily operations leaves the bank exposed to a host of liability claims. We have also recently seen an increase in regulatory scrutiny related to banks, especially banks’ cyber exposure. Another factor working against the bank is the lack of set standards, guidance and/or oversight of their insurance program. These factors combined make banks particularly complicated to insure competently.

It is imperative that banks consider the entirety of their risks in ensuring they have appropriate coverage and limits. Risk factors to consider include ownership structure, recent financial performance, geographic location, loss history, makeup of the board and management, business model and growth projections. When these factors are considered together, a bank can more completely insure its risks as many of the core coverage lines (and policy forms) are unique only to commercial banks.

2. Cyber Exposure Needs to Be Addressed Under Three Separate Policies
When most banks hear cyber insurance, they think of their cyber liability policy. Most carriers consider this computer systems fraud and it is intended to respond to electronic claims when the bank’s funds are lost or stolen. A typical non-bank cyber liability policy will also include a crime component for electronic losses like fraudulent instruction and electronic funds transfer fraud.

However, there are additional coverages specifically available to banks for cyber loss. The second is the bank’s FI Bond. This is a broader policy and can carry much higher limits. Other coverages under the FI Bond include computer systems fraud such as hacker and virus destruction, as well as voice initiated transfer fraud. There is also an option to insure “social engineering” claims through the bond FI policy.

The third policy that may apply in a cyber loss is the bankers professional liability (BPL). If a bank does not carry social engineering on their bond and a customer’s account is hacked through its own system (opposed to the bank’s) the FI bond likely will not cover the customer’s stolen money. A BPL may provide coverage for depositor’s liability in this case.
Bank should make sure that all three of these policies have adequate limits, do not have overlapping coverage, and also do not leave any gaps in coverage.

3. The Areas of Greatest Exposure
Although cyber and D&O are often the first two areas of insurance a bank focuses, we believe more attention should be paid to the bankers professional liability policy. In the most basic sense, BPL covers the bank for losses arising from any service the bank provides to a customer, aside from lending activity. It’s often colloquially called Bankers E&O and is essentially broad form negligence coverage.
Conversely, lender liability is intended to cover that which BPL excludes: wrongful acts arising from a loan or lending activity. It is important that banks have lender liability included within the BPL.

There are two main reasons BPL/lender liability are important:
1. The most frequent claim for banks falls under the BPL/lender liability. In 2021, 51% of bank liability claims fell under BPL or lender liability. Cyber liability and D&O claims constituted 8% and 12% of claims, respectively.
2. Since they are usually insured under the same insuring agreement, they also usually share one limit. A borrower suit that turns into a paid claim would also erode the BPL limit.

Most peer group average BPL and lender liability limits are relatively low; it’s recommended that banks keep their limit at or slightly above average, at a minimum.

Given the complex factors above, how can you know if your bank is protected? Consider the following questions:

  • Are my financial institution and its officers protected from all the types of risk that could hurt us?
  • Do I have a partner I trust to complement my unique business and offer integrated solutions that offer the right amount of coverage?
  • How much time, productivity and fees does it cost the bank to have relationships with multiple brokers and advisors?

Insurance is complex. Threats to the security of your financial organization are ubiquitous. You should have an expert to help you navigate the process and build a tailored solution for your institution.

Cybersecurity: What You Need To Know

Written by


cybersecurity-10-29-18.pngAsk most top bankers one thing that keeps them up at night, and many of them will say cyber threats and risks to their company’s cybersecurity is chief among them.

Even the biggest banks wrestle with this important issue, and breaches can have serious financial, reputational and regulatory ramifications.

security-10-29-18-tb.pngBasic Cybersecurity Protections
For most companies, the question of a cyber-attack is when or how many, not if. There are basic protections to have in place to prepare and defend against the risk of an event, but with ongoing and persistent risk of threats, its best to have a strategy practice for any potential event.

data-10-29-18-tb.pngUse Data To Protect Data
To mitigate the risks of cyber events and threats, using data-based model can be effective. Data can quantify the risk to the institution and make regulatory reporting more efficient. It can also make the threat identification process more efficient by highlighting areas of risk more easily.

cyber-10-29-18-tb.pngWhat is “Threat Intelligence?”
One of the toughest challenges in cybersecurity is maintaining an edge against potential attackers who are continually making their attempts more sophisticated and difficult to defeat. One way many companies maintain that edge is to collect and use “threat intelligence,” which is information that can help prepare and preempt potential incoming cyberattacks. But, you have to use the intelligence effectively.

talent-10-29-18-tb.pngThe Cybersecurity Talent Threat
Research, including that conducted by Crowe and Bank Director, has indicated that bank executives and boards have concerns about the capability and readiness of the bank and its employees to identify, prevent and respond to cyberattacks. Regardless of asset size, there are ways to find and prepare your employees for real and perceived threats.

finances-10-29-18-tb.pngFinancial implications
Just one breach can cost a company millions of dollars and untold more in other areas, potentially wiping out any projected revenue gains for the quarter, or longer. Analyses conducted my major firms have estimated a wide range of potential per-record costs for data breaches, making it difficult to truly project what any single event could carry in terms of financial impact. But some have been estimated to cost tens of millions of dollars, making the threat highly worrisome.

Cybersecurity should be if it is not already among the pinnacle talking points and areas of focus for your board. Without that preparation and ongoing discussion, your institution can find itself at risk that can harm your customers and your institution. But remember there is plenty of opportunity to prepare, secure yourselves and respond in the event of a cyber event.