Some banks have relied on their existing insurance policies to protect them from today’s security threats. But as the amount of consumer and employee data that community banks amass grows, financial institutions should consider dedicated cyber policies to help them withstand a data breach or hack.
By Katie Kuehner-Hebert
When a bank suffers a cyberattack and both customer data and money are stolen, multiple types of insurance can kick in. However, the jury is still out on the amount of financial losses that can be covered, or, in cases like theft from social engineering, if the loss can be covered at all.
Cyber insurance is intended to cover the cost of incurring liability from the theft of customer and/or employee data. Policies typically pay banks to investigate breaches and notify people if their information was exposed or stolen, and many policies will also cover the bank’s defense costs of any legal actions that stem from that.
On the other hand, crime insurance, in the form of a financial institutions bond, typically covers loss of funds from cyberattacks, though there are disputes about exactly how much, if any, this should be depending on the type of fraud.
Losses the National Bank of Blacksburg suffered after fraudsters obtained customer data
Take the case of The National Bank of Blacksburg v. Everest National Insurance Co. The $1.2 billion-asset bank in Blacksburg, Va., suffered nearly $2.5 million in losses when fraudsters obtained customer information by hacking into its computer system on two separate occasions. This enabled the criminals to illegally withdraw customer money, post fake deposits and remove nefarious transactions from the targeted accounts, according to the bank. However, the bank says that no customer plastic card or debit card information was stolen.
But after the National Bank of Blacksburg filed a claim, the insurer denied it under the computer and electronic (C&E) crime rider of the bank’s financial institution (FI) bond. Everest National Insurance Co. said that the rider excludes coverage for “loss resulting directly or indirectly from the use, or purported use, of credit, debit, charge, access, convenience or other cards … in obtaining credit or funds” or “loss involving automated mechanical devices.” Instead, the insurer claims that the losses fall under the bank’s FI bond debit card rider, which has a much lower $50,000 single-loss limit than the C&E crime rider’s $8 million single-loss limit.
Action points for community banks
The court never ruled on whether the insurer’s interpretation was correct: the case reached a settlement and was dismissed earlier this year.
According to a November 2018 report by two New York City-based Marsh brokers, Thomas Orrico, the financial institutions Center of Excellence practice leader within Marsh’s FINPRO practice, and Ben Zviti, a senior vice president and financial institutions cyber/crime leader, “Financial institutions with plastic card and ATM exposure should consider seeking to amend the plastic card and ATM exclusions in those policies during upcoming renewals.” The report continued: “The simplest remedy to the FI bond may be to add carve-backs to both exclusions for losses covered under the computer system fraud insuring agreement.”
Community banks should consult with their brokers, who will have expertise about the suite of coverages pertaining to cyberattacks, to ensure they have appropriate coverage to mitigate those risks, Zviti said in an interview. “It is worthwhile to take a deep dive into policies with insurance professionals to make sure what is covered and what is not, in order to identify gaps,” he adds.
Before and during such meetings with their brokers, Zviti advises community bankers to think about the different scenarios “that keep them up at night” and then map those things out to match the particular risks with particular policies.
Before every annual renewal, the Marsh brokers typically conduct strategy meetings with clients, informing them about the latest fraud trends, how insurers are responding and then how clients could be exposed to each risk, Zviti says. That forms a strategy for renewal, identifying new coverages that could apply to specific client needs.
Zviti says it’s a “thoughtful, deliberate process” that requires a meeting with key individuals from risk management at the client’s organization, and sometimes from finance and IT. “It’s a worthwhile process to talk about the different risks, and then find the best solutions for the client,” he says.
Minding the social engineering gap
Another challenge for banks is recovering a loss of funds from social engineering fraud, as currently there are gaps in coverage for such claims.
Social engineering is a type of fraud in which the criminal impersonates a customer and then either emails or calls a bank employee requesting that funds be transferred to another account. Because the bank employee was duped and voluntarily complied with the request, some insurers deny the claim for the resulting loss of funds under their crime policy on the grounds that there was a “voluntary transfer.”
If properly endorsed with a social engineering endorsement, however, crime policies can cover the stolen funds, says John Farley, the managing director of cyber liability practice at Arthur J. Gallagher in New York City. But without that endorsement on the crime policy, there would likely not be coverage for the lost funds. “But now these types of claims are happening every single day,” Farley says, “so some carriers are now including loss of funds from social engineering in their cyber policies.”
Which vendors are included?
Cyber insurance policies across the industry typically pay for preapproved vendors to handle the aftermath of a cyberattack after the carrier is first notified, Farley says.
Vendors may include an outside privacy attorney to help draft customer breach notification letters if necessary, or an IT forensics investigation firm to track a hacker’s footprints to determine how they got into the network, what data was stolen and whether the hacker is still in the network. Other vendors covered by a cyber insurance policy include companies that can handle large volumes of customer calls and notification mailings if a bank doesn’t have that capability, as well as vendors that can provide crisis management services if a bank doesn’t have the public relations specialists to handle such events.
Staff (specifically risk management and IT) should familiarize themselves ahead of time with the preapproved breach response vendors provided to policyholders to expedite the bank’s incident response, says Emily Lowe, vice president in Willis Towers Watson’s Boston office.
“Many vendors also offer pre-breach services, such as penetration and phishing testing, and consulting services to develop incident response plans,” she says. “If your bank is already engaged with a vendor, let your broker know so that the carrier will approve them, though that does depend on the policy.”
The biggest thing to keep in mind, says Lowe, is that cyber insurance deals with the confidentiality, integrity and accessibility of data and does not cover the value of money. Crime insurance deals with loss of money, whatever form that might take, including securities. “When you think about cyber insurance, you’re looking to cover anything that could compromise the confidentiality, integrity and accessibility of your data,” Lowe says.
A typical cyber insurance policy is intended to cover liability for compromising any personally identifiable information and any corporate confidential information under a bank’s control, she says. These policies also cover the liability of managing a computer network, as well as managing paper records that a bank may still process. Such policies cover employees’ personal data, including sensitive information from background checks when hiring them.
Lowe says, “Both cyber and crime policies play a role in robust risk management programs for community banks.”
Fast-tracking cyber policy underwriting
Thanks to the latest advancements in technology, the underwriting process for cyber insurance policies has vastly improved, says John Farley, managing director of cyber liability practice at Arthur J. Gallagher in New York City.
“In the past, an insurance company would send a company wanting a cyber policy a questionnaire of 50 questions that were difficult to answer, and the company would hope they were giving the correct answers to get the policy,” he says. “It was a very cumbersome process.”
Now, some insurance companies are using software that enables them to conduct their own analysis of the prospective client without having to talk to them or have them complete a questionnaire, Farley says. Insurers may use scanning techniques to analyze the prospective client’s externally exposed network ports, to see whether they are vulnerable enough to let a hacker in, and to determine which other cyber security controls might be lacking.
With these new capabilities, insurance companies can make an informed decision in seconds, Farley says. If controls are substandard, clients may still be able to get their policies underwritten, but they may have to pay higher premiums. “After they get the policy, if an insurer subsequently discovers a network access point that is not secure, the insurer may request that the client patch it,” he adds.
If the client doesn’t remediate it, the policy may not be renewed. According to Farley, it all depends on the wording of the policy.
“Companies should read their policies very carefully,” he says. “At the very least, a carrier may not renew the policy if no action is taken to remediate the issue.”
Katie Kuehner-Hebert is a writer in California.