Why your bank needs dedicated cyber insurance

When a bank suffers a cyberattack and both customer data and money are stolen, multiple types of insurance can kick in. However, the jury is still out on the amount of financial losses that can be covered, or, in cases like theft from social engineering, if the loss can be covered at all.

Cyber insurance is intended to cover the cost of incurring liability from the theft of customer and/or employee data. Policies typically pay banks to investigate breaches and notify people if their information was exposed or stolen, and many policies will also cover the bank’s defense costs of any legal actions that stem from that.

On the other hand, crime insurance, in the form of a financial institutions bond, typically covers loss of funds from cyberattacks, though there are disputes about exactly how much, if any, this should be depending on the type of fraud.

Take the case of The National Bank of Blacksburg v. Everest National Insurance Co. The $1.2 billion-asset bank in Blacksburg, Va., suffered nearly $2.5 million in losses when fraudsters obtained customer information by hacking into its computer system on two separate occasions. This enabled the criminals to illegally withdraw customer money, post fake deposits and remove nefarious transactions from the targeted accounts, according to the bank. However, the bank says that no customer plastic card or debit card information was stolen.

But after the National Bank of Blacksburg filed a claim, the insurer denied it under the computer and electronic (C&E) crime rider of the bank’s financial institution (FI) bond. Everest National Insurance Co. said that the rider excludes coverage for “loss resulting directly or indirectly from the use, or purported use, of credit, debit, charge, access, convenience or other cards … in obtaining credit or funds” or “loss involving automated mechanical devices.” Instead, the insurer claims that the losses fall under the bank’s FI bond debit card rider, which has a much lower $50,000 single-loss limit than the C&E crime rider’s $8 million single-loss limit.

Action points for community banks

The court had not determined if the insurer’s interpretation was correct, and the case reached a settlement and was dismissed earlier this year.

According to a November 2018 report by New York City-based Marsh brokers Thomas Orrico, the financial institutions Center of Excellence practice leader within Marsh’s FINPRO practice; and Ben Zviti, a senior vice president and financial institutions cyber/crime leader, “Financial institutions with plastic card and ATM exposure should consider seeking to amend the plastic card and ATM exclusions in those policies during upcoming renewals.” “The simplest remedy to the FI bond may be to add carve-backs to both exclusions for losses covered under the computer system fraud insuring agreement,” the report continued.

Community banks should consult with their brokers, who will have expertise about the suite of coverages pertaining to cyberattacks, to ensure they have appropriate coverage to mitigate those risks, Zviti said in an interview. “It is worthwhile to take a deep dive into policies with insurance professionals to make sure what is covered and what is not, in order to identify gaps,” he adds.

Before and during such meetings with their brokers, Zviti advises community bankers to think about the different scenarios “that keep them up at night” and then map those things out to match the particular risks with particular policies.

Before every annual renewal, the Marsh brokers typically conduct strategy meetings with clients, informing them about the latest fraud trends, how insurers are responding and then how clients could be exposed to each risk, Zviti says. That forms a strategy for renewal, identifying new coverages that could apply to specific client needs.

Zviti says it’s a “thoughtful, deliberate process” that requires a meeting with key individuals from risk management at the client’s organization, and sometimes from finance and IT. “It’s a worthwhile process to talk about the different risks, and then find the best solutions for the client,” he says.

Minding the social engineering gap

Another challenge for banks is recovering a loss of funds from social engineering fraud, as currently there are gaps in coverage for such claims.

Social engineering is a type of fraud in which the criminal impersonates a customer and then either emails or calls a bank employee requesting that funds be transferred to another account. Because the bank employee was duped and voluntarily complied with the request, some insurers sometimes deny the claim for resulting loss of funds under their crime policy because there was a “voluntary transfer.”

If properly endorsed with a social engineering endorsement, however, crime policies can cover the stolen funds, says John Farley, the managing director of cyber liability practice at Arthur J. Gallagher in New York City. But without that endorsement on the crime policy, there would likely not be coverage for the lost funds. “But now these types of claims are happening every single day,” Farley says, “so some carriers are now including loss of funds from social engineering in their cyber policies.”

Which vendors are included?

Cyber insurance policies across the industry typically pay for preapproved vendors to handle the aftermath of a cyberattack after the carrier is first notified, Farley says.

Vendors may include an outside privacy attorney to help draft customer breach notification letters if necessary, or an IT forensics investigation firm to track a hacker’s footprints to determine how they got into the network, what data was stolen and whether the hacker is still in the network. Other vendors covered by a cyber insurance policy include companies that can handle large volumes of customer calls and notification mailings if a bank doesn’t have that capability, as well as vendors that can provide crisis management services if a bank doesn’t have the public relations specialists to handle such events.

Staff (specifically risk management and IT) should familiarize themselves ahead of time with the preapproved breach response vendors provided to policyholders to expedite the bank’s incident response, says Emily Lowe, vice president in Willis Towers Watson’s Boston office.

“Many vendors also offer pre-breach services, such as penetration and phishing testing, and consulting services to develop incident response plans,” she says. “If your bank is already engaged with a vendor, let your broker know so that the carrier will approve them, though that does depend on the policy.”

“Both cyber and crime policies play a role in robust risk management programs for community banks.”

—Emily Lowe, Willis Towers Watson

The biggest thing to keep in mind, says Lowe, is that cyber insurance deals with the confidentiality, integrity and accessibility of data and does not cover the value of money. Crime insurance deals with loss of money, whatever form that might take, including securities. “When you think about cyber insurance, you’re looking to cover anything that could compromise the confidentiality, integrity and accessibility of your data,” Lowe says.

A typical cyber insurance policy is intended to cover liability for compromising any personally identifiable information and any corporate confidential information under a bank’s control, she says. These policies also cover the liability of managing a computer network, as well as managing paper records that a bank may still process. Such policies cover employees’ personal data, including sensitive information from background checks when hiring them.

Lowe says, “Both cyber and crime policies play a role in robust risk management programs for community banks.”