The ingenuity of cyber threats is increasing rapidly. So are the premiums that community banks are paying for cybersecurity insurance.
Cyber criminals focus on two things, according to Jared Gentile, cyber lead for the financial institutions group at Travelers Insurance. “They’re financially motivated, and they’re constantly looking to modify the methods they use to perpetrate their attacks.”
Cyber insurance has been the go-to answer, but now, some bankers are balking at rising premiums.
For the first quarter of 2023, cyber insurance premiums increased by an average of 8.4%, according to the Council of Insurance Agents & Brokers (CIAB). This is far less than the 15.0% average hike in the last quarter of 2022, but it’s still a hefty sum.
While high premiums may be painful, most community bankers find paying preferable to the alternative: the financial, reputational and regulatory damage of an attack. As premium costs rise, however, it’s important to make sure your policy covers
the range of threats out there so you get the proper help in the event of a catastrophe.
Emerging cyber threats to community banks
New threats range from escalations of traditional ransomware attacks (see sidebar below) and phishing scams enabled by AI to third-party exposure and “bricking.”
Travelers, for instance, has added coverage for bricking, the term for an attack in which “bad actors are able to damage equipment to the point where it can no longer be used … and becomes about as useful as a brick,” says Gentile.
While traditional cyber policies cover the costs of data restoration and notifying customers that a breach occurred, bricking provisions can cover the replacement of equipment that is now useless, he says.
Another potential threat stems from phishing attacks enabled by bad actors using AI to steal identities. ChatGPT and other generative AI tools have given criminals the ability to convincingly mimic speech patterns and other identifying information.
Finally, an area of growing concern is cyberattacks striking third-party vendors critical to a community bank’s operations.
Sean Gremillion, senior vice president of underwriting at Resilience, a managing general agent with underwriting authority from an insurer, recommends vendor interruption coverage to help community banks pay for problems stemming from a third-party vendor
finding itself under attack.
“Threat actors are looking for known vulnerabilities in your systems. But so are we.”
—Jared Gentile, Travelers Insurance
A virtuous circle
Cyber insurance policies don’t just provide financial assistance for new types of emerging threats. Some include pre-breach risk reduction services like support for incident response planning and disaster recovery testing. Others will provide active monitoring of their policyholders to alert them of novel threats and help patch that discovered vulnerability. Overall, cyber insurance policies help community banks strengthen their own cybersecurity efforts.
Like joining a gym or signing up for an adult education course, taking action brings its own benefits. For community banks, acquiring cyber insurance makes an institution less likely to fall prey to hackers or other bad actors.
“Buying cyber insurance makes you a better risk, because the insurance companies aren’t going to [underwrite] you unless they have a degree of confidence you’re doing the right things,” says David Anderson, vice president, cyber liability, at Woodruff Sawyer, an insurance brokerage and consulting firm.
“The cyber insurance underwriting process is extremely detailed and makes sure that all your ducks are in a row,” he explains. Insurance providers also coach community banks on the latest threats.
And when a community bank does fall prey to a cyberattack, Travelers and other insurance carriers are “able to coordinate and engage and employ lawyers, forensic accountants, data restoration experts and PR advisors—within hours,” says Gentile.
Travelers also engages in “betterment,” its term for improving a bank’s systems to prevent future attacks.
“After a claim,” says Gentile, “if a bank still has information security vulnerabilities or an infrastructure issue, we want to partner with them to help reduce the financial burden of making those improvements, with the mutual goal of reducing the threat of a future attack.”
As the insurer–customer relationship evolves, community bankers are finding that their cyber insurance agent is not only selling protection against known threats. It has become a partner that can help ward off future threats.
“Threat actors are looking for known vulnerabilities in your systems,” Gentile concludes. “But so are we.”
Ransomware: how a threat can morph
One of the reasons the price tag for ransomware attacks is so difficult to calculate? No one knows how large a ransom demand will be.
According to David Anderson, vice president, cyber liability, at Woodruff Sawyer, financial institutions possess extremely valuable information and so the ransoms are typically quite high.
Historically, some banks have refused to pay ransoms, trusting in their backups and their ability to restore their own systems. However, that may need to change.
“[Some ransomware groups] have begun saying, ‘We have everyone’s information,’” notes Anderson. “‘If you don’t pay the ransom, we’re going to publish it all over the dark web, we’ll sell it to criminal operations, and customers [may] start experiencing identity theft and other losses.’
“The ransomware threat,” he says, “just continues to get more horrific.”