According to NetDiligence’s 2015 Cyber Claims Study, the average number of records exposed in a data breach has climbed from 1.4 million in 2012 to 3.2 million in 2015, and the financial services sector remains a popular target (with 17 percent of data breaches, second only to the healthcare sector with 21 percent). As a result of this growing degree and complexity of risk, the landscape of cyber-liability and cyber-security insurance is undergoing dramatic change. “The coverage that’s available in this area is in greater flux than any area since the product liability insurance crisis in the 1980s,” said Mark Foley, attorney at von Briesen & Roper, s.c. “About a dozen of the major companies writing cyber-security coverage are reviewing their policies on an annual or semiannual basis for changes in coverage.”
This accelerated evolution requires bank directors and management to reassess their coverage on a much more frequent basis than in the past. Many D&O policies offer coverage for significant expenses associated with cyber-liability, but typically do not include post-breach response assistance. Because of that, more community banks are purchasing specialty insurance to protect the institution. According to Jeff Otteson, vice president of sales at Midwest Bankers Insurance Services (MBIS), roughly 50 percent of institutions purchase a separate specialty cyber-liability and crisis management expense policy. In order to make an informed decision regarding the bank’s cyber-liability and cyber-security insurance, management and the board of directors must first understand their options and then undergo an assessment to determine the best coverage for their institution’s unique needs.
Understand Your Options
It’s important for bank management to understand that cyber-liability coverage is not simply coverage for e-banking services. Nicholas Economidis, E&O underwriter at Beazley, a specialist insurer, clarified this common misconception. “Cyber-liability is about coverage for liability associated with a loss, theft or unauthorized disclosure of information, as well as for expenses associated with a data breach event,” he said. The two basic classifications of coverage are first- and third-party. Foley explained that first-party insurance protects the institution against its own losses and expenses related to a breach, whereas third-party coverage protects against claims by third parties (such as the bank’s customers, affiliates, or service providers) for losses they suffer because of a data breach at the bank. “You need both first- and third-party coverage in connection with a data breach,” Foley advised. One benefit of choosing a policy with both first- and third-party coverage is that it avoids overlapping policies with the bank’s other insurance carriers. “Overlapping policy language can lead both to unnecessary and expensive duplication of coverage or to dangerous coverage gaps and disputes,” Foley added.
Due to the complex nature of cyber-security, there is a wide variety of coverages available to financial institutions, each with its own merits. “Many bankers feel that all cyber-liability policies are created equal, but they’re not,” said Otteson. “Each carrier has unique policy language, limit structure, exclusions and pre- and post-breach risk management offerings or services.” That variety means it is critical for bank management and directors to ask questions and thoroughly review their options. “The most important thing for directors is to make sure they understand the nature, likelihood, and potential ramifications of all the risks and therefore all of the types of coverage that they could purchase so that they’re making an informed decision as to which ones to buy,” said Foley.
Economidis suggested looking for three different coverage features. One important type of coverage to consider is regulatory defense and penalties coverage, preferably provided on a duty to defend basis. “Financial institutions are heavily regulated and may be subject to regulatory scrutiny after a breach event,” Economidis said. He also recommended seeking coverage for breach response services provided outside the limit of liability available for defense and indemnity of a claim, as well as a careful exploration to determine what coverage is offered to the bank in the event a third-party vendor they use suffers a breach or loss of information in their care. Otteson recommends bank management also consider each policy’s limit structure with regard to the liability limits and the crisis management expense limits. Typically, crisis management expense limits include forensics, credit and identity monitoring, public relations and notification expenses after a breach. Some policies offer separate “towers” of coverage limits, which will not erode the liability limit. Otteson said that when the expense limits are shared with the liability limit, community banks should increase their liability limit in proportion with the expense limit.
Follow a Selection Process
Each institution has unique coverage needs, so assessing policies will be different. However, establishing a set procedure for identifying the bank’s needs and risk tolerance and evaluating policy options will make the renewal process much smoother. “The nature of the risk is changing quickly, so the nature of the insurance that’s available is also changing quickly,” said Foley. “It’s not just a matter of looking at whether the premium has changed when it comes time for renewals.” He advised boards to do an in-depth review of the bank’s coverage at least annually.
The first step in such a review should be to forecast the bank’s expected losses and determine its risk tolerance. “Banks should attempt to forecast the expected loss associated with a data breach event both from a worst-case scenario as well as a probable-loss scenario,” said Economidis. “Then, with these figures in mind, banks should consider how much risk they are comfortable retaining, and seek to purchase insurance for the remaining risk.” Otteson advises bank management to also consider the number of customers the institution has (including past customers, current employees, and past employees), as that drives the cost for notifications after a breach, along with the cost of credit and identity monitoring. Economidis also recommended using benchmarks as a litmus test regarding the amount of coverage that institutions of similar size have purchased. “This benchmarking process can provide a reality check for the loss forecasts generated earlier in the process,” he said.
Perhaps the most important step in any cyber-liability coverage assessment is determining what isn’t covered under a particular policy. “Businesspeople typically don’t know what a policy does not cover,” Foley said. He explained that confusion results from both new technology terms unfamiliar to senior management and state-of-the-art insurance terms which have been litigated for decades – sometimes centuries – and require a level of expertise that most individuals outside the industry haven’t acquired.
Get Expert Advice
Obtaining the services and advice of external experts, such as a broker or lawyer, is crucial for a thorough and successful review of the bank’s cyber-liability and cyber-security insurance coverage. “Because the changes are so fast and furious, you should work with a broker, consultant, or lawyer who knows this area and can help you assess what you need and help you find someone who’s offering it,” Foley said. “Foremost, work with a broker that has expertise in cyber-liability,” Economidis agreed. “After that, attain quotes from key markets and work with your broker to understand the key distinctions between various offerings.” In addition to external expertise, Otteson highly recommends that bank management involve their IT Department when doing carrier reviews and due diligence. “As the climate changes and exposures become greater, a best practice would be for community banks to engage their IT experts regarding their cyber exposures and the policies the bank purchases,” he said. Involving the bank’s IT experts in the insurance assessment may also lead management to better understand which vulnerabilities can be rectified through technical or policy means, and which risks require insurance because they cannot be fully mitigated by the bank.
Bank management should ensure that the board of directors understands that they cannot – and should not – assume the bank can handle a data breach internally. “The biggest mistake insured and potential insureds make is assuming that they’re prepared to handle a data breach event,” said Economidis, noting that most institutions have little, if any, experience handling such events and are therefore ill-equipped to do so effectively or efficiently. “Institutions should seek insurers, or other partners, with significant breach experience for assistance with a breach event,” he said. “Every bank should have a written computer incident response and investigation plan that is practiced and updated at least annually.” In short, don’t handle a breach event alone.
Seitz is WBA communications coordinator.