September 1, 2015
Authored by: Jerry Blanchard and David Zetoony
Digging a tunnel for a mile so that El Chapo could slip into the shaft through his shower and disappear from a high-security Mexican prison is something you might expect a Hollywood screenwriter to come up with. Is it any more remarkable, though, than a cyber-criminal reaching all the way around the world to slip into a bank’s computer system, or a bank customer’s, in order to initiate a wire transfer?
We live at a time when individuals and criminal gangs can reach across oceans and national boundaries to initiate unauthorized transfers of funds. Bankers understand that this is a hot topic and that the risk of cyber-fraud is what is currently keeping regulators awake at night. While a great deal of attention is now being focused on how to keep cyber-criminals out of the bank, recent attacks on various public and private institutions illustrate how difficult it is to deny malefactors access.
In such an environment, bankers look to various risk management strategies, including insurance coverage in the event a breach occurs. The first question many banks raise is about their existing insurance coverage: are we already covered under any of the myriad existing policies we are required to maintain? For example, what about our general liability coverage? While there may be some exceptions, the typical general liability insurance policy that banks have traditionally purchased oftentimes contains an exclusion for losses incurred through data breaches or intrusions into bank networks. If your existing policy does not currently contain such an exclusion, it is highly likely that one will be added at your next renewal. Thus, it is important for bankers to understand not only what their existing policy does or does not cover but also where industry trends are headed.
Typical fidelity bonds are also problematic. Fidelity bond coverage typically covers losses resulting from dishonest or fraudulent acts by officers and employees, attorneys retained by the bank, and non-employee data processors while performing services for the insured. Various clauses of the bond also cover losses resulting directly from (a) robbery, burglary, misplacement, mysterious unexplainable disappearance, and damage thereto or destruction thereof, or (b) theft, false pretenses, or common law or statutory larceny committed by a person present in an office or on the premises of the bank. Other sections address losses arising from forgeries and counterfeit currency. Again, fidelity bonds typically do not cover the loss of information, such as customer social security numbers or the copies of tax returns provided to the bank in its underwriting process.
Having noted that existing insurance coverage may not address cyber risks, the question becomes: exactly what risks are we talking about? The losses that a bank seeks protection from fall into several categories. The first, appropriately enough, consists of “first party” losses, which are those directly incurred by the bank, such as notifying customers about the breach, investigating exactly how the breach occurred, and repairing damage to internal systems. “Third party” losses include the expense of defending the bank against lawsuits and payments to those who may have suffered damages as a result of the data breach, such as reimbursing a customer for funds transferred out of their account.
Cyber risk policies are not identical; there can be large differences between what individual policies cover and in their insurance limits. When analyzing a policy, items the bank should consider include:
- How many customers does the bank have now, and how many will it add in the near future? What are the expected costs of notifying all of those customers of a breach? How much will credit monitoring cost for that number of customers? You should also take into account additional call center support for dealing with affected customers. Underfunding call support is oftentimes what brings in additional regulatory and legislative attention.
- Regulatory expenses for dealing with a breach can be considerable. Not all cyber policies include regulatory coverage, and those that do may exclude coverage for investigations brought by the very regulator most likely to examine the bank. You will also need to factor in possible civil money penalties and consumer redress.
- Although most policies cover litigation, many exclude from their coverage the types of legal theories that consumers are most likely to assert. As a result, at best some insurers may try to apportion coverage only to some of the asserted claims. At worst, they may try to deny coverage altogether.
- You should pay particular attention to how “regulatory action” is defined. For example, is it restricted to situations where a regulator such as the FDIC threatens potential liability, or does it also cover investigations in which no monetary penalty is assessed? The expense can grow depending on how many regulatory agencies the bank must deal with. For example, are you dealing with just the FDIC, or with the FDIC, the CFPB, state regulatory agencies, and the Federal Reserve? A good ballpark figure in today’s environment is $250,000, although that number can fluctuate greatly depending on whether you are dealing with one agency or a multitude of them.
- Crisis management expense is oftentimes included as a separate category and can include the cost of retaining resources to assist the bank in responding to, and investigating, a data security incident, such as attorneys, forensic investigators, and public relations firms.
It is no secret that state and federal banking agencies are paying much more attention to the subject of cyber risks. In December of last year the New York Department of Financial Services notified New York-chartered banks that its IT examination will now focus on cyber insurance coverage and other third party protections. Sarah Bloom Raskin, Deputy Secretary of the Treasury, addressed the need for cyber insurance in a speech to the Texas Bankers Association, noting that over 50 carriers now offer some sort of cyber insurance product. She followed this up with comments in July to the ABA Summer Leadership Meeting, where she noted how important it is that “when it comes to cyber risk, banks should understand the coverage afforded by, and excluded from, the entirety of their insurance program, including the conditions and exclusions of their cyber risk insurance policy.”
As we noted above, there is as yet no “standard” cyber risk policy, and banks must know the right questions to ask to make sure that the coverage they need is what they are actually being offered. Our Financial Institutions and Global Data Privacy Security Teams are well versed in bank insurance and in the legal and regulatory risks presented by a data breach. We have assisted companies in analyzing the entirety of their insurance program and would be glad to assist you in reviewing existing coverage or guiding you as you look at future options.