Per a recent CyberEdge Group report, 70 percent of 800 surveyed cybersecurity decision makers reported that their network had been breached, up from 62 percent the year before. Additionally, we have found that the vast majority of hacking incidents are financially motivated, which makes banks far more likely targets than, for example, utilities.
When presenting this trend to bankers, I often hear: “We are a smaller bank, so we are less likely to get hacked.” In actuality, the opposite can be true: most cyberattacks are aimed at smaller companies whose cybersecurity measures are less sophisticated.
At the 2014 Cybersecurity Roundtable, Securities and Exchange Commission (SEC) Chairman Mary Jo White stressed how critical cybersecurity is to this country’s infrastructure. Included at that presentation was an SEC-issued 28-point document outlining sample lists of information the agency may request during a cyber breach investigation, including copies of security policies and business continuity plans, proof of cyber insurance, and procedures for verifying the authenticity of funds transfers.
Cyber Liability Insurance and Impact on D&O Liability
When it comes to utilizing insurance to address and respond to cyber risk, there are two areas a bank should be concerned about:
- The expense and liability that can arise in the wake of a cyberattack. (Cyber insurance should cover this.)
- The liability of the board arising from perceived mismanagement of the bank’s cybersecurity that led to the attack. (Directors & officers liability insurance, or D&O, should cover this.)
With regards to cyber liability insurance, it is helpful to understand that there are many coverage components available and not all of them are necessary for every bank. Typical cyber components can include:
- Network liability: Responds to a claim against the bank (including the legal costs and settlements) that results from a breach in network security.
- Regulatory coverage: Responds to costs associated with a regulatory investigation.
- Crisis management: Can include public relations response to mitigate reputational risk.
- Security breach remediation: Can cover the costs of notification, forensics in response to a breach, and credit monitoring. This category generates the highest number of cyber liability insurance claims.
- E-business interruption and additional expense: Reimburses lost revenue and the expenses incurred to make the bank whole (e.g. hiring an additional network support team).
- Network extortion: Reimburses a company for amounts paid to a third party (e.g. the extortionist) or for expenses incurred to prevent the extortion event from occurring.
When a bank is considering the purchase of a cyber policy, it should weigh all of its exposures to ensure that it selects the coverage most appropriate for the institution.
Your bank’s cyber risk may also factor into the underwriting of your D&O liability insurance. We are seeing a sharp increase in interest from D&O underwriters regarding a bank’s cyber controls. In a recent AHT Insurance survey, we asked 75 D&O underwriters about their level of concern. All 75 said a company’s cyber risks will factor into D&O underwriting, and 60 percent called it a major concern.
We also asked what additional underwriting questions they have regarding cyber liability. These are the questions underwriters typically ask:
- Please discuss your internal controls and safeguards regarding cybersecurity, and whether you insure that risk on a separate tower (i.e. under a separate policy).
- Do you currently carry cyber insurance and how robust is your IT security?
- What is the company doing to address cyber exposure?
- What is the threshold for board level involvement and public disclosure for cyber events?
- Who is responsible for updating the board on privacy/cybersecurity concerns and how often do they report to the board?
What Can a Bank Do?
Cybersecurity needs to be a discussion at the board level and should no longer be thought of as solely an IT function. Board minutes should reflect that cybersecurity was a regular discussion point. Protecting the company’s own network is also not enough: regulators are increasingly asking how a bank monitors the cyber risk of its vendors.
In summary, cybersecurity needs to be a company-wide risk strategy that permeates the entire organization. A proactive approach should be adopted, including fostering a culture of awareness at all levels of the bank.