Friday, 22 August 2014
With M&A activity in the community bank space setting a feverish pace, requests for Extended Reporting Periods (ERP) on Directors & Officers Liability policies have become a weekly occurrence for brokers and carriers who serve this market. In the vast majority of cases, accepting the ERP on the current policy is the way to go. But this is not universally the case, and buyers and sellers should research their options before putting out premium for the ERP. Not only are terms and conditions of the current policy often negotiable, but those involved in M&A should understand that there are specialty markets that will write ERP without having written the prior coverage, which may provide compelling options to consider.
A major point to consider is whether the current policy provides coverage as broad as the stakeholders would like to rely on for the next one to six years after closing. This is especially true for those banks that stumbled in the great recession, started to improve and are now attractive targets for purchase. Many of these banks saw their D&O coverage negatively affected and have not yet seen the broadest coverage made available to them. Rather than simply taking an ERP on a policy that may have lower limits and more restrictions, it may be possible to negotiate improved coverage with the incumbent carrier or a new carrier.
This consideration is not only important for the management of the purchased bank, but it should also be a concern for the purchasing entity. Most purchase and sale agreements provide indemnification agreements for the benefit of management of the purchased bank to be provided by the purchasing bank. By accepting what may be inferior coverage for the ERP, the purchasing bank is setting itself up to have to indemnify prior management without having a policy that will respond positively to cover this indemnification. There is also the potential for a lawsuit against the purchasing bank for not exercising due care in incepting the ERP on their target's prior policy.
Among all of the considerations undertaken when banks consider mergers, the decision to take ERP on prior D&O policies is often made out of hand. Taking a bit more time to consider options is time well spent by all concerned. In a later Bank Bulletin, we will discuss additional considerations that should be made in making this all-important purchase.
Posted on 08/22/2014 1:53 PM by Tim Bennett
Wednesday, 23 July 2014
Now more than ever, bank directors and officers should be concerned whether their management liability coverage will be there when they need it most.
Carriers continue to broaden the scope of D&O coverage, which now goes well beyond the scope of traditional D&O insurance. Among other possibilities, when available limits are diluted or exhausted by payments for the covered bank (the entity), officers and directors can be put in a position of being without coverage when most needed.
The proper placement of an Excess Side A DIC policy can remedy many potential problems with the structure of a D&O program. The benefits that can be provided by an Excess Side A DIC policy include:
The ability of banks to retain competent management and directors often depends on the protection they provide to these individuals from allegations of mismanagement. In addition to a primary management liability policy, insureds should consider the additional placement of an Excess Side A DIC policy to provide an unassailable layer of coverage in the worst of circumstances.
Posted on 07/23/2014 9:21 AM by Tim Bennett
Wednesday, 07 May 2014
Cyber Liability Insurance coverage has been in existence in some form for more than a decade. And with each successive news item detailing yet another major security breach, the need for banks to consider a specific coverage form to protect them from losses due to this exposure becomes more apparent. As repositories of vast amounts of private data on their customers, it is no wonder that community banks report a high incidence of attempts to breach their electronic systems to access and exploit this private information. But while the market for Cyber Liability coverage is fairly mature, there is no standardized coverage and the disparity between forms offered by various carriers remains fairly wide. While there is some commonality between the most basic and the broadest coverage forms on the market, below are some questions you should ask your carrier to answer to help you determine the breadth of coverage you are getting for your premium dollar.
How does your policy respond to vendor management issues?
Many policy forms only respond to breaches of a computer system that is owned or operated by the named insured and loss of information that is contained in that system. But since most banks outsource at least some of their data processing operations, there is a potential gap in coverage if a bank is held liable for a breach of a vendor’s system when personal data of bank customers is lost as a result. For instance, if a bank has a credit card or consumer lending portfolio and outsources account services, billing, card issuance, etc., a breach of that vendor’s system that causes the loss of data that was given to them by the bank could result in a lawsuit against the bank itself. Even if there are indemnification agreements with the vendor, there could still be significant costs associated with responding to the allegations and compelling the vendor to honor their indemnification agreement. We are hearing with some frequency that regulators are questioning banks about their cyber insurance policies and how those policies respond to this very issue. You should verify that your policy of choice includes coverage for liability that arises out of a breach of your vendor’s systems for which your bank might be held liable.
What types of data loss are covered by the policy?
While arguably the largest exposure faced by a bank is liability for loss of personally identifiable information of individual customers, the exposure does not end there. You should make sure that your cyber liability policy includes coverage for loss of private corporate information as well. Whether it is in the lending function or other service that a bank provides to its corporate customers, banks often come into possession of private information on their commercial customers as well. Should this information be lost as a result of a security breach, the bank can be held liable for its dissemination. Be sure that your policy has a broad definition of private information to include that of customers that are not natural persons.
What additional pre- and post-claim services are provided to your insureds under your policy?
Under many Cyber Liability coverage forms, the only interaction between the carrier and insured is at application and claim time. While claims handling is the primary concern for those that purchase this coverage, some carriers go beyond this by offering value added services or extensions of coverage in addition to providing liability coverage. Among other items, these services can include the following:
What’s more, some of the carriers either offer these services using in-house staff or have dedicated relationships with recognized service organizations to provide them. As such, it is not necessary for the insured to source these services themselves; rather, they can take advantage of these services almost immediately when needed. Assistance above and beyond merely taking in claims notices should be considered as part of your insurance buying process. Carriers that distinguish themselves in the Cyber Liability market are those that provide meaningful risk management and loss mitigation services along with their policies.
How does your policy cover Notification expenses?
One of the primary benefits of many Cyber Liability forms is the payment of costs associated with notifying affected customers following a breach. But even in this case there can be significant disparity between the various programs you may be reviewing. Many policies will only pay for these expenses when such notification is required by law and will only make those notifications in a form as required by the law (i.e. first class mail, public notification in a newspaper, emails, etc.). The broader forms, however, provide the insured some flexibility in providing notifications voluntarily, as well as in the means of notification beyond that required by law. This feature provides the insured the opportunity to manage reputational damage that may ensue as a result of a breach by going above and beyond what is strictly required by law. In addition, this topic of coverage should be reviewed based on whether a specific dollar amount of coverage is provided or based on the number of notifications made. It would seem that when an insured can select a level of coverage that is driven by the number of notifications that are made, they can do so in line with their size and customer base. In addition, as laws or preferred methods of notification change, the chances of having a limit insufficient to fully defray the costs of notification are mitigated by selecting a policy that stipulates a number of notifications to be covered.
Does your policy cover breaches of your own corporate policy?
Cyber Liability coverage in some form is purchased by an increasing number of banks across the country. But the decision-making process should not end with deciding whether or not to buy coverage. Rather, the informed buyer should take the time to understand fully all of the options that they may be presented for review.
Posted on 05/07/2014 7:52 AM by Tim Bennett
Tuesday, 01 March 2011
Vendor management is a hot button issue for banks prompted by and in the face of regulatory pressure. Regulations are constantly changing, and regulatory enforcement continues to increase in its intensity and frequency. There are three primary reasons why bank regulators have a heightened interest in vendor management:
• A greater reliance on third parties by banks;
Regulatory compliance raises the importance of vendor management concerns since members of the board of directors can be held personally liable for non-compliance situations.
According to the FDIC statement dated June 6, 2008, the board of directors and senior management are ultimately responsible for identifying and controlling the risks associated with third-party relationships, including the potential for misuse of confidential customer information or violations of rights to privacy of bank customers.
An institution’s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, “to the same extent as if the activity were handled within the institution.”
The first step is to develop and adopt a formal vendor compliance management policy. The development and adoption of a policy will bring the issue to the Board’s attention, which is ultimately responsible for the process, and highlight the importance of the program to all levels of management.
There are several firms that offer viable software to assist in the development of an appropriate bank policy. We recommend that bank management contact several of these companies and seek proposals for consideration.
A bank’s management is obviously conscious of the critical role they play in protecting their customers’ confidential information and the importance of public confidence in order to attract and maintain relationships with consumers. Every institution that’s been involved in a compromise of confidential customer information has also experienced some loss of public confidence, affecting not only the existing customers of the institution but potential customers and an array of others that are directly or indirectly involved with it.
Gramm-Leach-Bliley crystallized the financial services industry’s responsibility in protecting personal financial information. Once this information is compromised, in addition to the potential for loss of customer confidence, the institution also is subject to liabilities to those whose information was compromised. This is true of information in the care and custody of a bank and of any third-party vendors used by the bank that must have access to this information.
These liabilities can result in a substantial financial loss to the institution, potentially affecting its profitability and capital structure. It is critical, therefore, that management institute appropriate policies and procedures in accordance with the FDIC and other federal or state banking authority mandates.
Posted on 03/01/2011 10:43 AM by test
Tuesday, 01 March 2011
Financial institutions are exposed to potential environmental risks as a result of properties they own, properties on which they have foreclosed, properties they manage or hold in trust, and property held as collateral for a loan if the institution engages in decisions that affect the environment.
Environmental questions that bank management should consider when considering offering a loan on a specific property:
• Is there any known pollution?
Posted on 03/01/2011 10:41 AM by test