With M&A activity in the community bank space setting a feverish pace, requests for Extended Reporting Periods (ERP) on Directors & Officers Liability policies have become a weekly occurrence for brokers and carriers who serve this market. In the vast majority of cases, accepting the ERP on the current policy is the way to go. But this is not universally the case, and buyers and sellers should research their options before putting out premium for the ERP. Not only are terms and conditions of the current policy often negotiable, but those involved in M&A should understand that there are specialty markets that will write ERP without having written the prior coverage which may provide compelling options to consider.
A major point to consider is whether the current policy provides coverage as broad as the stakeholders would like to rely on for the next one to six years after closing. This is especially true for those banks that stumbled in the great recession, started to improve and are now attractive targets for purchase. Many of these banks saw their D&O coverage negatively affected and have not yet had the broadest coverage made available to them. Rather than taking an ERP on a policy that may have lower limits and more restrictions, it may be possible to negotiate improved coverage with the incumbent carrier or a new carrier.
This consideration is not only important for the management of the purchased bank, but it should also be a concern for the purchasing entity. Most purchase and sale agreements provide indemnification agreements for the benefit of management of the purchased bank to be provided by the purchasing bank. By accepting what may be inferior coverage for the ERP, the purchasing bank is setting itself up to have to indemnify prior management without having a policy that will respond positively to cover this indemnification. There is also the potential for a lawsuit against the purchasing bank for not exercising due care in incepting the ERP on their target's prior policy.
Among all of the considerations undertaken when banks consider mergers, the decision to take an ERP on prior D&O policies is often made out of hand. Taking a bit more time to consider options is time well spent by all concerned. In a later Bank Bulletin, we will discuss additional considerations that should be made in making this all-important purchase.
Now more than ever, bank directors and officers should be concerned whether their management liability coverage will be there when they need it most.
Carriers continue to broaden the scope of D&O coverage, which now goes well beyond the scope of traditional D&O insurance. Among other possibilities, when available limits are diluted or exhausted by payments made on behalf of the covered bank (the entity), officers and directors can be put in a position of being without coverage when it is most needed.
The proper placement of an Excess Side A DIC policy can remedy many potential problems with the structure of a D&O program. The benefits that can be provided by an Excess Side A DIC policy include:
The ability of banks to retain competent management and directors often depends on the protection they provide to these individuals from allegations of mismanagement. In addition to a primary management liability policy, insureds should consider the additional placement of an Excess Side A DIC policy to provide an unassailable layer of coverage in the worst of circumstances.
Cyber Liability Insurance coverage has been in existence in some form for more than a decade. And with each successive news item detailing yet another major security breach, the need for banks to consider a specific coverage form to protect them from losses due to this exposure becomes more apparent. As repositories of vast amounts of private data on their customers, it is no wonder that community banks report a high incidence of attempts to breach their electronic systems to access and exploit this private information. But while the market for Cyber Liability coverage is fairly mature, there is no standardized coverage, and the disparity between forms offered by various carriers remains fairly wide. While there is some commonality between the most basic and the broadest coverage forms on the market, below are some questions you should ask your carrier to help you determine the breadth of coverage you are getting for your premium dollar.
How does your policy respond to vendor management issues?
Many policy forms only respond to breaches of a computer system that is owned or operated by the named insured and to loss of information that is contained in that system. But since most banks outsource at least some of their data processing operations, there is a potential gap in coverage if a bank is held liable for a breach of a vendor’s system when personal data of bank customers is lost as a result. For instance, if a bank has a credit card or consumer lending portfolio and outsources account services, billing, card issuance, etc., a breach of that vendor’s system that causes the loss of data that was given to them by the bank could result in a lawsuit against the bank itself. Even if there are indemnification agreements with the vendor, there could still be significant costs associated with responding to the allegations and compelling the vendor to honor their indemnification agreement. We are hearing with some frequency that regulators are questioning banks about their cyber insurance policies and how those policies respond to this very issue. You should verify that your policy of choice includes coverage for liability that arises out of a breach of your vendor’s systems for which your bank might be held liable.
What types of data loss are covered by the policy?
While arguably the largest exposure faced by a bank is liability for loss of personally identifiable information of individual customers, the exposure does not end there. You should make sure that your cyber liability policy includes coverage for loss of private corporate information as well. Whether in the lending function or another service that a bank provides to its corporate customers, banks often come into possession of private information on their commercial customers. Should this information be lost as a result of a security breach, the bank can be held liable for its dissemination. Be sure that your policy has a broad definition of private information that includes the information of customers that are not natural persons.
What additional pre- and post-claim services are provided to your insureds under your policy?
Under many Cyber Liability coverage forms, the only interaction between the carrier and insured is at application and claim time. While claims handling is the primary concern for those that purchase this coverage, some carriers go beyond this by offering value-added services or extensions of coverage in addition to providing liability coverage. Among other items, these services can include the following:
What’s more, some carriers either offer these services using in-house staff or have dedicated relationships with recognized service organizations to provide them. As such, it is not necessary for the insured to source these services themselves; rather, they can take advantage of these services almost immediately when needed. Assistance above and beyond merely taking in claims notices should be considered as part of your insurance buying process. Carriers that distinguish themselves in the Cyber Liability market are those that provide meaningful risk management and loss mitigation services along with their policies.
How does your policy cover Notification expenses?
One of the primary benefits of many Cyber Liability forms is the payment of costs associated with notifying affected customers following a breach. But even here there can be significant disparity between the various programs you may be reviewing. Many policies will only pay for these expenses when such notification is required by law and will only make those notifications in the form required by law (i.e. first class mail, public notification in a newspaper, emails, etc.). The broader forms, however, give the insured some flexibility to provide notifications voluntarily, and by means of notification beyond that required by law. This feature gives the insured the opportunity to manage reputational damage that may ensue as a result of a breach by going above and beyond what is strictly required by law. In addition, this area of coverage should be reviewed based on whether a specific dollar amount of coverage is provided or whether coverage is based on the number of notifications made. When an insured can select a level of coverage driven by the number of notifications made, they can do so in line with their size and customer base. Further, as laws or preferred methods of notification change, the chance of having a limit insufficient to fully defray the costs of notification is mitigated by selecting a policy that stipulates a number of notifications to be covered.
Does your policy cover breaches of your own corporate policy?
Cyber Liability coverage in some form is purchased by an increasing number of banks across the country. But the decision-making process should not end with deciding whether or not to buy coverage. Rather, the informed buyer should take the time to fully understand all of the options they may be presented with for review.
Vendor management is a hot-button issue for banks, prompted by regulatory pressure. Regulations are constantly changing, and regulatory enforcement continues to increase in intensity and frequency. There are three primary reasons why bank regulators have a heightened interest in vendor management:
• A greater reliance on third parties by banks;
• Regulations regarding data privacy and security; and,
• Increased focus on data safety due to publicized data breaches.
Regulatory compliance raises the importance of vendor management concerns since members of the board of directors can be held personally liable for non-compliance situations.
According to the FDIC statement dated June 6, 2008, the board of directors and senior management are ultimately responsible for identifying and controlling the risks associated with third-party relationships, including the potential for misuse of confidential customer information or violations of rights to privacy of bank customers.
An institution’s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, “to the same extent as if the activity were handled within the institution.”
The first step is to develop and adopt a formal vendor compliance management policy. The development and adoption of a policy will bring the issue to the attention of the Board, which is ultimately responsible for the process, and highlight the importance of the program to all levels of management.
There are several firms that offer viable software to assist in the development of an appropriate bank policy. We recommend that bank management contact several of these companies and seek proposals for consideration.
A bank’s management is obviously conscious of the critical role it plays in protecting customers’ confidential information and of the importance of public confidence in attracting and maintaining relationships with consumers. Every institution that has been involved in a compromise of confidential customer information has also experienced some loss of public confidence, affecting not only the existing customers of the institution but potential customers and an array of others that are directly or indirectly involved with it.
Gramm-Leach-Bliley crystallized the financial services industry’s responsibility in protecting personal financial information. Once this information is compromised, in addition to the potential for loss of customer confidence, the institution also is subject to liabilities to those whose information was compromised. This is true of information in the care and custody of a bank and of any third party vendors used by the bank that must have access to this information.
These liabilities can result in a substantial financial loss to the institution, potentially affecting its profitability and capital structure. It is critical, therefore, that management institute appropriate policies and procedures in accordance with the FDIC and other federal or state banking authority mandates.
Financial institutions are exposed to the potential for environmental risks as a result of properties they own, properties on which they have foreclosed, properties they manage or hold in trust, and property held as collateral for a loan if the institution engages in decisions that affect the environment.
Environmental exposures can be broken down into five basic categories:
• Property – including damage to real property owned or to property of others.
• Injuries – including physical injuries to others, health effects, psychological stress, and death involving employees, customers, guests and others that the courts consider as being owed some degree of care and protection.
• Business Interruption – either temporary or permanent reduction of a legitimate business activity because of an accident or event beyond the control of an owner, tenant, or the bank that results in loss of income as a result of an environmental impairment. Also included are the extra expenses associated with pollution and with attempting to continue business operations.
• Environmental – involving damage or potential damage to natural resources such as forests, land, air or water.
• Diminution of Value – loss from the diminished value of property as a result of being contaminated. Examples would include buildings that contain either lead paint or asbestos.
Legal liability costs and expenses involved with cleanup are not the only threat to financial institutions. For example, a mortgaged property may be so environmentally impaired that its owners may not be able to continue to service their loan obligations. Ultimately, in many cases, these loans may have to be marked down, decreasing the assets of the institution, potentially reducing its profitability and even impairing the bank’s capital.
Environmental questions that bank management should consider when deciding whether to offer a loan on a specific property:
• Is there any known pollution?
• Is there a possibility that contamination exists but is yet undiscovered?
• Are there underground storage tanks on the property?
• What is the potential for an environmental loss from ongoing operations?
• What impact would a loss have on the operations of the mortgagor?
• Will the damage cause an impediment to the loan?
• Is the mortgagor insured for environmental losses?
• If there is a loss, will the mortgagor be able to meet its obligations to all parties, the government, and the financial institution?
• How can the financial institution be kept informed of environmental exposures and risks?
• How can the financial institution prevent such occurrences from happening?
Today, financial institutions have become increasingly concerned with environmental risks. They typically require Phase I site assessments before granting industrial and commercial property loans, and they make periodic site surveys to ensure there are no developing risks or exposures that would significantly impact the mortgaged asset.
Courts have held to their original position that lenders may find some limited exemptions from direct environmental liability if they do not participate in the management of the borrower’s business and do not do anything that may contribute to pollution or take actions that would prevent avoidance or correction of a hazardous chemical spill or waste disposal.
Properties held in trust can create the potential for liability to the institution if it has failed to conduct appropriate due diligence on the property. Site assessments are valuable tools to avoid potential liability by identifying any environmental risks, followed by full disclosure to the owner or beneficiaries of a trust. Following this with the establishment of appropriate direction to mitigate the potential for direct loss or liability to the trust, its beneficiaries or others is prudent.
There’s a great resource available to banks in the form of the Environmental Bankers Association, based in Alexandria, Virginia. Since its establishment, this association has been involved in establishing model environmental policies and the development of an information clearinghouse for banks.
The intent of this association is to assist its members in adopting better methods to manage their environmental risks. The principal concerns addressed by the association are environmental liabilities that arise out of lending, trust services, and the management of a bank’s own properties and facilities.