Five Questions Banks Should Be Asking About Their Cyber Liability Insurance Policy
Cyber Liability Insurance coverage has been in existence in some form for more than a decade. And with each successive news item detailing yet another major security breach, the need for banks to consider a specific coverage form to protect them from losses due to this exposure becomes more apparent. As repositories of vast amounts of private data on their customers, it is no wonder that community banks report a high incidence of attempts to breach their electronic systems to access and exploit this private information. But while the market for Cyber Liability coverage is fairly mature, there is no standardized coverage and the disparity between forms offered by various carriers remains fairly wide. While there is some commonality between the most basic and the broadest coverage forms on the market, below are some questions you should ask your carrier to answer to help you determine the breadth of coverage you are getting for your premium dollar.
How does your policy respond to vendor management issues?
Many policy forms only respond to breaches of a computer system that is owned or operated by the named insured and loss of information that is contained in that system. But since most banks outsource at least some of their data processing operations, there is a potential gap in coverage if a bank is held liable for a breach of a vendor’s system when personal data of bank customers is lost as a result. For instance, if a bank has a credit card or consumer lending portfolio and outsources account services, billing, card issuance, etc., a breach of that vendor’s system that causes the loss of data that was given to them by the bank could result in a lawsuit against the bank itself. Even if there are indemnification agreements with the vendor, there could still be significant costs associated with responding to the allegations and compelling the vendor to honor their indemnification agreement. We are hearing with some frequency that regulators are questioning banks about their cyber insurance policies and how those policies respond to this very issue. You should verify that your policy of choice includes coverage for liability that arises out of breach of your vendor’s systems for which your bank might be held liable.
What types of data loss are covered by the policy?
While arguably the largest exposure faced by a bank is liability for loss of personally identifiable information of individual customers, the exposure does not end there. You should make sure that your cyber liability policy includes coverage for loss of private corporate information as well. Whether it is in the lending function or another service that a bank provides to its corporate customers, banks often come into possession of private information on their commercial customers too. Should this information be lost as a result of a security breach, the bank can be held liable for its dissemination. Be sure that your policy has a broad definition of private information to include that of customers that are not natural persons.
What additional pre- and post-claim services are provided to your insureds under your policy?
Under many Cyber Liability coverage forms, the only interaction between the carrier and insured is at application and claim time. While claims handling is the primary concern for those that purchase this coverage, some carriers go beyond this by offering value-added services or extensions of coverage in addition to providing liability coverage. Among other items, these services can include the following:
- A hotline to get immediate assistance in the event of a suspected breach
- Payment and/or reduced costs for a security coach to advise the insured on current electronic security issues
- Payment for forensic services when a loss is suspected to determine if and how a breach occurred, to what extent the breach was perpetrated and which customers were affected
- Legal expenses associated with determining the applicability of any breach notification required by law
- Payment for the operation of a Call Center to assist affected customers following a data breach
What’s more, some of the carriers either offer these services using in-house staff or have dedicated relationships with recognized service organizations to provide them. As such, the insured need not source these services themselves, but rather can take advantage of them almost immediately when needed. Assistance above and beyond merely taking in claims notices should be considered as part of your insurance buying process. Carriers that distinguish themselves in the Cyber Liability market are those that provide meaningful risk management and loss mitigation services along with their policies.
How does your policy cover Notification expenses?
One of the primary benefits of many Cyber Liability forms is the payment of costs associated with notifying affected customers following a breach. But even in this case there can be significant disparity between the various programs you may be reviewing. Many policies will only pay for these expenses when such notification is required by law and will only make those notifications in a form as required by the law (i.e. first class mail, public notification in a newspaper, emails, etc.). The broader forms, however, provide the insured some flexibility in providing notifications voluntarily, as well as in the means of notification beyond that required by law. This feature provides the insured the opportunity to manage reputational damage that may ensue as a result of a breach by going above and beyond what is strictly required by law. In addition, this topic of coverage should be reviewed based on whether a specific dollar amount of coverage is provided or based on the number of notifications made. It would seem that when an insured can select a level of coverage that is driven by the number of notifications that are made, they can do so in line with their size and customer base. In addition, as laws or preferred methods of notification change, the chances of having a limit insufficient to fully defray the costs of notification are mitigated by selecting a policy that stipulates a number of notifications to be covered.
Does your policy cover breaches of your own corporate policy?
Cyber Liability coverage in some form is purchased by an increasing number of banks across the country. But the decision-making process should not end with deciding whether or not to buy coverage. Rather, the informed buyer should take the time to understand fully all of the options that may be presented to them for review.