For banks and credit unions, COVID-19 led to a surge in virtual viruses.

According to cybersecurity firm VMware Carbon Black in their latest report “Modern Bank Heists 3.0,” banks and financial institutions have experienced a 238% uptick in cyber attacks since February. [1]

With entire workforces logging in from home computers, tablets and smart phones, there’s a lot more at stake. It’s never been more important for financial institutions to have not just any cyber policy, but the right cyber policy.

Acquiring the right cyber policy for your financial institution

Unlike other business insurance products including general liability and property policies that provide similar coverage across industries, cyber coverage is written to match an organization’s unique risk profile. Having the right policy for your business is about understanding and specifying the right limits, exclusions and gaps in coverage.

On one hand, banks and financial institutions have an advantage over traditional businesses that experience a cyber attack. The highly regulated financial services industry requires banks and credit unions to have written and tested backup recovery and business resilience plans in place.

On the other hand, safeguarding each customer’s life savings and personally identifiable information (PII) means there’s more to lose.

When procuring a cyber policy for your financial institution, consider the following parameters:

  1. Base coverage limits on cost of breach mitigation, not total business revenue. Underwriters have traditionally calculated cyber coverage limits based on the financial institution’s annual revenue. But doing so may not account for the total cost of a data breach, which is what the insurance payout is used for. Instead, estimate breach expenses, including a forensic investigation, notification requirements in each state where you have customers, required credit monitoring and more. Use this metric to determine desired cyber policy limits.
  2. Understand the implications of the policy application. During the quoting process, the financial institution will fill out an application for cyber coverage. Because this application is subsequently used to price the coverage and set exclusions and limits, all cyber protection efforts agreed to in the application must be adhered to once coverage is in place. Make sure you’ve instituted all the systems you claim to have.
  3. Reduce coverage gaps by understanding how all your policies jibe. Cyber attack claims are often accompanied by additional lawsuits that can be classified under other policies, including D&O and crime policies. To get the most out of your insurance coverage, your cyber policy must dovetail with your D&O, crime, property, general liability policy and more.
  4. Know what isn’t covered. When quantifying a cyber insurance claim, the financial institution will be required to tabulate losses and expenses. Cyber policies may offer business interruption coverage that will pay out calculated losses if a network system is compromised and made inoperable, whether by a cyberattack or simply a network outage. Each institution must review its own sources of revenue and how they would be impacted based on various scenarios and downtimes. A cyber policy will not, however, cover a software upgrade to strengthen your network’s resiliency after a breach. Financial embezzlement, even though carried out virtually, is not covered by a cyber policy either, but instead by a crime policy. Consider all potential scenarios when determining what additional coverages you need to supplement your cyber policy.
  5. Readily available endorsements can be added to a cyber policy. Policy endorsements like a “fines and penalties endorsement” are available to supplement your cyber coverage. Depending on your bank’s niche, endorsements like this can be critical to a business’s ability to survive a data breach intact.

Prevent claims with adequate staff training

Coverage is important when there’s a claim, but preventing the claim in the first place is always preferred. Banks and financial institutions will want to ward off any potential cyber criminals with staff training.

Train your staff to avoid phishing schemes, the most common breach penetration method for banks and other financial institutions. Business email compromise (BEC) scams are common at financial institutions and are designed to trick employees into transferring funds to a cyber criminal’s accounts or disclosing customer PII. Criminals are also known to infiltrate organizations and compromise information systems, especially corporate payment systems, via links in emails sent to unknowing employees.

Letting customers, shareholders and employees know what your bank is doing to safeguard their data and money will not only hold you accountable, but will also give investors confidence in your business’s ability to ward off cyber predators.

Contact your HUB Cyber expert for more information on choosing the right coverage to protect yourself in case of a cyber attack on your bank.


[1] https://www.zdnet.com/article/covid-19-blamed-for-238-surge-in-cyberattacks-against-bank/; https://www.carbonblack.com/resources/modern-bank-heists-2020/