The arms race that is computer security goes on and on. As your fraud prevention systems get better, the bad guys get better at being bad. Your insurance must be robust to help you pick up the pieces if things go wrong.
This discussion focuses on insurance for situations involving fraud where computers are the access or repository of assets. Losses can take two forms:
• Direct loss of bank assets by means of a computer and/or
• Lawsuits alleging negligence over improper computer security.
Losses to bank assets (also called first-party losses) are events that cause direct loss of money, loss of property, or damage to property.
Examples are a hacker stealing money, or inserting malicious code into the bank’s computer system. Perhaps a bad-guy uses your e-banking system to steal funds from a customer account. The loss can be a fraudulent funds transfer that utilizes or is facilitated by computers.
Lawsuits come from an allegation of your bank’s negligence by a customer, a customer’s customer, or another third party.
Examples are an event where your failure to secure your computers allowed hackers to steal a customer’s money or gain access to a customer’s private information. Fraudsters access a customer account and remove funds; in the resulting confusion the customer is unable to take advantage of an opportunity, so your customer loses income or profit. The customer sues the bank to recoup the loss.
A variety of insurance policies protect the bank, both from loss of assets and loss from lawsuit.
The bank’s property insurance should protect the computer hardware and the expenses incurred in a loss of the actual computer system. The policy is not limited to fraud losses; it also covers fire, windstorm, flood, mechanical breakdown, and voltage surge. The same policy protects the bank from vandalism of its computers and can include coverage for repairs made necessary by viruses and malicious software.
A key coverage consideration is assurance that the dollar amount of coverage is adequate to replace the computers lost. The removal of any coinsurance penalty is critical in the design of a good property insurance program.
Make sure all bank locations are included in the description of coverage.
Financial institution fraud-bond
The financial institution fraud-bond is the primary insurance coverage for loss of money from fraud. The policy includes protection for employee dishonesty, cyber theft, electronic funds transfer fraud, and debit card fraud.
A review of the bank fraud-bond will show a list of coverage sections.
Computer systems fraud coverage provides for a loss of property caused by the entry to or change of electronic data or of a computer program within the bank’s computer system. Here is coverage for hackers stealing money, moving funds, changing account balances, and the like.
Some insurers include a variety of other coverages within the computer fraud coverage—funds transfer fraud, damage by hackers, damage by virus (including loss of data). Other insurers have separate coverage sections for transfer fraud, hacking, and viruses. Review your policy to learn the structure of your protection.
A key coverage issue is the definition of “computer system.” Be sure that your service provider’s computer systems are included in the definition included in your policy.
Debit card fraud coverage is often included in the fraud-bond. The protection responds to the actual fraudulent use of a debit card. However, be aware that high deductibles ($50,000 to $250,000) often effectively remove the utility of the insurance, as most debit card losses are below $5,000.
Kidnap and extortion insurance is not often considered an area of cyber coverage, until you consider the idea of cyber extortion. The fraud-bond used by most insurers includes coverage for an extortion attempt that focuses on computers or computer data. My most-used example: A caller claims to have access to the bank’s computers and will release funds to offshore accounts if the bank does not pay the demanded sum.
Cyber-liability insurance is the coverage for a lawsuit alleging that faulty computer security caused a financial loss to a customer or other third party.
Perhaps a better name would be “computer liability insurance.”
Let’s say hackers access your bank’s system and steal your account holder’s private information—social security numbers, addresses, dates of birth, PIN numbers, and the like. That information is used against your customers, who seek restitution from the bank through a lawsuit. That action may be an individual suit or a class action.
A fraudulent transfer of funds might result in a loss of a business opportunity or a loss of a customer’s reputation. Suit is brought against the bank alleging negligence and a failure in the duty of protecting a customer.
The purpose of the policy is to respond to lawsuits that come at the bank out of the use of the bank’s computer system. Most often these suits involve an allegation that there was a failure to protect the privacy or private information of your customer.
An often-overlooked coverage pays the cost to notify your customers of a data breach. Federal and state laws require that the custodian of private information notify those whose information has been compromised. Notification expenses can reach $200 per name, so a data breach affecting three thousand individuals can mean $600,000 in mitigation expenses. Many cyber-liability policies have $100,000 or less of coverage for breach notification expenses. Review the limits in your policy.
How much insurance should you buy?
Choice of deductibles and limits of coverage can be tricky. Various groups put out peer data. These charts tell you what other similar organizations buy for coverage. However, they do not tell you whether your insurance is adequate to meet lawsuits or losses.
I suggest that the peer data is only a starting point and that economics and appetite for risk play a part in the decision on limits of insurance.
If $5 million of insurance costs $50,000 and the next $1 million is going to cost an additional $1,000, most banks would buy the extra million. If the next million costs an additional $25,000, most banks would pass, based on the perception that the value of the next million is not worth the cost.
Here is a sample of my recommended minimum limits for some cyber exposures:
Example events and coverage parts
Here are some sample loss scenarios with an indication where to look for coverage that can respond to the event:
Event: Bad guy hacks your system and steals money from the bank.
Potential coverage: The fraud-bond should include coverage for the bank’s loss of funds.
Event: Bad guy hacks your system and steals customer data.
Potential coverage: Cyber-liability coverage should provide coverage for the costs of notifying customers. If a lawsuit results from the data breach, then cyber-liability coverage responds to the suit.
Event: Bad guy hacks your customer’s computer and steals your customer’s money.
Potential coverage: If the loss is to a commercial customer and the customer was not diligent in protecting access to funds, there may not be a loss to the bank’s assets, in which case the bond would not be triggered. If the customer does sue, the cyber-liability policy should respond. If the suit results in a judgment that the loss was to the bank’s assets, then the fraud-bond, after the suit, may protect the bank.
Event: Bad guy convinces an unwary employee to transfer customer money fraudulently.
Potential coverage: Computer fraud or fraudulent funds transfer section of the fraud-bond.
Event: Compromised debit cards are used fraudulently.
Potential coverage: Debit card coverage in the fraud-bond. A high deductible probably removes coverage for smaller losses.
Event: Customer account is hacked and the customer sues the bank for breach of privacy.
Potential coverage: Cyber-liability insurance responds to the cost of defense and any award made against the bank in the lawsuit.
About the author
Scott Simmonds is an unbiased insurance consultant with a specialty in bank insurance issues. His website is www.BankInsuranceConsultant.com