Cyberattacks are a major operational risk for the financial sector, according to the Financial Stability Oversight Council's 2014 annual report. A massive cyberattack could "undermine the confidence of consumers and investors, and ultimately, threaten the stability of the financial system," according to the report. Because of the financial industry's increasing dependence on other sectors, "including energy, transportation and telecommunications," banks are exposed both to direct cyberattacks and to attacks on companies in other industries. Last year's Target data breach offers one compelling example of how a cyberattack outside the financial industry can leave banks with large losses, in that case the cost of reissuing compromised payment cards and absorbing fraud on them.
Given the likelihood of even bigger and more catastrophic cyberattacks in the future, a growing number of banks are buying insurance policies to cover such an event. But if and when that day comes, insurance companies may not be ready to pay up.
Many insurance companies seem to understand that in order to sell policies that protect banks and other firms against cybercrime, they need to be seen paying such claims. Some may think that by selling policies with high deductibles and low coverage limits, and by paying relatively small claims, they are controlling their exposure to cyber-assaults by off-loading a large share of the risk onto policyholders.
But these measures do not control for risk from cyberattacks at a truly catastrophic level — the kind envisioned in a number of government publications, including the FSOC report, the White House's 2013 Executive Order 13636 entitled "Improving Critical Infrastructure Cybersecurity" and the Cybersecurity Framework that the National Institute of Standards and Technology issued under that order, which is designed to help companies assess and set their risk tolerance for cyberattacks. These reports imagine an attack on the power grid that shuts down big money-center banks, stopping all inter-bank transactions and bringing the American economy — and quite possibly the global economy — to an abrupt halt.
An underwriter that has sold many relatively low-limits policies to a large number of banks would still be severely affected by this kind of attack: the limits and self-insured retentions cap each individual claim, but they do nothing to cap the number of policyholders hit at once. Insurance companies now trumpeting their prompt payment of cyber-loss claims may pull in their horns when a serious, broad-scope attack finally takes place.
Large banks looking for cyber-risk insurance sometimes face markets unwilling or unable to commit the capital necessary to meet policyholders' needs. But there are signs that, capacity aside, underwriters fear the possibility of a large-scale cyberattack that would cause major losses across the financial sector. This fear, to the extent that it keeps high-limits policies out of the hands of the banks that need them, may serve as a warning that the insurance industry does not yet have its arms around the risk cybercrime poses to the financial services industry.
If the financial services industry cannot count on insurance markets to provide protection against a major cyberattack — either because sufficient coverage is unavailable or because ineffective underwriting creates a risk that claims will not be paid when they occur — the alternative is self-reliance. The first tool for avoiding an uninsured catastrophe is to beat cyber criminals at their own game through better data security. Yet experts constantly warn that no set of security controls is sure to fend off a determined attacker. It would be naïve to rely solely upon good security in this threat environment.
Another form of self-reliance is good risk management. In a perfect world, this would tell a bank its cyber-loss exposure ahead of time, so that security measures and insurance programs could be tailored to meet it. But this is not a perfect world, and not all banks will measure that exposure with any degree of precision.
The ultimate form of self-reliance against an uninsured or ineffectively insured cyberattack would be careful self-insurance, in which alternative vehicles such as captive insurance companies are used to spread exposure. (Captive insurance companies are subsidiaries of non-insurance firms created to insure the risks of their parent organizations.) These methods of transferring risk may run into the same capacity barriers found in standard insurance markets, although reinsuring a cyber-loss exposure covered by a captive might offer better risk-spreading opportunities than buying coverage directly.
A bank's best strategy for protecting itself from disastrous cyber risk will be a combination of vigilant security, alternative insurance vehicles, and the many cyber-insurance products available to transfer this kind of risk away from its balance sheet. The bank that is best prepared will have coordinated these measures at the executive suite level, with a clear vision of the scope of the risk. The need for the attention of a bank's senior management and board has never been more urgent.
David E. Wood is co-managing shareholder in the Ventura, Calif., office of law firm Anderson Kill. He represents corporate policyholders, including financial institutions, in insurance recovery matters involving primary liability and errors and omissions coverage, professional liability insurance, crime coverage, environmental coverage, primary-excess disputes, and rights of additional insureds. Email David at firstname.lastname@example.org.