Why cyber insurance is taking on new urgency for credit unions
The need for cyber insurance is taking on newfound urgency with threats continuing to increase and a record number of credit union employees working from home due to the coronavirus.
When COVID-19 began to spread, credit unions quickly pivoted to remote work for many staffers. Working from home poses its own challenges, however, as credit union employees access internal systems through home networks that may not be as secure as those at the office – a threat the National Credit Union Administration warned of in the early days of the pandemic.
As fraudsters look to attack vulnerable offsite networks, now is the time for credit unions to ensure their employees’ remote workspaces are protected.
“With people working remotely, you want to make sure that the insurance policy covers those work-from-home working environments,” said Anthony Dagostino, executive vice president of global cyber and technology practice at Lockton Companies, the world’s largest independent insurance brokerage.
Despite cyber risks continuing to increase and credit unions being aware of the threat, some financial institutions still choose to forgo cyber insurance. Beazley Insurance, a partner of CUNA Mutual Group, saw a 150% increase in ransomware attacks last year compared with 2018. Not only has the frequency of attacks risen, but costs associated with those attacks continue to climb higher. Only a few years ago, ransomware demands – which are frequently paid off via cryptocurrency – rested in the ballpark of $15,000 to $20,000, but now experts are seeing frequent demands upwards of $100,000 and an average of more than $84,000.
That puts credit unions and other institutions in a bind in the event that member data and personally identifiable information become compromised. And the financial hit could be even tougher these days, with more loans in forbearance and the possibility for increased delinquencies due to the pandemic.
“Ninety-five percent of insurance policies will most likely cover the scenario of working from home, working on your home network or working from your personal computer — it’s that 5% of policies where it might be excluded, so we really urge credit unions to look at their insurance policy closely,” said Dagostino.
The phenomenon is sometimes referred to as a trapdoor, since it lurks in the fine print of an institution’s own insurance policy. Trapdoors can take the form of either sublimits – limitations for specific types of loss – or total exclusions, in which the insurance carrier simply does not provide coverage. Credit unions can leave themselves vulnerable if language within the policy is too vague.
Trapdoors could also lead to coverage misunderstandings, in which credit union management may believe the institution is insured for a certain type of incident only to learn that an exclusion applies and limits coverage. For example, a policy may allow $100,000 worth of coverage for breaches, but may have a sub-limit of $50,000 for more specific incidents such as losses incurred from business email compromise.
“It’s very difficult to tear out where those [trapdoors] are,” said Scott Godes, a partner at Barnes & Thornburg. “The challenge for a financial institution when trying to evaluate where those trapdoors lie and where the sub-limits apply is making sure that the insurance company is even telling them about it in the first place.”
Things can become even more challenging when the risk environment evolves beyond the details in the original agreement between a credit union and its insurance provider. When purchasing insurance, Godes explained, institutions are bound where insurance carriers agree to apply certain types of coverage, and policyholders may not see their contract for months and will follow insurance binders in the interim. Godes urged credit unions to request to see the contract’s final language in order to make room for additional negotiations in the event carriers can remove exclusions or change language that may limit what an institution can claim.
“I’ve heard of instances where credit unions have had a breach of some sort [...] that weren’t covered because they went with a cheaper insurance,” said Wade Brink, president and CEO of Community Connect Federal Credit Union. “I think it falls on credit union management to make sure that they’re covered.”
The $20 million-asset institution first contracted for cyber insurance from Beazley in 2016, Brink said, in order to have an expert manage the credit union’s cyber risks rather than tackling them alone.
One provision included in the Titusville, Pa.-based credit union’s coverage is employee misuse of data, such as if an employee falls victim to a phishing attack. Brink declined to disclose specifics on other items covered, citing security reasons.
“It covers a lot that I’m surprised it covers,” he said.
Despite the potential for protecting financial institutions from significant risks as the result of a breach, no federal banking regulators currently require FIs to carry cyber insurance.
CUNA Mutual Group declined to share specifics on how many of its client credit unions carry cyber insurance. Representatives from Beazley did not respond to a request for comment.
Data from S&P Global Market Intelligence and Deloitte show modest growth in recent years for stand-alone cyber policy premiums, and credit unions have largely only begun to indicate interest in those protections within the last decade, according to CUNA Mutual.
“We got some traction in 2010, but it took some time for folks to really understand cyber insurance,” said Jay Isaacson, vice president of P&C Solutions at CUNA Mutual. “Like any new insurance coverage, it takes a while to understand the potential benefit to an organization.”