As all types of online banking activity increases, so do banks’ security risks — and their need for specialized insurance coverage, industry sources said.

“Security-of-data issues are of a whole other magnitude” for banks than for any other industry because of the amount of information banks have about their customers and the sensitive nature of that data, said Emily Q. Freeman, practice leader for e-business risk solutions at Marsh Inc., a New York insurance broker owned by Marsh & McLennan Cos.

The number of people who bank online regularly is expected to grow from about eight million now to 24.2 million by 2004, according to GartnerGroup, a technology research and consulting firm in Stamford, Conn.

With increasing volume comes greater potential for customer security breaches, Ms. Freeman said. “Instead of going through a wastebasket and getting one name, someone can now hack a Web site and get 300,000 names. That’s the scope of what we’re talking about,” she said.

Banks whose online security is compromised face loss of funds and customers, lawsuits, and regulatory action, Ms. Freeman said. Major banks recognize the gravity of the security issue, but the financial services industry as a whole needs to devote more resources to addressing the problem.

The possibility of such breaches is a sensitive topic for many banks. Several with a sizable online presence, including NetBank, Wells Fargo & Co., and National City Corp., declined to be interviewed for this article and gave security concerns as the reason.

Gayle Wellborn, senior vice president and director of consumer advocacy for e-commerce at First Union Corp., said that online aggregators pose one of the biggest risks.

First Union, for one, is pushing the banking industry to develop technological and security standards for aggregators.

Ms. Wellborn is chairman of the Banking Industry Technology Secretariat, a group of 200 people from 80 organizations that is working to develop voluntary standard procedures for privacy and security, as well as to examine the regulatory and legal environment of aggregators. She said the group hopes to publish recommendations by the end of March that will spell out the security measures financial services companies should incorporate into their Web sites.

Tom Bartolomeo, First Union’s senior vice president of information security, said online security insurance might be a good idea but that it is difficult for insurance companies — especially in a constantly changing environment — to determine how much and what kind of coverage is proper.

Charlotte Birch, a spokeswoman for the American Bankers Association, said that bankers “are just starting to become aware of the need for additional coverage.” Groups such as the ABA have been trying to educate bankers about the risks of online commerce and have been recommending insurance products, she said.

Gina Juhnke, a product manager at Progressive Casualty Insurance Co. in Mayfield Village, Ohio, the provider of liability insurance to members of the ABA, said that though many insurers offer e-commerce risk policies, banks need a specialized product.

The rider Progressive currently offers ABA members covers some direct losses from computer hacking and fraud but does not offer coverage for lawsuits filed by third parties. Ms. Juhnke said that Progressive plans to introduce an Internet banking liability insurance policy in June that will cover additional risks.

Most banks already have a financial institution bond that covers some Internet risks, including hackers, computer viruses, and employee theft. The new Progressive policy will not overlap with that coverage, Ms. Juhnke said, or insure risks bankers do not face. For example, she said, banks do not need business interruption coverage, which replaces income lost when a Web site goes down for a long period, because customers can use branches, the phone, or an ATM.

When looking at a bank, Ms. Juhnke said, Progressive wants to make sure its contracts with Web service vendors do not hold the bank liable for a vendor’s negligence.

In addition, she said, the bank needs to communicate to vendors its privacy policy and how it is enforced because vendors will be responsible for protecting the privacy of customers.

Chubb Group’s CyberSecurity product, introduced Jan. 29, specifically covers a bank’s Internet risks, including: customer data theft; lost income and expenses caused by the denial or impairment of services; and losses related to fraudulent e-signatures and e-mail, vandalism, or the costs of responding to a threat of vandalism.

Tracey Vispoli, cyber-solutions manager in Chubb’s financial institutions department in Warren, N.J., said the product fills the gaps left by the computer crime policies and fiduciary bonds that many banks already own.

“Today, network security is a core competency,” Ms. Vispoli said. “Without it, you don’t exist.”


From Our Archive

Subscribe Now

Access to authoritative analysis and perspective and our data-driven report series.

14-Day Free Trial

No credit card required. Complete access to articles, breaking news and industry data.