The weak spot in banks’ cyberinsurance

A clash between a small bank and its insurance company after a cyberattack may have a lot of banks double-checking the fine print of their coverage.

The $1.3 billion-asset National Bankshares in Blacksburg, Va., has been hit by two separate cyberattacks, in May 2016 and January 2017. Hackers tricked employees into opening emails that gave them access to bank debit card account numbers, which they used to steal $2.4 million by making unauthorized withdrawals at hundreds of ATMs nationwide.

The bank’s claim seeking full reimbursement of its customers’ money was rejected, so National Bankshares took its carrier to court.

It’s a situation that should concern any banking executives who think their companies have adequate insurance to recover from cyberattacks, said Allison Bender, an attorney at ZwillGen who advises companies on cybersecurity law. Not all insurance policies will provide the necessary level of reimbursements, and legal questions about the extent of coverage are uncharted waters.

“There’s a lot of variability about what’s covered and what isn’t covered,” said Bender, a former lawyer at the U.S. Department of Homeland Security. “This is an evolving area of the law.”

Cybersecurity insurance has been around for at least 20 years but has only recently been more widely adopted by financial institutions, said Thomas Bentz, an insurance attorney at Holland & Knight who advises companies on cybersecurity coverage.

The sharp rise in cyberattacks on banks and other financial companies has led more companies to purchase policies, Bentz said. Numerous banks have been hit by cyberattacks in recent months, including Cullen/Frost Bankers and BMO Financial and CIBC, which were both targeted by the same fraudsters.

Four big data breaches in recent years by number of records stolen

Insurance coverage is just one facet of the increased attention that banks and their regulators are placing on cybersecurity. The Securities and Exchange Commission has told banks and other companies to publicly disclose breaches as soon as possible to protect investors from financial losses. Moreover, banks are spending hundreds of millions of dollars to upgrade their technological defenses.

The disagreement between National Bankshares and Everest National Insurance involves the question of which of two policy riders should apply, one for computer and electronic crimes and another for crimes used through fraudulently obtained debit cards.

National Bankshares argues in its lawsuit that the computer and electronic crimes rider is applicable because that’s how the hackers got into their network, and that it should receive coverage for its full losses. But Everest denied that claim and said that only the debit-card rider should apply, which would limit the insurance payout to $50,000.

“The company strongly believes they are insured for and are entitled to recover the full amount of the losses from the breaches, less the applicable deductible, and that litigation will ultimately resolve the case in its favor,” National Bankshares said in an April 26 news release.

“I would like to reassure our shareholders and our customers that we take cybersecurity very seriously,” Brad Denardo, CEO of National Bankshares, said in the release. “We have taken the necessary steps to avoid cyber intrusions of the sort we experienced in 2016 and 2017, and we continually work to monitor and prevent future threats.”

Denardo declined to make additional comments. A call made to attorneys for Everest was not returned, but Everest said in its response to the lawsuit that it made the correct determination on the bank’s claims.

Some banks may not realize that their insurance policies are inadequate to cover cybersecurity-related losses such as stolen funds or operating costs associated with recovering from the attack, Bentz said. Simply attaching riders to a general liability policy typically does not provide the necessary protection.

“It’s very common for banks to not have a cybersecurity policy, or to just get extras added to a general policy,” Bentz said. “But if you don’t buy coverage that addresses these things head-on, you’re running a lot more risk.”

Policies that specifically cover cybersecurity events are generally advised. The American Bankers Association recommends two different types of coverage to its members, depending on the state where the bank is located. One focuses on cyber and privacy exposures and provides coverages specifically for data breaches and indemnifies a bank for business interruptions. The second is geared toward coverage for events arising from the use of online banking platforms.

“Everyone I have talked to has” insurance, said Paul Benda, senior vice president of risk management policy at the ABA. “I think everyone is pretty aware of the risks. Whether they have the right policy is another question.”

Cybersecurity insurance has recently come in handy for other financial services companies. Equifax has received $95 million from the cybersecurity portion of an errors-and-omissions insurance policy, Chief Financial Officer John Gamble said on Thursday during the credit bureau’s earnings conference call.

Equifax has $125 million of total coverage for cybersecurity incidents “and we continue to expect to make claims to fully utilize the policy,” Gamble said. Still, that will only cover a portion of the total $314 million of expenses related to the Equifax breach.

National Bankshares is suing its insurance company because it probably does not have the option of suing its technology vendors, Bentz said. Most tech vendor contracts don’t allow users to pursue litigation as a means to settle disputes, even if it appears there was a software failure.

“When Microsoft or IBM comes in and provides the software, they’re not going allow you to sue them as part of the arrangement,” Bentz said. “You either take the contract or leave it.”

Short of suing your insurance company or tech vendor, there are better and safer ways for chief risk officers to ensure their banks have sufficient protection, Bender said.

“I would review your insurance policies once a year,” she said. “Get someone outside your organization to read it and help you better manage your risk.”

For reprint and licensing requests for this article, click here.
Cyber security Cyber attacks Lawsuits Risk management Insurance Community banking Bank technology
MORE FROM AMERICAN BANKER