May 2015 Banking Exchange


/ Risk Adjusted /

• Implement an information security program;
• Create and execute a crisis response plan;
• Review third-party vendor relationships;
• Evaluate and obtain cyber insurance.

Performing a systems assessment is key. It provides an understanding of where key information is located; who has access to that information; what system weaknesses exist; and what effect a breach would have on the bank. Without a plan, there is no way to properly evaluate whether a cyber insurance product will provide a bank with what it needs. These proactive steps are therefore a condition precedent to any consideration of cyber insurance.

Evaluating options

At their core, cyber insurance policies are designed to cover three types of expenses associated with a data breach, depending on the type of policy chosen:

1. Response and investigation costs.
2. Litigation defense and damages.
3. Regulatory defense and penalties.

Typical cyber policies in the current market provide “first-party” coverage, “third-party” coverage, or both.

First-party coverage typically covers response costs, such as hiring professionals to assist in the investigation and response. Such experts can include attorneys to advise on notification and other legal requirements, public relations firms, crisis management firms, and computer forensic firms. This coverage also includes notifying affected customers; providing credit monitoring services; establishing call centers; creating security and incident response templates; and restoring lost data.

Third-party coverage typically covers litigation expenses and damages. Certain third-party policies may also provide coverage for the costs of regulatory defense, fines, and punitive damages.

There are many factors for a bank to consider when evaluating cyber insurance policies, and these factors are largely specific to the business itself. Cost of premiums is certainly a driving factor, as are coverage options, risk complexity, and variance in carrier offerings. The lack of historical data and uniform coverage practices does not help ease any concerns that banks may have. Common areas for evaluation include:

• What notification obligations a financial institution anticipates.


Cyber insurance is not a replacement for basic proactive steps that institutions should take to mitigate risk. It is merely a part, albeit an important one, of an information security plan.

• Whether a bank should obtain retroactive coverage for undetected breaches that occurred before the policy’s effective date. Because data breaches often go undetected for long periods of time, a bank may not have confidence that its systems have not already been breached.
• Whether a policy includes coverage for reputational harm or for lost sales and profits relating to harm caused by a cyber attack, and what methodology the insurer uses to calculate lost sales and profits.
• Whether a policy extends to third-party vendors that have access to sensitive bank information.
• Whether exclusions that typically apply to general insurance policies continue to apply to cyber insurance policies. Examples include exclusions for employment practices, antitrust violations, or ERISA violations, and even for intentional acts by directors or officers.

When selecting cyber coverage, banks should take a cross-disciplinary approach. The executive or team directing the project should consult several different departments, including those responsible for information technology, privacy, compliance, human resources, business operations, legal, and risk. By gathering information from these different areas, banks will be better able to create a comprehensive cyber risk profile with a greater understanding of their cybersecurity needs. In addition, financial institutions should look to fill any gaps in coverage under their existing general commercial liability policies with the available cyber insurance coverage options.

Trends in cyber risk

The cybersecurity insurance industry is evolving at a rapid pace, and banks should soon begin to benefit from reduced premiums as competition increases in the market. However, because cyber insurance is still in its infancy, policy terms are often specifically tailored to the insured’s unique risks as a result of negotiations between the insurer and the insured. A bank should thus negotiate the precise coverage that meets its needs. The cyber insurance market, which

