20 Basic Questions Community Bankers Should Ask When Discussing Cyber Liability Protection 
Community banks are under heightened regulatory pressure to safeguard their customers’ confidential data. Bank examiners are starting to focus attention on the bank’s cyber liability insurance policy, security breach expense coverages and security breach contingency plans. According to the NetDiligence 2015 Cyber Claims Study, nearly 20% of reported breaches occurred within the financial services sector.

Having a properly structured cyber liability and breach response expense insurance policy has never been more crucial given the increased risk exposure and various policy forms in the marketplace. These policies are not only written to cover entities, but also directors and officers. Below are 20 basic questions bankers should be asking when discussing cyber liability policy protection:

  1. What is our cyber liability policy limit and retention? Should the bank and board of directors be named in a security breach liability claim? Does this limit include defense cost, settlements and judgments?
  2. Is the cyber liability policy limit and retention in line with banks of our asset size, electronic banking capabilities and board room sensitivity to cyber liability risk exposure?  
  3. Will a paid cyber liability, electronic publishing or security breach expense claim erode the aggregate directors and officers liability policy limit for that policy period? Conversely, will a paid directors and officers claim erode the cyber liability limit?
  4. Do we have coverage for a cyber liability claim when the claim is brought forth by a regulatory authority? If so, is the limit the same as the liability limit? Is regulatory coverage defense cost only, or does it also provide coverage for fines, penalties, judgments and settlements?
  5. Given that the two key players after a security breach are general counsel and a forensic evidence specialist, would the expense of a forensic evidence specialist be covered? If so, is this limit shared with other expense limits and/or the liability limit?
  6. What is the expense limit if we are ordered to provide customer notifications after a security breach? Does this expense limit cover voluntary notifications?
  7. What is the expense limit to provide credit monitoring and ID monitoring for all affected individuals?  
  8. What expense limit do we have if we need to hire a public relations firm to help restore our bank’s reputation in our trade territory after we have suffered a breach? Is this limit shared with any other expense limits?
  9. Are the expense limits in questions number five, six, seven and eight shared?  Do the expense limits also share limits with the cyber liability limit in question number one?  
  10. If our bank did have a cyber liability claim, would the insurer choose our defense counsel? Or would the bank choose defense counsel with insurer approval?
  11. What exclusions could come into play that could prevent a cyber liability or breach response expense claim from being paid?
  12. What types of data losses are covered by the policy? Is non-electronic data, such as paper files, covered?
  13. If a third-party vendor with which we have a written agreement were to suffer a security breach, and bank customers brought a liability claim against any insured, would we have defense and liability coverage?
  14. Do we have coverage for electronic publishing of material via our website or social media? Other than trademark and copyright infringement, defamation, disparagement, libel, slander, plagiarism and false advertising, what other exposures are covered under electronic publishing liability?
  15. Does the cyber liability insurer offer a cyber risk management website that can assist with IT policies and procedures, latest security breach threats, risk assessment tools, etc.?
  16. Does the policy provide for a call center for affected individuals to contact after a data breach? If so, what services are included at this call center?
  17. Does the insurer have prearranged agreements in place with companies that can assist in providing notifications, credit report and ID monitoring?
  18. Does the policy provide coverage for loss of business income and extra expense due to system interruption? If so, what is the limit, deductible and waiting period?
  19. Does the cyber liability policy provide payment or expenses for cyber threats or cyber extortion?
  20. What is the insurer’s track record of assisting its insureds with data breaches? How many data breaches has it been involved in?
Cyber liability risks and the policies that cover them are changing at a fast pace. Education is key; understanding how your policy reacts to today’s cyber threats is critical. You don’t want to discover at the time of a breach that the cyber liability policy that was purchased does not provide sufficient coverage.
If you are interested in finding out more about MBIS or the products available, please contact Jeff Otteson at 608-217-5219 / jeffo@mbisllc.com or Adam Dawson at 952-857-2604 / adamd@mbisllc.com.