The threat to banks from a cyber attack has increased as access to malicious software has grown and bad actors have refined the sophistication with which they deploy their attacks. The pandemic-induced shift to remote work and increased electronic communications and commerce merely compounds the risk.
“There’s not a week that goes by that we are not getting calls from one of our community banks that may have suffered a breach of some nature,” said Kevin Christians, executive vice president of ICBM Insurance, which offers cyber insurance coverage in addition to property and casualty insurance, mortgage insurance, directors and officers liability insurance, and financial institution bonds — all custom-designed for community banks. Protecting the bank against a cyber attack can be complicated, he said, and requires a high level of expertise and experience.
“A breach can happen in a variety of ways,” Christians said; depending on the forensics surrounding the attack, insurance coverage may be triggered on different insurance policies the bank may have in effect at the time. “We spend a lot of time reviewing cyber policies to make sure the limits and coverages are adequate. Our goal and responsibility is to always put the bankers in a position to make an informed decision about their coverages.”
A key component of comprehensive cyber insurance protection, he said, is First Party Coverage.
Protecting home base
A cyber claim at one of the agency’s community banks shows how important First Party Coverage can be. It started when an HR employee downloaded resumes submitted for an open position at the bank. One of those resumes had malware attached to it. The same terminal was also used for ordering credit reports on customers. A loan officer using that terminal signed into the bank’s credit reporting agency site to secure a credit report on a customer, which provided the intruder with login credentials; those credentials were used extensively during the weekend that followed.
When a customer living in Indiana called the bank on Monday morning wondering why the bank had ordered a credit report on him, the bank knew it had been breached. “They brought in their IT person and their next call was to me,” Christians recounted.
Christians set his customer up with a breach coach (another name for a cyber attorney). The breach coach assisted the bank in drafting the appropriate notifications. In this case, customers in more than three dozen states had been impacted and the cyber regulations are different from state to state. The response team also set up a call-in center and credit monitoring, and they engaged a public relations firm to handle damage control.
Not a single customer brought legal action against the bank as a result of the breach, yet the response from the bank, “the breach coach, the forensics, the PR, the credit monitoring … cost between $150,000 and $200,000,” Christians said. “This is why First Party Coverage as part of a cyber policy is extremely important coverage to have for community banks.”
Christians characterized the breach as “small,” yet for a small community bank, a $200,000 hit leaves a bruise.
Examining cyber coverage
It’s not just banks being breached. Service providers are attacked regularly too, said Mike Johnson, a former banker who is the Honeywell/James J. Reiner Chair in Security Technologies at the University of Minnesota. The velocity and number of attacks are increasing, added Joel Williquette, senior vice president of operational risk policy for the Independent Community Bankers of America. “Community banks might have felt they were under the radar in the past, but in reality, everybody was just being attacked less.”
In this environment, an incident response plan is necessary, even mandated by auditors and regulators. Part of such a plan is determining who gets called first when a breach comes to light. All of the insurance companies ICBM Insurance represents have online immediate access/contact information as part of their cyber policy. Christians encouraged bankers to make that first call to him or his colleague Kevin Burr, senior vice president of ICBM Insurance, so they can provide guidance and assistance during the notification process. “A response is extremely time sensitive,” Christians said. “We vet all of our insurance companies to make sure carriers have negotiated contracts in place with the various firms that are needed when a cyber breach occurs at a community bank.”
Depending on the nature of the breach, a claim could be triggered on the bank’s financial institution bond (if there are financial losses) or with its D&O policy (if directors or officers are named in litigation) and the cyber policy. There’s “a lot done upfront” when crafting appropriate coverage, Christians explained, as “we include all state-of-the-art insurance coverage endorsements available to our customers’ policies. The third party liability coverage is embedded in the cyber policy to protect from third-party claims, and it does tie to the notification process as part of that coverage is regulatory defense coverage.”
When a breach occurs, the community bank is required to send notifications, depending on the forensics and circumstances. The notification must comply with the regulatory agency that oversees cyber activity in each state where an impacted person resides. Each state is different, and currently the Attorney General’s office and/or the FFIEC oversee cyber compliance. Compliance with those notifications, Christians said, is why access to a breach coach is critical for the community bank.
A cyber-attack preventative for banks, especially in this era of remote work, is multi-factor authentication. ICBM Insurance is involved in the Travelers Insurance National Advisory Council for community banks, Christians said. “We’re one of six or seven agencies in the country with a seat at that table,” he said. “Travelers, and rightfully so, has chosen to take an initiative dealing specifically with multi-factor authentication.”
Christians described multi-factor authentication as “something you know (username or password), something you have (text message or text-back requirement), and something you are (fingerprint or retina scan). Multi-factor authentication absolutely needs to be present on any remote network access, remote access to emails, and privileged administrative access into your network,” Christians advised. “Administrative access into the network is the area most overlooked.”
By bankers for bankers
“We’re talking to bankers every day and they’re being deluged with information on ransomware,” said Burr. “A cyber breach is a cyber breach, sure; but it’s different in a bank than it is in a grocery store.”
Both Burr and Christians are former bankers. Christians founded the agency a quarter century ago through the Community Bankers of Wisconsin. ICBM bought 70 percent of the agency 10 years ago and acquired the remaining piece when the CBW merged into the Wisconsin Bankers Association.
The idea was to bring community bankers a choice of companies when deciding on insurance. More valuable than choice, perhaps, are the insights and expertise the team brings to its craft. “The other part is that we are owned by the association,” Burr said. “Everything we do is to support community banking. We’re helping them exist.”
Not just exist, but thrive in an era where the window for bad actors seems to be opening wider each and every day. “The way we structure these policies is nowhere near what other people are looking at because we have the background and the knowledge that a lot of them don’t have,” Christians said. “You want to align yourself with someone who is going to be your advocate and be there when you have a problem. ICBM Insurance provides insurance to community banks and we do it very well.”