What's the best way to hedge your bets against the inevitable attack?
According to a May presentation by Mary Jo White, chair of the U.S. Securities and Exchange Commission, cybersecurity is the biggest risk facing the financial system. This pronouncement came on the heels of an $81 million cyber theft from the Bangladesh central bank.
This risk is not an abstract one—not something credit unions merely read about in the news. According to Jim Hunt, staff underwriting specialist at Madison, Wis.-based insurer CUNA Mutual Group, a CUES Supplier member and strategic provider, if a credit union’s systems haven’t been breached, they probably will be soon. In fact, any security CUs may feel is probably illusory.
“I hate to say it, but if you haven’t been hacked, you probably don’t realize that you have,” he says. “Seven in 10 companies that have been breached are told that they’ve been breached by an outside party. They don’t discover it themselves.”
That’s why cyber-related insurance coverage is one of the fastest-growing and fastest-changing areas in the insurance world right now. This type of insurance isn’t yet required of credit unions by law, but Mary Dunn, an attorney at CU Counsel, PLLC, a credit union law firm in Washington, D.C., says that may change soon.
Dunn says the Financial Services Sector Coordinating Council and National Credit Union Administration have both released a great deal of guidance on the topic, and recent statements from the Federal Reserve Board of Governors hint that new regulations may be in the wings.
From the insurer’s standpoint, cyber risk is a multifaceted problem. Carriers are still trying to figure out how to price related coverage. With many other types of risk, underwriters have a lot of history to base their pricing on, but cyber exposures are still new and evolving.
“If a hacker gets in and they access 10 records vs. 100 thousand records, if they access public vs. nonpublic information, if they access accounts and passwords, these are all very different types of events,” says Jeff Chesky, president/CEO of Insuritas, an East Windsor, Conn., insurance agency outsourcing firm for financial institutions. “It’s a very, very complex risk to underwrite. So we’re watching the carriers working very hard to design policies and price them to help the credit unions manage their cyber risk. The exposure for cyber risk is only going to get bigger and more complicated in the years ahead.”
On the other hand, one thing about cyber risk is dead simple: It has little or nothing to do with physical location.
“With cyber theft, the need is everywhere,” Chesky says. “It’s not as though if you’re a bank operating in New York City, you get a heightened exposure. You could be a credit union in North Dakota, and if you’ve got 100,000 customers there, you’ve got a server farm, and you’ve got passwords and security authentication, you’re just as target-rich as the credit union that’s based in New York City.”
Coverage by Category
Hunt says the very first priority when it comes to cybersecurity insurance should be security breach liability. It falls under the category of management liability, but it’s a special type.
“Liability is if you get sued because of what happened,” he explains. “A member, or more than one member, will sue you because [they think] you should have taken more precautions with their data. That’s why security breach liability is there.”
A close second is security breach expenses—the cost of doing forensics, sending letters to your members to explain what happened, and so on.
“When I have a data breach as a credit union, I have to do some investigation,” says Gulfport, Miss.-based independent insurance expert Scott Simmonds, CPCU, ARM, CMC. “Say I learned today that I had a data breach this morning. I have to figure out what the guy did when he got in there. How many names did he access? What did he download? Did he get credit card information? Did he get Social Security numbers? What did he get? So there’s an expense in that.”
CUs also have to notify members of the breach, as designated by credit union regulation and state and federal law. “We call that mitigation expense, and that also is a part of most cyber liability policies,” Simmonds says.
And then there are a variety of other exposures most credit unions wouldn’t automatically think about—related to public relations, re-programming computers and rebuilding networks, loss of business income, re-issuing of plastic cards, and protection against extortion threats and ransomware (code that is planted by bad actors, who threaten to activate it and lock up the system unless a certain amount is paid).
Confused? Chesky says it’s simplest to look at cyber security coverage in terms of two components: the costs of responding to the intrusion, and rehabilitation costs. The latter, unexpectedly, can be a much bigger deal.
“That’s what most people worry about in their coverages; they want to be sure their coverages provide an adequate dollar amount to help people monitor their credit for some extended period of time to see if there are any bad acts being perpetrated by someone hacking their nonpublic information,” he says. “Typically, that will include providing a year’s membership in Lifelock (Tempe, Ariz.) or (one of the other identification verification services), so you get real-time feedback if someone’s trying to buy appliances in Russia. So that’s another cost, and typically the policy will cover either a certain dollar amount or a certain service level.”
That kind of risk is easy to put a number on. Not so the risk to credit unions’ good name.
“The carriers struggle with pricing reputation risk,” Chesky says. “What is the impact on the credit union—not only the direct impact to the members that have had their data hacked, but what’s the impact on the recognition of the credit union as it tries to survive?
“People may pull their deposits and say, ‘I’ve got to go to a place that’s safer.’ That’s reputation risk, and it’s very early in the business of underwriting it when it comes to cyber risk. But it will get more mature over the next several years.”
Buying a Business Backstop
Currently, there are two ways to purchase cyber policies: as a standalone policy, or as part of the credit union’s management and professional liability policy. CUNA Mutual sells the former, Hunt says, and that’s also what he advocates personally.
“Well, I’m a little prejudiced, but there are reasons for it,” he laughs. “If you have the standalone cyber policy, the limits aren’t eroded by any other claims. But if you have cyber included in your management and professional liability package, you have an aggregate limit, which can be eroded by another claim, such as an E&O (errors and omissions) claim or a fiduciary liability claim. If something like that happens, you might not have anything left for your cyber.”
Dunn says a CU’s choice of policy may vary depending on how it does business.
“Every institution may have a different need for coverage, even institutions of the same size, because it’s going to depend on their operations,” she explains. “For example, if you’re doing most of your transactions online, if you’re allowing members to apply for loans and credit cards online, you’re going to have one level of need for insurance vs. somebody who doesn’t offer the full range of services online.”
Hunt says, by and large, cyber theft policies are affordable. But that’s almost beside the point, since he says credit unions can’t afford to go without cyber coverage. Anyway, it’s part of just about every standard package underwritten for credit unions these days.
At this point, insurers aren’t asking for credit unions to demonstrate a certain level of cybersecurity in order to be insurable. The institutions just provide the carrier with their name, assets, and membership information. There’s no field audit, no penetration testing, before the insurers deliver the pricing.
“The reason for that is because the insurance carriers know that the credit unions are already fairly highly regulated,” Chesky says. “And they know that they’re all using third-party vendors to manage their online banking sites. If they’re partnering with a Jack Henry or a Fiserv, those companies are big public companies that have got a lot of expertise to manage cyber risk that the internal people at a credit union wouldn’t have.
“Now, I wouldn’t be surprised if down the road the underwriters would be looking for certain things that may allow them to price more appropriately. I wouldn’t be surprised if down the road they look at practices and say, ‘This practice means you’ll pay a lower price because your ecosystem is more secure,’ or ‘this practice is more risky, so you’ll pay more.’”
What should CUs do to hedge their bets against these future developments (not to mention the threat of being hacked)? The answer is basic due diligence: Ask third-party vendors to deliver coverage pages showing that they have adequate levels of cyber theft insurance in force. Keep training current. Talk with insurers’ risk management departments and understand best practices. And, above all, encrypt all data, both in storage and in transit.
“That’s expensive, and we realize that,” Hunt says. “But in many states, the laws are such that if you encrypt, you have done what is expected. If you don’t encrypt, the state will say, ‘Hey, why wouldn’t you have taken these reasonable measures?’ There, you’re subject to having somebody sue you.”
No Shame in a Claim
Should the worst happen—and the odds are that it will—credit unions need to file a claim with the insurer, describing what has been hacked and what actions are being taken. It’s important not to delay. Even three or four days can make a difference.
“What needs to be done is to contact the insurance company as soon as possible,” Hunt says. “As soon as we get that call, we have third-party vendors that we use that will help mitigate that claim and do forensics to see what has been corrupted in your system, if anything, as well as what personal and identifiable information has been taken, and how much.”
Why is this information important? CUs will send it to members who are directly affected by the breach, or to every member, in accordance with agency regulations and state and federal laws. Sending it only to affected members when possible will help reduce reputation damage.
But the clock is ticking: The time limits for notifying affected parties vary by state, so if a credit union has members in 40 states, it will have to meet 40 deadlines.
“You have to have a lot of knowledge and have a lot of partners to work with to get this done quickly,” Hunt emphasizes. “You get the proper notice out to the members who have been hacked. Let them know what is available for them and what the credit union will be doing.”
Insurance will cover these notifications, but the clock starts ticking as soon as someone at the credit union knows about the incident. So take the information seriously, pass it along, and get the process moving. While being the victim of cyber crime can and does affect the CU’s reputation, the other side of the coin is that it literally happens to everyone. In short: It is a common risk that must be addressed, and insurers are getting better and better at dealing with it.
Insuring Against Active Shooter Events
Much like cyber theft, the phenomenon of “active shooters” is on the rise, and credit unions aren’t exempt.
“Active shooter incidents have increased tremendously, about 24 percent, since 2000,” says Jim Hunt, staff underwriting specialist at Madison, Wisconsin-based insurer CUNA Mutual Group, a CUES Supplier member and strategic provider. “Unfortunately, most of the active shooter incidents are at places (malls, schools) where the public congregates. We have not seen, thank goodness, increases in active shooters in credit unions. The only active shooter that would specifically go after a credit union would maybe be a disgruntled employee, or a significant other of a credit union employee. Thankfully, becoming an active shooter has not been a reaction to date” from a disgruntled member.
Nevertheless, it could happen, and CUs would be remiss not to protect themselves, their employees, and their members. They can do so by creating policies and procedures and by undergoing regular training.
No major insurer offers anything explicitly called active shooter insurance but, the good news is, the exposures associated with such an incident should be covered under the policies a conscientious CU already carries.
Gulfport, Miss.-based independent insurance expert Scott Simmonds, CPCU, ARM, CMC, says employee injuries that result from active shooter situations are covered under the institution’s standard lines of insurance—through the worker’s compensation policy. In most states, he says, that would include treatment for emotional trauma. If members are injured, that’s part of the CU’s standard lines of insurance, too; it would be covered under general liability.
If members feel the credit union was in some way responsible or did not do enough to prevent the incident, they may choose to sue the institution. In that case, Hunt says, management and professional liability coverage would respond.
“That’s what we suggest, and what 98 percent of credit unions have,” he says. “Anybody can sue for anything. Management and professional liability insurance protects the credit union in the event that that’s what they want to do.”
Bullet holes in walls, computers, and other CU property would be covered by the property insurance policy, Simmonds says.
Hunt says it’s not so much a matter of seeking out a set of policies that covers these eventualities. They should be covered. But he says credit unions should be vigilant that exposures from active shooter incidents are not excluded in the fine print.
“It would be a rare policy that doesn’t cover it,” he says. “Most of those policies start off broadly. But every policy has exclusions. The only policy that doesn’t is worker’s compensation, because it’s mandated by the states.”
Jamie Swedberg is a freelance writer based in Georgia.