You may not know it but wrestling is considered to be the oldest competitive sport on the planet. It reportedly shows up on cave drawings dating back to 3,000 BC and in the Olympics around 708 BC. That is certainly an old sport, if not the oldest.
Today we focus on how community bank technology teams are always wrestling with hackers who are working to take them down. Hackers seem to constantly find new ways to break into computer systems, so countermeasures are constantly evolving. This is an evolutionary cage match and neither hacker nor banker shows any signs of slowing down.
You can do your best to keep up with the latest, greatest, and most secure protective measures, but no matter how good, they aren't perfect. The blunt fact is that most banks will someday be hacked, so cyber risk insurance may be something to think about.
Unfortunately, cyber risk insurance policies aren't standardized, and the market is changing rapidly. Insurers don't even agree on what a policy should cover, what might trigger coverage, or even the definitions of basic policy terms. As a result, the coverage of one issuer might be very different from that of another. You'll need to carefully review the options, consider your needs and budget before you buy a policy.
As with all insurance, the first stop is figuring out what coverage you need. Most cyber risk issuers offer roughly 10 kinds of coverage, though they may label them differently. Across the market, options include coverage for forensic investigation, online defamation, business interruption, recovery expenses, data loss and restoration, cyber extortion, and improper electronic transfer of funds, to name a few. Not every bank needs (or can get) all of these types of coverage, so choose carefully but prudently.
Once you've selected your policies, make sure they work together, as cyber insurance can overlap with other types of insurance. That can surface the question of which policy is primary when things hit the fan, as well as how losses should be allocated between multiple policies, what deductible a bank might pay on a claim, reporting requirements, and which policy governs the choice of and payment to an attorney or other vendor.
Keep a particularly keen eye out for the differences and potential overlaps between cyber insurance and coverage for directors and officers, errors and commissions, commercial general liability, fiduciary liability and other insurance coverage. You may discover that one of these policy types already covers one or more of your cyber coverage needs. If you still elect to buy coverage that fills both overlapping and standalone concerns, you will need to be clear on which coverage is primary, so you're not someday caught between two insurer and any necessary payments to be made.
Last but not least, determine whether a prospective cyber risk policy includes the insurance company's duty to defend your bank. That characteristic is more common than not and at first glance it seems like a good thing. You might be glad to have an insurance company go to bat for you -- or you might prefer to control any defense. Decide now and purchase accordingly.
