A significant number of financial institutions have been victimized in recent months and years. Among those publicly acknowledging breaches were J.P. Morgan Chase, Bank of America, Citigroup, Sovereign Bank and Royal Bank of Scotland (RBS). Numerous smaller institutions have also been targeted by hackers and phishers.
Total Bank (Miami, FL)
In July 2014, the bank notified 72,500 customers that their account information was potentially exposed after an unauthorized third party gained access to the bank’s computer network. Information obtained by this unauthorized third party included names, addresses, account numbers, account balances, Social Security numbers and driver’s license numbers. The bank is offering 12 months of free credit monitoring services to those who were affected.
St. Mary’s Bank (Manchester, NH)
A malware infestation was first detected on the computer of one of the employees of St. Mary’s Bank on May 26, 2013. A computer security consultancy was called in to analyze the breach. It found that 23 workstations at the bank were hijacked by the malware. The bank notified 115,775 customers in New Hampshire about the security breach.
Belmont Savings Bank (Boston, MA)
The bank agreed to pay a fine of $7,500 related to a consumer data breach case with the Massachusetts attorney general’s office. In May 2011, a bank employee left a backup tape on a desk rather than storing it. A cleaning crew disposed of the tape later that night. Names, Social Security numbers and account numbers were exposed. The tape contained the personal information of over 13,000 customers, but is believed to have been incinerated after disposal along with other sensitive materials from Belmont Savings Bank.
According to a 2013 study from cyber risk and data breach service provider NetDiligence, the average cost of a data breach is $307 per record, which includes notification costs, credit monitoring services, public relations expenses, forensics, regulatory fines and penalties, call center services, liability arising from customer lawsuits, and so on. Other studies, such as the Ponemon Institute’s 2014 Annual Cost of a Data Breach Study, show that the per capita cost of a data breach for financial institutions is $206 versus an overall all-industry mean of $145 per record. Many of the costs of a data breach can be transferred to an insurance policy.
However, there is little measurable data on the lost value of one’s brand after a breach. An organization may suffer reputational damage that causes its stock price to plummet, which is a loss in shareholder value, or it may lose a significant number of customers. The aftershocks following a data breach can be particularly catastrophic for a financial institution. Financial institutions are built on the trust that they will safeguard their customers’ financial wellbeing in addition to confidential account information. The 2014 Ponemon study points out that one of the top two industries to have customer churn following a breach is the financial sector. The study also shows that U.S. companies have the highest lost business costs of any country, with an average of $3.3 million. Those lost business costs are calculated by “abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill.”
To help combat that loss of brand value and customer churn, new cyber insurance products – mostly available in the Lloyd’s of London marketplace – have started to tackle this risk directly. There are now policies that include “brand” or “reputation” damage coverage. In short, here is how this coverage would work:
This coverage is particularly intriguing for financial institutions, as they are held to a higher standard for protecting their customers’ information given their role in protecting their money. In the event of a data breach, banks and other financial institutions will likely lose customers that will no longer do business with the firm because they have lost trust in the company. Imagine if a financial institution lost its largest borrower or customer as a result of a data breach. Would the company be able to survive a catastrophic event?
In the absence of – or in addition to – the participation of an insurance solution, organizations can take other steps to try to reduce their reputational exposure. Understanding what information they hold and what it means is an important first step. They should prepare for the worst-case scenario as well as realistic scenarios; there should be a plan ready to roll out quickly in the event of a data breach. The organization should utilize a team with different skill sets to formulate its plans, and then speak with one voice. Organizations should consider only talking about the situation after seeking the assistance of a public relations expert. Being transparent and honest about the circumstances is also critical. These data breaches are going to happen; how organizations handle them will determine how they are viewed by their customers going forward.
As a specialty broker, we can help you place even the most challenging cyber liability risks. AmWINS brokers have access to a variety of proprietary tools and resources to assist with marketing, negotiating coverage and providing the best insurance solutions in addition to claim advocacy. Add that to our unmatched market access and superior customer service, and we are well prepared to serve the needs of retail agents and their clients.
This article was authored by Joe Catalano of AmWINS Brokerage of Illinois. Joe is a member of AmWINS’ national Financial Services Practice.
Legal Disclaimer. Views expressed here do not constitute legal advice. The information contained herein is for general guidance of matter only and not for the purpose of providing legal advice. Discussion of insurance policy language is descriptive only. Every policy has different policy language. Coverage afforded under any insurance policy issued is subject to individual policy terms and conditions. Please refer to your policy for the actual language.
(c) 2017 AmWINS Group, Inc.