Jack Henry & Associates : A Wake-Up Call – The Changing Landscape of Cyber Insurance for Financial Institutions

An Observation

As the Business Continuity Strategy Manager for the Gladiator division of Jack Henry & Associates, I work with many financial institutions (FIs) to develop, test, and execute protocols in the event of an unplanned outage. For the last few years, the focus of most FIs has been on planning and testing incident response plans (IRPs) for cyberattacks.

A key element in mitigating a cyberattack is knowing what is covered - and not covered - in the FI's cyber insurance policy. Through our exercises, FIs are put in a position to examine their cyber policy, and in many cases they are surprised that their coverage falls short in protecting them in today's environment. Some policies are based on an add-on, or endorsement, to an existing policy. This includes fraud policies and general commercial liability insurance, which covers bodily injuries and property damage resulting from an institution's products and services or operations. These types of policies do not address all of the costs you could potentially incur from an actual breach.

When FIs address this with their carriers, they're made aware of changes required for a more protective policy. And because policies are reassessed every 12 months, they could incur additional changes or restrictions. It's clear that the cyber insurance landscape is undergoing drastic changes based on the elevated risk factors associated with handling a breach.

Higher Cyber Insurance Costs

FIs should be prepared to pay higher premiums and higher deductibles, along with exclusionary policy "outs." There will also be liability limitations and clauses on the cost paid out for certain elements of the policy - for example, breach event, cyber extortion, or business interruption.

According to the Government Accountability Office, insurance brokers saw an increase in pricing from 10%- 30% in late 2020 alone. The increases are a result of higher expenses and uncertainty associated with attack mitigation and recovery due to the rapid increase of ransomware and other cyberattack vectors. The most important thing an FI can do to lower premiums is to demonstrate higher security practices and tested IRPs.

Qualification Criteria

Insurance providers may have tougher demands related to an FI's layers of defense in its cyber protection plan before they agree to insure the institution. Below are some possible qualification criteria. The institution:

• Must not have any related cyber claims in the last three years.
• Must have multifactor authentication (MFA) in place to secure all remote access to its network.
• Must have Endpoint Detection and Response (EDR) software installed.
• Must have a data backup solution that is physically disconnected from its network, or a backup solution that is segregated with MFA access control.
• Must be able to restore essential functions within three days in the event of a widespread malware or ransomware attack.
• Must pass a vulnerability scan of its network.

These are just a few of the qualifying criteria; they vary based on the carrier.

Stand-Alone Cyber Insurance Policies

In most cases, an FI will have to acquire a stand-alone cyber insurance policy instead of adding an endorsement to an existing policy. The stand-alone policy should consist of both first- and third-party coverage.

• First-party coverage: This covers expenses incurred by the FI as a direct result of an attack. Examples include reimbursable expenses for forensic investigation, monetary losses from network downtime or business disruption, system repair, data recovery, extortion money (in cases involving ransomware), the cost of protecting the organization's reputation from media or public backlash, and the cost of notifying affected customers.

• Third-party coverage: This covers expenses involved in defending the organization against lawsuits. Examples include legal fees from claims alleging liability resulting from a security breach or privacy breach, including failure to safeguard electronic or non-electronic confidential information or failure to prevent virus attacks, denial-of-service attacks, or the transmission of malicious code from an insured computer system to the computer system of a third party. Also included in this category are regulatory fines and penalties.

Next Steps

There are several steps an FI can take to evaluate its cyber insurance position:

• Do the research to understand the total true costs associated with dealing with a cyberattack. Some of the costs are legal, PR, forensics, notification, credit monitoring, call center, data restoration, regulatory fines, business interruption, cyber extortion, and lawsuits.
• Review your current cyber insurance policy to determine if the costs you would incur from an attack are covered.
• Determine if your policy contains both first- and third-party coverage.
• Check with your current insurance provider (once you assess your policy) to see what changes are required on your end to ensure you have the proper coverage.

We can all agree that cyber insurance is part of the mitigation strategy to offset costs and provide stability after an attack. Let this serve as a wake-up call to ensure that the coverage you have is what you need for protection in today's ever-changing cyber landscape.

Learn moreabout cyber liability insurance offerings from Jack Henry.