By Katie Kuehner-Hebert
As criminals find new ways to defraud banks, and as federal regulators have raised the bar to ensure banks are protecting themselves, their customers and shareholders, network liability insurance for banks has become more important.
Network liability policies have been in place for more than a decade, but have become more popular as criminals hack into computer systems and obtain personal information about customers, plunder their accounts, or get their hands on a loan officer's laptop or smart phone.
"Having all the security measures in place doesn't stop you from being hacked -- Sony, Symantec, RSA, had incidents involving lots of information," said David Hallstrom, director of NetProtect, a suite of network protection insurance products offered by CNA Financial Corp. in Chicago.
"The key is to try to stay one step ahead of the 'bad guy' through security systems, but even then, there might be a glitch -- someone might have forgotten to do something. Human errors always play a big role."
Hallstrom points to an incident at JPMorgan Chase & Co. several years ago, in which a back-up computer tape containing information on 900,000 customers "just disappeared." The company still had to notify customers about the incident, even though there had been no data breach.
CNA's cyberliability insurance products are designed to work with any corporate or personal information in the bank's possession, even paper documents or portable devices, he said.
The policy can reimburse the insured for notification costs, and the carrier can hire specialized firms who are familiar with the specifics of the various state notification laws.
Some states require direct notification for unencrypted information, others for encrypted information only; some require it if the notification costs exceed $250,000, and some for just $5,000. If the thresholds are not met, then banks need only issue a press release or post information about the breach on their website.
CNA's product, like those of other carriers, also protects banks for revenue loss and expenses incurred in the case of a "denial-of-service" attack, in which hackers purposely shut down a bank's system.
George Allport, vice president and financial fidelity product manager with Chubb Group of Insurance Cos. in Warren, N.J., said that criminals are also reaching customers through "spear phishing" exploits, particularly commercial customers.
"These fraudsters know how to use social media and develop a significant amount of information on different individuals," Allport said. "Then they make themselves sound like they are the CEO of a bank's customer, or they get enough information on the CEO, so they can send an email to the treasurer of the company, saying 'I need to wire a million dollars to a new vendor in Shanghai, please send me our online banking information.'"
Or they send the treasurer emails posing as the CEO -- having learned information about them on Facebook or LinkedIn -- and ask "How is your new baby grandson, Joey? Btw, we need to wire a million dollars to this vendor, please take care of it."
Retail customers are generally protected against such losses, but businesses aren't, he said. It can be a "very gray area" as to whether banks have the responsibility to indemnify customers for those losses.
It is very fact-specific as to whether a bank fulfilled its duties providing proper security to the customer, and whether the loss happened purely because the customer didn't secure their information effectively, Allport said.
Banks may submit a claim under a computer crime policy or under the computer crime coverage of a cyberpolicy, and the best course of action is for the banks to "help train the customer on what to do, but it's not usually a requirement under the bank's insurance policy," Allport said.
Network liability policies also now insure against mobile banking exposures and other emerging technologies, said Steve Bridges, senior vice president with Aon Risk Solutions' Financial Services Group in Chicago.
"All of these devices are additional points of access and potential failures," Bridges said. "Part of our job is to make sure our clients think about these things and as new access points are developed, that our policies cover exposures presented by new technologies."
Federal agencies have published guidance that expands how banks should be addressing network threats.
The Federal Financial Institutions Examination Council's guidance on the proper authentication for the Internet, which went into effect Jan. 1, is an update of guidance originally published in 2005.
Guidance from the Securities and Exchange Commission, published last October, pertains to publicly traded companies that register with the agency, including banks.
"The SEC wants to see whether banks are indicating in their financial reports for this quarter that they are addressing a potential computer attack, that they have considered potential financial losses that could be created by such an attack, and that they have prepared for that," said Peter Foster, executive vice president, Willis National Resource -- Privacy, Network Security and E&O in Boston.
Banks should not only be listing risks of disruption to their network, but also what financial instruments -- insurance included -- they are using in order to protect shareholders, he said.
Due to the success of plaintiffs against banks in data breach lawsuits, banks also have to factor in litigation expenses in addition to the cost of sending out notices and offering credit monitoring, said Bob Parisi, senior vice president at Marsh in New York.
In Krottner v. Starbucks Corp., the 9th U.S. Circuit Court of Appeals ruled in 2010 that the case could proceed despite the fact that the plaintiffs, current and former Starbucks employees, had not suffered material harm from a breach that had occurred when a laptop with employee data was stolen.
"Prior to that case, the general rule was that plaintiffs had to show actual harm or imminent harm," Parisi said. But the court ruled that "plaintiffs shouldn't have to prove that, it should be enough that their potential risk of harm had increased."
"So you went from having to show something was actually about to happen to the likelihood that something increased even infinitesimally," he said. "That gave plaintiffs the ability to survive through the motion process."
In more recent cases plaintiffs are demanding damages for emotional stress, and the time and "sweat equity" it took to subsequently monitor their credit, Parisi said.
These plaintiffs are basing their claim on a law that requires identity thieves to provide restitution to their victims, and the plaintiffs are quantifying their time and effort to protect themselves as part of that restitution.
About a half dozen carriers offer cyberliability insurance specifically for financial institutions.
Liberty International Underwriters, the Boston-based insurer, had offered such policies on an excess basis, but in February launched a trio of primary products, LIU Tech Insure, LIU Data Insure, and LIU DataPro Insure.
The most common security weakness for many clients is the lack of follow-up on employee awareness training on what types of data need to be protected and employee responsibilities in handling that data, said Oliver Brew, vice president of Miscellaneous Professional Liability, Privacy and Technology E&O at the Liberty Mutual subsidiary's New York office.
Insurers like to see a two-step security process for customers to log onto an online banking site, including having customers register the computer they typically use to access the site, Hallstrom said.
This step reduces the incidence of data breaches by thieves who have user names and passwords. In fact, a third of breaches tend to occur at places like accounting firms, which possess their clients' bank account information -- including user names and passwords.
Larger banks have very robust security policies, and brokers advise smaller banks on the latest threats and how the banks can best protect themselves, said Meredith Schnur, senior vice president of Wells Fargo Insurance Service's Professional Risk Group in New York.
"Do you have an incident response plan in place? How prepared are you for a breach? What resources do you have if a breach occurs? Do you know who to call? The better prepared you are, the easier it's going to be to mitigate your loss both to your bottom line and from a reputation standpoint," Schnur said.
Banks should also check whether service providers that hold customer information on the bank's behalf indemnify the bank for any losses related to a computer attack or programming error, Foster said.
"Banks should also require their vendors have appropriate risk management policies in place -- not just buying insurance, but identifying where losses come about and making sure the right policies and procedures are in place," he said.
KATIE KUEHNER-HEBERT, a freelance writer based in California, has more than two decades of journalism experience.
April 13, 2012
Copyright © 2012 LRP Publications