Fracas Over Insurance on $2.4m Bank Breach – My Take

In the last several weeks I heard from many of you about a Virginia bank breach and the response from their insurer, ABA/Everest. The concerns are real. Let’s see if we can add some light to the heat.

Here is the original post.

I have done some research. I have looked at policy forms by ABA/Everest and other insurers. I have talked with a few people who have some knowledge of the event and claim. I do not pretend to have all the details. This was not a client, and obviously, ABA/Everest is not going to share the intimate details with me. I have not contacted the bank.

That said, I do have an opinion and some recommendations.

First, this is not what most insurance people would call a “cyber claim.” Generally, when insurance people are talking about cyber policies, they mean Cyber Liability Insurance.

The cyber liability policy is protection against lawsuits brought against the bank. The policy also usually covers the cost to mitigate a data breach and minimize the impact a data breach has on customers.

There is no coverage for actual loss of bank funds in a Cyber Liability Insurance policy.

For any loss of bank funds caused by fraud, we almost always go to the financial institutions bond, AKA “The Bond.” About fifteen years ago I started calling this particular policy the “Fraud-Bond” in an attempt to put a coverage descriptor in the name of the policy.

Every fraud-bond has a coverage section for computer fraud. Most insurers have a separate coverage section for debit card fraud. A loss is either a debit card loss or a computer fraud loss.

From the information I have, the Virginia loss revolves around the misuse of debit cards.

Based on what I see here, all insurers would have excluded this loss from the computer fraud section of the fraud-bond coverage. They would then provide coverage in the debit card section (though not all bank insurers offer debit card coverage).

I have long recommended that banks consider debit card coverage. In my review of a bank’s insurance, I have been suggesting coverage from $250,000 to $500,000, depending on the size of the bank. These limits were based on claims my clients had experienced as well as peer group data. The recommendations were also colored by my perception of the exposures. I have not seen a $200,000 debit card loss in over ten years. Most losses are $500 to $3,000 – well under a bank’s bond deductible (almost always over $50,000).

I saw debit card loss as an issue of frequency and not severity. A $3,000 loss is best prevented by risk management and technological solutions, as I would often say to my clients. I would then flippantly follow up with a comment about how debit card losses are a cost of being in the banking business. My clients all agreed with me and we moved on in our conversations to matters considered more weighty.

Clearly, I was suffering from a lack of imagination. My clients were similarly afflicted, as insurers have been. A loss of $2.4 million is clearly possible.

I don’t see the facts (as I know them) as a commentary on, or a warning about, ABA/Everest’s coverage or approach to bank insurance. I think similar results would be seen from all (certainly most) bank insurers. As I said, some insurers do not offer debit card coverage at all. With such a policy there would be zero paid on this claim as I understand it.

Based on the info I have (which is admittedly limited), the issue is the amount of debit card coverage purchased by this bank. Most banks have a similar issue of low limits – certainly all the banks that followed my advice do.

Now the fix… Contact your insurance agent and request a quote for additional debit card coverage. Ask for at least half the amount of coverage you buy for computer fraud. I now see $1,000,000 as a minimum debit card limit.

I have only just come up with this recommendation so I’m not sure how insurers will respond. My recollection is that many insurers only offer $500,000 of coverage. So we might not be able to find the newly considered higher limits. If enough banks are asking for higher limits, my hope is that insurers will respond by providing higher limits.

There is also a stand-alone debit card policy in the marketplace, the bank card protector, offered by Chartis insurance through Frates Insurance. The most recent marketing info I have is that they will also only offer $500,000 of coverage. Their position may change as the demand increases.

So, there you have it. I have no problem with what I see from ABA/Everest here. I think they responded as most insurers would. We were thinking the exposures were relatively minor – the bad guys figured out how to exploit a weakness and got big dollars. We now know we should be thinking about bigger limits. Let’s see how insurers respond.

If you have questions or comments, send me an email. Let’s talk. Scott@ScottSimmonds.com.

Note: Now might be the right time for a review (or an update of a past review) of your bank’s insurance. Learn what you really have for coverage from an unbiased perspective. Contact me to start a conversation.