Cybersecurity should be a foundational element of any community bank, but do you really need to be insured for it—especially as premiums rise? We spoke to experts to learn more about this type of insurance.
By Elizabeth Judd
The ingenuity of cyber threats is increasing rapidly. So is the price of the premiums that community banks are paying for cybersecurity insurance.
Cyber criminals focus on two things, says Jared Gentile, cyber lead for the financial institutions group at Travelers Insurance. “They’re financially motivated, and they’re constantly looking to modify the methods they use to perpetrate their attacks.”
Cyber insurance has been the go-to answer, but now, some bankers are balking at rising premiums.
For the first quarter of 2023, cyber insurance premiums increased by an average of 8.4%, according to the Council of Insurance Agents & Brokers (CIAB). This is far less than the 15.0% average hike in the last quarter of 2022, but it’s still a hefty sum.
These premiums have left many community bankers feeling stuck between a rock (hacking threats) and a hard place (skyrocketing payouts).
While high premiums may be painful, most community bankers find paying preferable to the alternative: the financial, reputational, and regulatory damage of an attack.
As premium costs rise, however, it’s important to make sure your policy covers the range of threats out there, so you get the proper help in the event of a catastrophe.
Emerging cyber threats to community banks
New threats range from escalations of traditional ransomware attacks (see sidebar) and phishing scams enabled by AI to third-party exposure and “bricking.”
Travelers, for instance, has added coverage for bricking, the term for an attack in which “bad actors are able to damage equipment to the point where it can no longer be used … and becomes about as useful as a brick,” says Gentile.
While traditional cyber policies cover the costs of data restoration and notifying customers that a breach occurred, bricking provisions can cover the replacement of equipment that is now useless, he says.
Another potential threat stems from phishing attacks enabled by bad actors using AI to steal identities. ChatGPT and other generative AI tools have given criminals the ability to convincingly mimic speech patterns and other identifying information.
Finally, an area of growing concern is cyberattacks striking third-party vendors critical to a community bank’s operations.
Sean Gremillion, senior vice president of underwriting at Resilience, an IT consultant, recommends vendor interruption coverage to help community banks pay for problems stemming from a third-party vendor finding itself under attack.
A virtuous cycle
Cyber insurance policies don’t just provide financial assistance for new types of emerging threats. They also help community banks strengthen their own cybersecurity efforts.
Like joining a gym or signing up for an adult education course, taking action brings its own benefits. For community banks, acquiring cyber insurance makes an institution less likely to fall prey to hackers or other bad actors.
“Buying cyber insurance makes you a better risk, because the insurance companies aren’t going to indemnify you unless they have a degree of confidence you’re doing the right things,” says David Anderson, vice president, cyber liability, at Woodruff Sawyer, a brokerage and consulting firm.
“The cyber insurance underwriting process is extremely detailed and makes sure that all your ducks are in a row,” he explains. Insurance providers also coach community banks on the latest threats.
And when a community bank does fall prey to a cyberattack, Travelers and other insurance carriers are “able to coordinate and engage and employ lawyers, forensic accountants, data restoration experts and PR advisories—within hours,” says Gentile.
Travelers also engages in “betterment,” the insurance industry’s term for improving a bank’s systems to prevent future attacks.
“After a claim,” says Gentile, “if a bank still has information security vulnerabilities or an infrastructure issue, we want to partner with them to help reduce the financial burden of making those improvements, with the mutual goal of reducing the threat of a future attack.”
As the insurer-customer relationship evolves, community bankers are finding that their cyber-insurance agent is not only selling protection against known threats. It has become a partner that can help ward off future threats.
“Threat actors are looking for known vulnerabilities in your systems,” Gentile concludes. “But so are we.”
Ransomware: how a threat can morph
One reason why the price tag for ransomware attacks is so difficult to calculate? No one knows how large a ransom demand will be.
According to David Anderson, vice president, cyber liability, at Woodruff Sawyer, financial institutions possess extremely valuable information and so the ransoms are typically quite high. “You’re looking at ransom demands that will be made in the low seven figures and then paid in the six figures,” he says.
Historically, some banks have refused to pay ransoms, trusting in their backups and their ability to restore their own systems. However, that may need to change.
“Threat actors have begun saying, ‘We have everyone’s information,’” notes Anderson. “‘If you don’t pay the ransom, we’re going to publish it all over the dark web, we’ll sell it to criminal operations, and customers will immediately start experiencing identity theft and other losses.’”
“The ransomware threat,” he says, “just continues to get more horrific.”