Western Independent Banker - September/October 2008 - (Page 28)

By Kevin Rankin Shopping for Cyber Insurance TODAY’S COMMUNITY BANKS are increasingly dependent on a wide variety of new technological applications. Relying solely on an old-school Banker’s Blanket Bond or a general liability policy to protect against the risks associated with an increasingly on-line world could be a mistake. Conventional insurance coverages were designed to cover “tangible” property such as money or securities from traditional perils such as robbery or fire. The loss of confidential customer data stored on the CEO’s laptop or in the bank’s computer network is considered “intangible” property and typically would be excluded from traditional insurance coverages. Banking has moved beyond the physical walls of the vault or safe deposit box and into an everevolving virtual world where identities could be stolen or vital records damaged from a wide range of computer-generated perils. While data breaches at national institutions generate more publicity, community banks are not immune to hackers and data loss. In January 2008, a gang of international cyber criminals hacked into a $1 billion Texas bank’s network and stole account numbers, which they used to create new accounts and PINs and withdraw cash from ATMs in Eastern Europe. In June 2007, a $160 million Texas bank lost confidential data on 4,000 customers when an employee’s laptop computer was stolen during a car theft. In November 2007, a laptop with customers’ personal information and bank account numbers was stolen from a $500 million California bank. In June 2008, a northern Indiana bank had to replace all their ATM cards after cyberthieves accessed a weakness in the bank’s computer system and took customer names and social security numbers. tomer information stored off-line on the bank’s network. • If your bank is the victim of a breach, notifying customers is expensive and time-consuming. Cyber policies should cover voluntary notification costs as well as those compelled by “duty to notify” laws such as California’s SB 1386, usually with no or low deductibles. Your policy should also cover the costs of hiring a public relations firm to recover the bank’s reputation and to provide credit monitoring services for affected customers. • Make sure the policy covers privacy resulting from the theft or loss of removable media such as bank-owned laptops, PDAs, or other forms of portable storage. • With its Web site, the bank’s internal systems are “borderless” and claims can originate from anywhere in the world. Be sure the cyber policy covers thirdparty claims that can occur worldwide. • The policy should include a full policy limit for regulatory defense coverage for actions brought by regulators. “Duty to defend” policies are desirable because cyber-insurers are typically experienced in privacy regulation and computer forensics. • Your customers may rely on your services or network to conduct their business. The bank could be liable to thirdparty claims if its system infects customers’ networks or prevents them from conducting business. Protect yourself. Ask your insurance agent to review your overall insurance program to determine if there are gaps in coverage. In the evolving world of e-commerce, banks should work closely with their agent to put the right coverage in place. Kevin Rankin is an underwriter with Scarborough in Chicago. He can be reached at 312-381-3769 or Kevin_ Rankin@ scarboroughins.com. Additionally, traditional policies usually will not offer reimbursement for the costs associated with notifying customers that their personal information was compromised. This notification requirement is now a law in 39 states. Kroll, Inc., a leading risk consulting company, estimates the cost of a breach to be $197 per compromised record. To address these computer generated exposures, the insurance industry has developed a variety of cyber insurance products. But these products vary greatly and buyers should consider which best fits their bank’s needs. In general, buyers should consider the following: • Banks have a custodial duty to protect their customers’ confidential information. Ensure your policy covers privacy injury resulting from unauthorized use or disclosure of all private information in the bank’s custody. There should be coverage not only for e-commerce and the bank’s Web site, but also for cus- To address these computer generated exposures, the insurance industry has developed a variety of cyber insurance products. But these products vary greatly and buyers should consider which best fits their bank’s needs. 28 www.wib.org Western Independent Banker http://www.wib.org

Table of Contents Feed for the Digital Edition of Western Independent Banker - September/October 2008

Western Independent Banker - September/October 2008 Contents A Message from the President & CEO What To Do When Good Employees Go Bad! Remote Deposit Capture: What’s Your Target Market? Remote Deposit Capture: Lessons Learned Debit Decoupling: Part of Larger Merchant Funding Trend Debit at the Speed of Life: A Look at Debit Technologies on the Rise ID Theft Rule: Automating the Compliance Process Lose Paper and Gain Audit Trails Data Loss Prevention: A New Package on an Old Idea Securing Data in Transit Margin Management: Get in the Driver’s Seat Shopping for Cyber Insurance WIB Service Corporation Report WIB Calendar Welcome New Members Index to Advertisers advertiser.com

Western Independent Banker - September/October 2008

For optimal viewing of this digital publication, please enable JavaScript and then refresh the page. If you would like to try to load the digital publication without using Flash Player detection, please click here.