In light of increasingly prevalent and highly publicized data breaches, the Federal Financial Institutions Examination Council (FFIEC) recommends that banks require commercial lending customers to have cyberinsurance to supplement existing risk management programs. The FFIEC’s statement isn’t a regulatory expectation, but it demonstrates the benefits of cyberinsurance as part of a financial institution’s overall risk management strategy.
While demand for cyberinsurance has been on the rise across all industries, few banks require their commercial lending customers to purchase it, perhaps due to the potential competitive repercussions of being the first to institute such an obligation. While banks intend to require their technology vendors be cyber insured, the idea of requiring the same of their customers is still relatively novel.
Yet there are several compelling reasons to require commercial lenders to carry cyberinsurance, as it could help offset financial losses from a variety of exposures, including data breaches resulting in the loss of confidential information, that may not be covered by more traditional insurance policies.
That said, requiring each commercial lending customer to carry cyberinsurance involves some considerations. For instance, how much limit should each customer be required to carry, and are there specific coverages that each customer’s policy must contain? As banks are not typically in the business of providing insurance advice and consultation, meeting this recommendation may prove challenging.
Also, if cyberinsurance is to be considered a requirement for a commercial loan, then the coverages contained in each policy need to properly reflect the exposures of that particular customer, not those of the bank. This can be especially difficult for small to midsized customers who may believe their business doesn’t have any cyber exposure and therefore don’t see the value in cyberinsurance. Finally, because there is no “one-size-fits-all” cyberinsurance model, an arbitrary, blanket insurance requirement may dissuade lending customers from doing business with that bank.
Many businesses share this sentiment, but we also know that cyber events can affect companies of all sizes, industries, and geographies. In fact, the 2017 Willis Towers Watson Cyber Risk Survey found that one in five companies has suffered a cyber breach in the last year. We also know that every company is exposed to cyber risk via human error. In fact, the human element remains an overwhelming cause of cyber risk with a staggering 58% of the claims included in Willis Towers Watson’s Claim Cost Index – 2017 directly attributable to employee negligence and/or malfeasance.
Even industry classes that were once considered low-hazard for cyber risk, such as manufacturing, transportation and logistics, are now reporting increased instances of malware and ransomware attacks, mostly enabled by employees who click on phishing links.
Moreover, cyber threats have evolved to encompass much more than just data breaches. The threat of an extended business interruption could be disastrous for many companies, as business models and processes have become increasingly network reliant. Despite this, many companies that have traditionally addressed their cyber risk via endorsements on property and general liability policies may be leaving their businesses exposed to gaps and restrictions in coverage because property and casualty insurers are now looking to restrict cyber event coverage.
If circumstances change and commercial lending customers are required to carry cyberinsurance, the move could provide additional protection for banks’ investments. As is often the case with governmental advisory opinions, today’s recommendation could become tomorrow’s expectation or requirement as banking regulations become more stringent and cybersecurity standards increase. Under such circumstances, banks could soon start feeling the financial impacts — and cyberinsurance could be one way to help alleviate some of the pain.
Alex Capra is an associate broker in the FINEX Cyber Liability Practice at Willis Towers Watson.