OFFICIAL PUBLICATION OF THE WEST VIRGINIA BANKERS ASSOCIATION

Purchase Ad Space

Pub. 15 2024 Issue 2

ISSUE HOMEPAGE

Cybersecurity in the Banking Industry

Check Your Blind Spots

Picture of By Randall Saunders, Partner, and Jonah Samples, Senior Associate, Nelson Mullins Riley & Scarborough LLP

By Randall Saunders, Partner, and Jonah Samples, Senior Associate, Nelson Mullins Riley & Scarborough LLP

Even the most responsible driver can be caught unaware by an accident if they fail to check their blind spots when operating a vehicle. Technology like lane assist features can help, but may also create risk when people become too reliant on it. The same is true when it comes to cybersecurity. A company’s cybersecurity risk management plan will probably include the critical basics, like IT protocols and employee training. Still, when it comes to cybersecurity in the banking industry, oversights related to insurance and third-party risks can blindside businesses.

Turn Off Autopilot for Cybersecurity in the Banking Industry

Data breaches are becoming more common and costly. In 2023, there were 744 data compromises in the U.S. financial services industry, a drastic increase over the 138 breaches reported in 2020. Globally, the average cost of a single data breach in the financial sector in 2023 was nearly $6 million.

Mitigating cybersecurity risks in the banking industry has become more challenging. Meanwhile, insurers have grown less likely to include — and often explicitly exclude — cybersecurity coverage in their general liability policies. The fallout can be disastrous if a policy doesn’t provide the coverage needed after a cyberattack.

Cybercriminals are also becoming more sophisticated and aggressive. Even if they can’t penetrate the systems a company has put in place to prevent cybersecurity incidents, they may be able to access data and systems through a third party. Due to this threat, businesses in the banking sector need to ensure that all vendors, partners, subcontractors and others who have access to internal digital resources also have proper cybersecurity management efforts in place.

Proper Insurance Is Essential (and Sometimes Overlooked) in Cybersecurity Risk Management Plans

In addition to changes in coverage and exclusions, increases in cybersecurity incidents, costs and demand for cybersecurity insurance have led insurers to increase premiums, lower policy limits and implement more extensive underwriting procedures for cybersecurity coverage. Insurers have also implemented ongoing requirements for policyholders related to cybersecurity management and training. If you are not meeting the requirements of your policy, coverage could be denied in the event of a cyberattack.

When obtaining insurance or reviewing the terms of policies in effect, businesses in the banking sector should consider these issues:

  • First- and Third-Party Coverage: Policies may include coverage for first parties — the insured — and third parties — the policyholder’s clients, partners or others impacted by a breach.
  • Data Recovery and Retrieval: In addition to providing for data recovery, ideally, a policy should also ensure that data is retrieved and removed from unauthorized sources outside of your organization.
  • Geographic Restrictions: Some policies do not cover incidents that originate outside of the U.S., or they may implement other geographic restrictions.
  • Litigation Coverage: Cybersecurity insurance policies may or may not include a duty to defend.
  • Notice and Consent: A policy may require notice to the insurer within a specific timeframe after the insured becomes aware of the event. They may also include consent provisions stating the insurer must approve related expenditures in advance.
  • Approved Counsel and Vendors: An insurer may require policyholders to use approved vendors, including legal counsel. Insureds might have the option to request that a specific attorney or law firm be approved or to share in decision-making related to approved vendors.
  • Policy Exclusions: In addition to other possible exclusions, insurers may add a provision that negates coverage in the event a cyberattack is caused by employee error, hardware or software issues, or other matters the policyholder is responsible for mitigating under the policy’s terms.

This is not an exhaustive list of the policy provisions and exclusions that can impact cybersecurity insurance coverage. Performing a policy review with an attorney or other professional who is knowledgeable about cybersecurity and insurance matters can help businesses in the banking industry ensure coverage meets their needs and will provide for a full recovery in the event of an attack.

Mitigating Third-Party Risks to Cybersecurity in the Banking Industry

Even with the most extensive cybersecurity risk management plan in place, third-party partners and service providers with access to your company’s data and systems can become a “backdoor” for cybercriminals. Therefore, mitigating cybersecurity risks in the banking industry requires ensuring data is protected and breaches are covered if a third-party vendor experiences a cyberattack.

Before engaging with a new partner or vendor, request disclosure of information related to cybersecurity prevention and insurance coverage, and review it for potential weaknesses. The responsibilities of each party can be outlined in a contract or service-level agreement to protect both entities better.

It is also recommended to keep a list of all third parties with access to business data and systems, categorizing them by the level of access to sensitive data. Access should be limited to only what is required for the third party to perform their duties, and companies can establish rules for interactions between employees and third parties. Some businesses even create a vendor management policy (VMP) that delineates best practices.

Practice Defensive Driving for Cybersecurity in the Banking Industry

Just as it is when navigating traffic, construction and potholes on West Virginia’s highways, complacency creates unnecessary risks related to cybersecurity in the banking industry. Insurance coverage issues and third-party perils can be avoided with proactive and ongoing efforts. Keep scanning the road ahead for hazards and stay alert at the wheel!

Randall Saunders is a partner and Jonah Samples is a senior associate at Nelson Mullins Riley & Scarborough LLP in Huntington, West Virginia. They practice cybersecurity, technology and banking law, among other areas. Randy and Jonah will speak on preventive cybersecurity at the 130th WVBankers Annual Convention, July 28-31, 2024.

Get Social and Share!

Sign Up to Receive this Publication in your inbox

More In This Issue

Navigation

West Virginia Banker Association logo

3601 MacCorkle Avenue,
SE – Suite 100
Charleston, West Virginia 25304
Phone: 304.343.8838
Fax: 304.343.9749

the-newslink-group-logo

4049 South Highland Dr.
Holladay, UT 84124
Phone: 801.676.9722
Fax: 801.742.5806

Copyright © 2024 West Virginia Banker Magazine

Created and Managed by The newsLINK Group LLC

Privacy Policy