grown less likely to include — and often explicitly exclude — cybersecurity coverage in their general liability policies. The fallout can be disastrous if a policy doesn’t provide the coverage needed after a cyberattack.

Cybercriminals are also becoming more sophisticated and aggressive. Even if they can’t penetrate the systems a company has put in place to prevent cybersecurity incidents, they may be able to access data and systems through a third party. Due to this threat, businesses in the banking sector need to ensure that all vendors, partners, subcontractors and others who have access to internal digital resources also have proper cybersecurity management efforts in place.

Proper Insurance Is Essential (and Sometimes Overlooked) in Cybersecurity Risk Management Plans

In addition to changes in coverage and exclusions, increases in cybersecurity incidents, costs and demand for cybersecurity insurance have led insurers to increase premiums, lower policy limits and implement more extensive underwriting procedures for cybersecurity coverage. Insurers have also implemented ongoing requirements for policyholders related to cybersecurity management and training. If you are not meeting the requirements of your policy, coverage could be denied in the event of a cyberattack.

When obtaining insurance or reviewing the terms of policies in effect, businesses in the banking sector should consider these issues:

• First- and Third-Party Coverage: Policies may include coverage for first parties — the insured — and third parties — the policyholder’s clients, partners or others impacted by a breach.
• Data Recovery and Retrieval: In addition to providing for data recovery, ideally, a policy should also ensure that data is retrieved and removed from unauthorized sources outside of your organization.
• Geographic Restrictions: Some policies do not cover incidents that originate outside of the U.S., or they may implement other geographic restrictions.
• Litigation Coverage: Cybersecurity insurance policies may or may not include a duty to defend.
• Notice and Consent: A policy may require notice to the insurer within a specific timeframe after the insured becomes aware of the event. They may also include consent provisions stating the insurer must approve related expenditures in advance.
• Approved Counsel and Vendors: An insurer may require policyholders to use approved vendors, including legal counsel. Insureds might have the option to request that a specific attorney or law firm be approved or to share in decision-making related to approved vendors.
• Policy Exclusions: In addition to other possible exclusions, insurers may add a provision that negates coverage in the event a cyberattack is caused by employee error, hardware or software issues, or other matters the policyholder is responsible for mitigating under the policy’s terms.

This is not an exhaustive list of the policy provisions and exclusions that can impact cybersecurity insurance coverage. Performing a policy review with an attorney or other professional who is knowledgeable about cybersecurity and insurance matters can help businesses in the banking industry ensure coverage meets their needs and will provide for a full recovery in the event of an attack.

Mitigating Third-Party Risks to Cybersecurity in the Banking Industry

Even with the most extensive cybersecurity risk management plan in place, third-party partners and service providers with access to your company’s data and systems can become a “backdoor” for cybercriminals. Therefore, mitigating cybersecurity risks in the banking industry requires ensuring data is protected and breaches are covered if a third-party vendor experiences a cyberattack. Before engaging with a new partner or vendor, request disclosure of information related to cybersecurity prevention and insurance coverage, and review it for potential weaknesses.
The responsibilities of each party can be outlined in a contract or service-level agreement to better protect both entities. It is also recommended to keep a list of all third parties with access to business data and systems, categorizing them by their level of access to sensitive data. Access should be limited to only what is required for the third party to perform their duties, and companies can establish rules for interactions between employees and third parties. Some businesses even create a vendor management policy (VMP) that delineates best practices.

Practice Defensive Driving for Cybersecurity in the Banking Industry

Just as it is when navigating traffic, construction and potholes on West Virginia’s highways, complacency creates unnecessary risks related to cybersecurity in the banking industry. Insurance coverage issues and third-party perils can be avoided with proactive and ongoing efforts. Keep scanning the road ahead for hazards and stay alert at the wheel!

Randall Saunders is a partner and Jonah Samples is a senior associate at Nelson Mullins Riley & Scarborough LLP in Huntington, West Virginia. They practice cybersecurity, technology and banking law, among other areas. Randy and Jonah will speak on preventive cybersecurity at the 130th WVBankers Annual Convention, July 28-31, 2024.

22 West Virginia Banker