OFFICIAL PUBLICATION OF THE MONTANA INDEPENDENT BANKERS ASSOCIATION

Pub. 12 2024 Issue 1

The Role of Your Insurance Partner in the Event of a Cyber Incident

We all have faced this dilemma. I have a small “ding” in my car. Should I file a claim with my insurance company or not? If I file a claim, will I see a significant premium increase at my next renewal?

Cyber Insurance is Different

Let us take a ransomware situation as an example. Your bank receives an email from badguy@yahoo.com. The email states that your bank’s servers have been compromised and encrypted, and unless you pay a $2 million ransom in Bitcoin within 48 hours, private and confidential customer data will be released, and the ransom will double.

Under your bank’s cyber insurance policy, this is known as a first-party cyber event (as opposed to a third-party event, which means a third party is suing you), and you need to notify your agent and insurer immediately.

Engage Your Carrier and Its Experts

Your insurance company is skilled in dealing with ransomware and cyber breach events and has partnered with vendors with expertise in dealing with your organization’s specific threat.

Notify Your Carrier’s Cyber Claims Unit

Your insurance carrier will have a dedicated cyber claims line, staffed 24/7, to respond to cyber incidents. Be sure your incident response team has access to your carrier’s cyber claims contact information.

First Steps

Your carrier will immediately appoint a Breach Counsel or Project Manager to oversee the cyber event. Shortly thereafter, your Breach Counsel will convene a scoping call with the appropriate representatives of your organization to review the extent of the damage, whether data was compromised, where the attack originated, the status of your backups, the ransom demand and other relevant factors. Typically, you would want to include your head of IT, one or more key decision-makers such as your bank President, CEO, or COO, and a customer liaison representative.

Next Steps

After the scoping call, your Breach Counsel will consult with their industry experts. These firms are skilled and experienced in dealing with all types of threat intelligence, including the type your bank is facing. These experts will validate whether the threat is real and determine what diagnostic or corrective actions need to be implemented. The fraudsters want to use time against you and will use a variety of pressure tactics to push you to make a hurried, reactive decision. Your carrier is familiar with these tactics and will advise you accordingly.

To Pay or Not To Pay

Your board and senior management should discuss ahead of any ransomware incident whether the bank will pay a ransomware demand. One factor to consider is that all organizations are prohibited from paying individuals or entities on the OFAC SDN List. But what about fraudsters that are not on that list?

With viable backups allowing the bank to restore its systems and recover its data, insureds are encouraged not to pay. A ransomware incident involving encrypted data will trigger the need to notify customers of a potential breach whether or not you pay a ransom to the bad actors. Plus, not all fraudsters will provide decryption keys after a ransom is paid, thus opening the door for repeated monetary demands even if you pay the initial demand.

What Expenses Are Covered by Cyber Insurance?

Not all cyber policies are the same, so your bank should review its policy carefully. Many of the following expenses may be covered (subject to the policy retention or deductible):

  • Attorney costs to determine obligations under breach notice laws.
  • Computer security expert and forensic investigator costs to determine the extent of the suspected breach.
  • Costs to notify impacted individuals.
  • Credit monitoring expenses.
  • Call center services.
  • Data recovery costs.
  • Ransomware payments.
  • Business income loss/extra expenses.
  • Reputation loss.
  • Regulatory defense expenses.

Best Practices To Prevent a Ransomware Attack

The following are tools to strengthen your bank’s protection against a ransomware attack:

  1. Reduce Authentication Risk: Consider implementing the following to lower the risk of compromised credentials across network users:
    • Stronger minimum password length requirements for network users. Non-administrative users should have 14-character minimum complex passwords, and administrative-level users should have password requirements of at least 24 characters.
    • Multi-factor authentication (MFA). At a minimum, privileged accounts, such as network administrators, should be required to authenticate with MFA. The wider the deployment of MFA throughout your institution, the better.
    • Credential management tool. With the ever-increasing number of credentials that users must manage, consider a credential management tool to improve the strength of passwords and reduce your users’ reused passwords.
  2. Implement with Least Permission: Restrict each user's permissions to only what the duties of the job require, so that a compromised account gives an attacker as little network access as possible.
  3. Increase Network Visibility: Implement Security Information and Event Management (SIEM) for faster analysis during a crisis. In addition, implement an Endpoint Detection and Response (EDR) or Managed Detection and Response (MDR) platform to monitor the network 24/7 for suspicious activity and to isolate endpoints with potential threats. Such tools will dramatically reduce the response time to an incident and stop an unpleasant situation from worsening.
  4. Employee Education: The end-user is the most vulnerable aspect of network security, so regular training on phishing, security threats and incident response protocols is essential to protecting your bank against bad actors and limiting potential damage.
  5. Additional tools: Use VPN technology for remote access, make sure your patch management is timely and utilize offline, air-gapped backups.
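One way to put the two-tier password length recommendation above (14 characters for standard users, 24 for administrators) into effect on a Windows domain is with Active Directory fine-grained password policies. The script below is an added example, not the article's or the agency's own material; it assumes the ActiveDirectory PowerShell module and two existing security groups with the placeholder names "Standard-Users" and "Tier0-Admins", and "jdoe" is a placeholder account used only for the verification step.

```powershell
# Added example: enforce the article's tiered minimum password lengths with
# AD fine-grained password policies (PSOs). Group names are placeholders.
Import-Module ActiveDirectory

# A lower Precedence value wins when a user falls under more than one PSO,
# so an administrator who is also in "Standard-Users" still gets the
# stricter 24-character policy.
New-ADFineGrainedPasswordPolicy -Name "PSO-Admin-24" -Precedence 10 `
    -MinPasswordLength 24 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
    -LockoutDuration (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false

New-ADFineGrainedPasswordPolicy -Name "PSO-Standard-14" -Precedence 20 `
    -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -LockoutThreshold 10 -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
    -LockoutDuration (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false

# Bind each policy to the group whose members it should govern.
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-Admin-24"    -Subjects "Tier0-Admins"
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-Standard-14" -Subjects "Standard-Users"

# Verify the policy that actually applies to an account (resultant PSO), which
# is what an auditor or examiner will ask for.
Get-ADUserResultantPasswordPolicy -Identity "jdoe" |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, LockoutThreshold
```

If the last command returns nothing, the account is not covered by any PSO and falls back to the default domain password policy, so the tiered minimums are not in effect for it.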

Review Your Cyber Insurance Protection Annually

Your bank’s cyber risk is rapidly changing and evolving, and you should be reviewing your cyber insurance protection at least annually to determine if the coverage and limits continue to meet your bank’s exposures and needs.

Note: All products and services represented on this page are not insured by the FDIC or any other federal government agency, are not deposits of or guaranteed by the Bank or any Bank affiliate and may lose value.

United Bankers’ Agency, the insurance division of UBB, can help you find the best cyber insurance plan for your community bank’s needs. To request pricing and additional information, visit www.ubbinsurance.com or contact Tim Henry at tim.henry@ubb.com.
