Many banks and credit unions are now requiring cyber insurance for borrowers seeking loans. This applies to many loan types including asset-based loans, lines of credit, and acquisition financing for private equity firms. When cyber insurance fails to fully cover the cost of a cyber incident, credit unions may be left without protection.
The need for cyber insurance is clear. The cost of cyber-attacks is climbing, and the impact can be devastating for small and medium businesses and financial institutions. According to IBM’s Cost of a Data Breach Report, the average cost of a data breach reached $4.45M per incident in 2023.
The impact on businesses and financial institutions suffering from a cyber-attack can be devastating:
- 93% of companies that lost their data center for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster. 50% of businesses that found themselves without data management for this same time period filed for bankruptcy immediately. (National Archives & Records Administration in Washington)
- 94% of companies suffering a catastrophic data loss do not survive – 43% never reopen and 51% close within two years. (University of Texas)
- 7 out of 10 small firms that experience a major data loss go out of business within a year. (DTI/PricewaterhouseCoopers)
- 43% of cyber-attacks target SMBs
- 50% of SMBs suffered a cyberattack in the past 12 months
It is not surprising then that credit unions and banks are requiring cyber insurance to protect themselves from this risk, and that their regulators are in turn requiring it for them. However, it’s important to note that cyber insurance does not always provide the protection one might expect, and there are holes that can leave credit unions at risk.
Cyber insurance mandates
To manage cyber risk, insurance companies require policyholders to attest to a nine-point cybersecurity plan.
These mandates are designed to minimize exposure for cyber-insurance companies by providing higher levels of security for organizations purchasing cyber-insurance. Higher levels of security also benefit policyholders by reducing the risk of attacks.
Despite these mandates, cyber insurance often fails to meet the needs of the policyholder. Companies struggle to obtain insurance, premiums continue to rise, exclusions limit coverage from critical attacks, and high rates of denied claims leave policyholders bearing much of the cost of cyberattacks.
As a result, credit unions are left exposed to a greater risk of businesses defaulting on loans.
Shortcomings in insurance coverage
Businesses are finding it more challenging to get cyber insurance and insurance rates are climbing rapidly. According to the Delinea State of Cyber Insurance Report, it took more than six months to get cyber insurance for 7% of companies, and 67% of companies reported increases in cyber insurance rates of 50% to 100%. Worse still, 28% of small companies were denied coverage and were unable to even obtain cyber insurance. For those with insurance, the number of exclusions continues to grow.
Insurers write exclusions into policies to manage their own exposure. Often, these exclusions concern gray areas where carriers cannot accurately predict risk. Unfortunately, what is excluded is often where policyholders most need protection.
According to the Delinea report, cyber insurance coverage could be void because of:
- Omissions and errors
- Lack of security protocols
- Companies failing to follow compliance procedures
- Human error including misconfiguration or lost cell phone/laptop
- Internal bad actors
- Acts of war
- Acts of terrorism
- Not reporting incidents to insurance companies first
Any of these exclusions can result in a claim being denied outright or paid only in part.
Finally, should an organization be hit with a cyber-attack, cyber insurance rarely pays for all associated costs. For example, many policies won’t pay for incident response, communication costs for public relations, or crisis response.
The combination of non-payment or partial payment on claims, and excluded costs, can be onerous. The impact of the cyber-attack, coupled with partial coverage by cyber insurance, leaves many businesses struggling to survive.
Incident response could result in denied claims
When a cyber-incident occurs and a company files an insurance claim, the insurance company will bring in outside security experts as part of the incident response process. The goal of the incident response team is to determine the cause of the cyber incident.
This is a standard practice to help the organization improve its cyber posture. By finding the root cause, the problem can be mitigated to ensure hackers cannot exploit the same weakness in the future.
This root cause analysis also allows the insurance company to determine if cyber-insurance mandates are being followed. If mandates are not followed, insurance companies may deny the claim or reduce the payout.
Automation with continuous monitoring is the solution to cyber-insurance risk management. Unlike the risks covered by traditional insurance lines, corporate computing infrastructure is dynamic. New applications are installed and updated, devices are added or moved, and new services are enabled on a regular basis. Any of these changes can dramatically alter the organization’s risk profile.
Automated cyber-insurance compliance provides significant benefits to cyber insurance providers and policyholders alike, including:
- Ensuring precise premiums based on actual cyber-risk data
- Eliminating the need to fill out and process questionnaires, which have grown to as much as 50 pages
- Ensuring accurate data is provided to insurance companies
- Eliminating claim denials due to mismatched expectations
- Eliminating claim denials due to failure to follow security policies
- Improving the security of policyholders’ infrastructure by providing actionable information on the vulnerabilities discovered
If one is at risk, all are at risk
Cyber-insurance claims may be denied if a company’s network is not in compliance with insurance company mandates when an attack occurs. Maintaining compliance is challenging. Corporate networks are highly dynamic. Devices are continuously added or moved, new applications are installed, software is patched, users change passwords and configurations, and other changes occur almost constantly.
Without continuous monitoring and assessment of security against cyber-insurance requirements, organizations remain at risk of large financial losses. Some companies will be forced to default on loans and may face bankruptcy. Ultimately, credit unions will be left holding the bag.