Cyber security: millions of dollars on the line

March 26, 2019
By Ray Birch

Feature cyber coverage

CUNA Mutual said that interest in cyber insurance is growing among credit unions of all sizes that see the need for the additional coverage to be fully protected against data breach expenses.

“Roughly half of all credit unions have cyber insurance today,” estimated Jay Isaacson, VP of P&C solutions at CUNA Mutual Group, which provides cyber coverage to credit unions. “I’d say that credit unions buy at a slightly higher rate than other types of businesses. Maybe not higher than other financial institutions. But it just makes sense as financial institutions hold choice data for hackers.”

Isaacson’s comments come shortly after the Federal Financial Institutions Examination Council (FFIEC), of which NCUA is a member, issued a joint statement on the potential need for cyber insurance as a component of risk-management programs.

Cyber coverage not required

The FFIEC noted its member regulatory institutions do not require financial institutions to maintain cyber insurance, but that “the evolving cyber insurance market and the shifting cyber threat landscape may, however, prompt financial institutions to consider whether cyber insurance would be an effective part of their overall risk management programs.”

The statement noted that cyber attacks are increasing in volume and sophistication and that traditional general liability insurance policies may not provide effective coverage for all potential exposures caused by cyber events.

“Cyber insurance could offset financial losses from a variety of exposures — including data breaches resulting in the loss of confidential information — that may not be covered by more traditional insurance policies,” the FFIEC said. “Financial institution management should assess the scope of coverage of current insurance and consider how cyber insurance may fit into the institution’s overall risk management framework.”

Isaacson said cyber insurance has undergone a rapid evolution but is still “young” in its coverage experience — 18 years.

“It was introduced in the early 2000s and it is very much evolving,” said Isaacson, referring to the growth of breaches and the shifting hacker attacks and strategies.

Costs associated with responding to a breach are driving discussions among credit unions, said Isaacson, who noted that expenses for any business hit by a breach can reach millions of dollars.

“The challenge is that no two breaches are exactly alike, which makes it difficult to draw overall comparisons,” said Isaacson about costs from breaches. “That said, breach activity is growing across all industries and credit unions have also seen this growth as well. Malware-related losses are becoming more prevalent, which can make the breach far more difficult to identify and subsequently remediate — and ransomware has become particularly troublesome of late. It is not unrealistic to say more significant cyber related losses, which could be insured under a credit union’s cyber policy, can run in the six- to seven-figure range. Other industries have seen losses significantly in excess of this.”

Two components

Cyber insurance coverage carries two key coverage components, according to Isaacson.

“There is the first-party element, coverage that addresses expenses associated with the breach response — for example, getting forensic experts in to determine the depth of the breach, what happened, what was impacted, and to make sure the breach is fully stopped and remediated,” said Isaacson. “That also includes expenses associated with getting the credit union, and its affected members, back up and running.”

There also is coverage for potential lawsuits.

“That is the third-party coverage, if the credit union is sued, say by a member, regarding a breach,” Isaacson noted.

Isaacson said that costs for the coverage are not prohibitive, even for smaller credit unions.

“The premium will vary by the size of the organization and the risk management practices it has,” explained Isaacson. “I would not describe it as an expensive coverage today, even for small credit unions. There are a number of small credit unions that purchase the coverage. It comes down to each organization has their own risk tolerances and preferences and they have to decide how they want to manage this risk, and if cyber insurance is the right fit for them.”

Despite the rising number of cyber attacks on all organizations, Isaacson said the costs for cyber coverage have remained fairly stable.

“Yes, over time there have been more cyber incidents that have triggered cyber insurance policies,” said Isaacson. “So we are in an environment in which breaches are becoming more frequent, which is causing carriers to step back and ask, ‘are we pricing in a right way.’ Some carriers may decide to increase prices, but by and large I’d say prices have not really jumped a great deal in the last 18 years.”

Risk tolerance

In addition to assessing the credit union’s own risk tolerance and whether or not a cyber policy fits within the organization’s risk management plan, Isaacson said the credit union should assess an insurance carrier’s ability to assist in the event of a breach.

“Insurance carriers have a fair amount of expertise relative to breaches,” said Isaacson. “I advise credit unions to leverage the expertise that comes with the insurance carriers and find those that have the right risk management capabilities. For example, having the right contacts makes an awfully big difference in the event of a breach — you can benefit not only from the carrier’s expertise but also if the carrier has a large Rolodex of contacts that can help you address the breach.”

Isaacson also explained that carriers typically offer coverage in two ways.

“Some carriers choose to put a dollar amount on the coverage, say a million dollars. Other carriers base it on the number of notified individuals — what is the cost to notify folks and have protection up to a certain number of members,” he explained. “I tend to favor the idea of a notification-based approach, just because if I am a credit union and I know I have this many members I know what the potential implications could be for me.”

This article originally appeared on
