Is Cyber Liability Insurance Worth It?

There’s no doubt about it – we are firmly cemented in the Digital Age. And in this age, where data breaches and cyberattacks are as prevalent as mobile banking and contactless payments, credit unions find themselves at a crossroads. With our deep-rooted commitment to the security of our members’ information and the trust of our communities, one question looms large – is cyber liability insurance really worth it?

Let’s consider the cybersecurity landscape for a moment. Based on statistics from our partners at DefenseStorm, a credit union has the potential to encounter around 90 million cyber threats in a single day. And from those threats, we can see that both frequency of attacks and the costs associated with them continue to grow. Their data shows that cybersecurity breaches have increased 17 percent year-over-year since 2021, and the average cost of a single data breach has now reached approximately $4.5 million.

Then there is the added challenge of artificial intelligence (AI) and its role in cyber schemes. This particular topic has become a major part of cybersecurity discussions among international governments, as well as cyber insurance providers. In fact, the potential threats that AI poses, among the uptick in attacks in general, are changing the way insurance companies are performing their underwriting process to account for both proactive and reactive policies – not just proactive. That’s because they know the incidence of a cyberattack coming is no longer just a possibility, but a certainty – a question of when, rather than if.

It’s proof positive that cyber threats are evolving and regulatory pressures on cybersecurity are mounting, making the decision to carry cyber insurance that much more important to your organization. It could truly mean the difference between safeguarding your institution’s reputation and facing significant financial, reputational and operational losses. With that in mind, let’s explore the complexities and foundational components that make cyber liability insurance a critical piece of your risk management infrastructure.

What is Cyber Liability Insurance?

Cyber liability insurance is a policy that provides financial and operational protections for businesses that experience a catastrophic cyber event. According to a 2020 Cyber Claims Study by NetDiligence, a cyber risk readiness and response company, the four types of cyberattacks that led to the most cyber liability claims included hacking, social engineering, business email compromise and ransomware – all of which we’ve seen plenty of in the financial industry.

Why Have It?

Think about the impact of any of those attacks – what would happen to your credit union? Would your bottom line and reputation take a hit? Would you face legal ramifications? The consequences could be extremely costly, and having cyber liability insurance is a way to not just ensure you have the resources to recover some, if not all your losses, but also provide peace of mind for your credit union and your members.

What Does It Cover?

As with any type of insurance, policies vary. But overall, cyber liability insurance can include coverage for:

• Financial Losses and Expenses – You might experience a loss of income due to business interruption or you could be subject to legal and/or regulatory proceedings following a cyberattack. Recouping those costs is a critical piece of this insurance.
• Response Actions – If a cyber incident occurs, there are many steps in the recovery process. Notifying members, providing credit monitoring services, regaining access to locked systems and ramping up public relations efforts are just a few of the things your credit union will need to do in response to the fallout.
• System and Data Recovery – In the event of a ransomware attack or data breach, you may have to pay for outside expertise to help your credit union regain access to your systems or restore data. These costs may be covered by cyber liability insurance.
• Crisis Management – Cyberattacks, and especially those that are member-facing or of a larger scale, require serious crisis management. Cyber liability insurance provides support for handling the public relations aspect of recovery, from media management to communications strategies.

What Questions Should You Be Asking?

It’s important to note that your credit union must do your due diligence when shopping cyber liability policies. Ask questions, do your research and know exactly what your policy will cover so you don’t uncover any additional roadblocks after a cyberattack has already happened. Good questions to ask might be:

• What costs are covered?
• How much will our premium be?
• How much is the deductible?
• What are important exclusions and limitations to note?
• What specific risks are covered and what are add-ons?
• Does the policy cover third-party liabilities?
• How does the policy address regulatory penalties?
• What support services are included?
• What does the claims process look like?
• Are there preconditions that must be met?

A Perfect Complement to Your Cybersecurity Program

Some of the criticisms of cyber liability insurance – and the reason your credit union may be questioning whether cyber liability insurance is really worth it – are costs and limitations. This type of insurance is known to be quite costly, especially as we’ve seen premiums go up rapidly in the past few years. The rise in costs is related, unsurprisingly, to the growing frequency of cyberattacks, which means more claims are being submitted and paid out. However, there is a way, at least to some degree, to offset your associated costs and your dependence upon cyber liability insurance, and it might be more straightforward than you think…having a robust cybersecurity program within your credit union.

It may seem like a no-brainer, but the more prepared and protected you can be from an internal standpoint, the more likely you are to have better options and lower premiums when searching for external cyber liability insurance. If your credit union dedicates effort, time and people to the implementation of a cybersecurity program that includes periodic risk assessments, consistent monitoring, clear and compliant policies and procedures, access controls, network security (such as firewalls, anti-virus software, patch management, etc.), data encryption and backups, incident response plans, security awareness training, vendor management and so on, your chances of experiencing a substantial cyber incident are less than institutions that do not. In addition, if you already have these defenses in place, you may not need to rely as heavily on your insurance policy to quickly recover, making exclusions and limitations less daunting.

Simply put, a strong cybersecurity program is a necessary foundation, and a cyber liability policy provides the perfect complement for well-rounded cyber protection.

Worth It or Not? Yes!

While there are many considerations when determining if your credit union should have cyber liability insurance, we believe the pros outweigh the cons. Yes, it is worth it to have that extra layer of protection in this Digital Age where cyberattacks only continue to increase. Yes, it is worth it to pay for a policy that can safeguard your credit union’s operations and reputation in the event of a cyber incident. If you’re sitting at this crossroads, it’s important to recognize that, combined with a strong cybersecurity program, cyber liability insurance is a key piece in upholding the integrity of your credit union’s overall risk management strategy.

John Cuneo works as the VP of information security for Vizo Financial Corporate Credit Union. In this role, he conducts incident response planning and testing, security awareness training and information security policy and procedure reviews. Mr. Cuneo also delivers tailored consulting services to credit unions, assisting them with their specific information security needs.

Erin Doan is the VP of administration for Vizo Financial. Her role involves oversight of administrative support services for the Corporate's president/CEO, board of directors, committee members and other executive staff. She's also responsible for developing and implementing diversity, equity and inclusion (DEI) and community involvement strategies and programs that foster an environment of inclusivity and collaboration amongst staff, business partners and natural person credit unions.