The vast majority of credit unions in the U.S. don't have adequate insurance coverage in the event of another online data breach.
Considering the recent number of high-profile data breaches, it is "amazing that today only about 20% of the credit unions out there have a cyber policy," said Jim Hunt, a staff underwriting specialist in CUNA Mutual Group's credit union protection area.
Indeed. The last 12 months have "completely changed the kind of coverage [financial institutions] are going to need, because if they were covered for [cyber insurance] under their bankers' liability policy beforehand, you can be sure that the insurers are looking to start excluding that from the coverage and forcing them to buy it as an add-on or stand-alone policy on a going forward basis," said Collin Hite, a partner with the Insurance Recovery Group at Hirschler Fleischer in Richmond, Va.
Hite said that while more traditional insurance policies for FIs may have "a modicum" of cyber protections tacked on to them, "it's going to have such low limits that if you don't go and really look at it to make sure it's a true cyber policy for your level of risk, it's probably not worth very much if it's just tacked on to the bigger program."
Hunt said that while the NCUA does not require credit unions to carry cyber insurance, the agency "is doing some testing in their audits."
"They're not requiring it," he noted. "But just by what they're doing in some of their audits you can tell that they're looking at getting some kind of procedure out there that says 'Here's what we require for cyber-type risk.' When that will come, who knows, but I think that's inevitable."
Industry experts note that the recent high-profile data breaches have also revealed a number of new areas of exposure that haven't historically been covered by credit unions' insurance policies.
"Cyber insurance coverage is still, in the broad scheme of things, a very new product," said Jake Olcott, a principal with Good Harbor Security Risk Management LLC. "The underwriters are still trying to work out the scope of coverage today and also write new policies to expand coverage in the future. We don't have thousands of years of history like we do about floods and fires and earthquakes. This is a completely different animal."
Even CUNA Mutual Group, which holds the lion's share of credit union insurance policies (it estimates it holds as much as 18% of the 20% of total credit unions covered with cyber insurance), has changed its coverage in recent years.
And though cyber insurance has existed in some form for the last 15 years, said Hunt, it has grown significantly in the last five years, with CUNA Mutual making revisions to its coverage in the last few years to include liability coverage for when a credit union is negligent, as well as first-party coverage for expenses that come out of the CU's pocket in the event of breaches like the one at Target late last year.
"What the insurers are trying to use in the new cyber policies is to make sure they're developing a product that actually covers the risks that cyber data breaches bring to the table," said Hite, noting that first- and third-party coverage can often be combined in cyber insurance policies in ways that it normally can't be in more traditional insurance offerings.
While CUNA Mutual estimated that as much as 80% of CUs may not be covered, many said that there is no particular asset class of institution that is more or less protected than others.
"It's just a matter of how sophisticated is the board of directors and how attuned to these issues they are and seeing it as a concern for them," said Hite. "It's really only in the last year or two that even the Fortune 1000 company C-suite executives started to look at cyber as a major risk for them and started taking it a lot more seriously."
One factor that may be just as important as whether or not an institution is insured, said Olcott, is whether its executives view cyber security as part of enterprise risk management.
"The bottom line is that a highly sophisticated attacker can successfully penetrate an enterprise network today. Period," he said. "There is no example of an iron-clad corporate enterprise or government network or anything like that. Even the NSA, which everybody thinks of as the most advanced and sophisticated enterprise in the world when it comes to security, lost 1.5 million documents. And they're pretty locked down."
Despite the higher profile threat in the last year, however, CUNA Mutual said that the cost of cyber insurance has not gone up.
"We've seen decreases in premiums as long as the credit union has the protections they need, such as encryption of data at rest and while working," said Hunt, adding other requirements such as hard-to-crack passwords and built-in protections on the CU's website.
Looking beyond CUNA Mutual at the larger world of insurance, Hite noted that the overall cost of cyber insurance is on the rise, "but the product in some respects is getting better" as insurers continue to test different products and tweak their underwriting criteria.
"Costs are starting to tweak up because Target maxed out their coverage," he said, adding that he suspects Home Depot likely maxed out its coverage or came very close to it. "That starts forcing underwriters and insurers to look at risk and price it more accordingly."
A Bigger Threat?
Every source interviewed for this story said that although data breaches at retailers had a bigger impact on CUs this year than breaches at the credit unions themselves, the possibility of being the victim of a breach is still a greater threat than fallout from a breach at a merchant.
"The hackers and the people out there, the malware, you name it - they'll go after the low-hanging fruit," said Hunt. "They don't care if they're for- or not-for-profit organizations. If they're easy to get to, they'll go after them."
Hunt's colleague at CUNA Mutual, Mike Hoover, noted that according to PrivacyRights.org there have been more than 240 data breaches reported so far this year, but "my guess is that the actual number of breaches is significantly higher."
Hoover said the numbers put forth by PrivacyRights.org are only a conservative estimate, because many states do not require breach reporting.
"There is clearly an effort underway to shift responsibility and financial burden [to the merchants] for those breach incidents," said Olcott. "It's impossible to prognosticate how those things will turn out, but I suspect that in the future those that were the source of harm are going to be the ones that end up shouldering most of the costs."
Olcott suggested that smaller institutions may soon be able to enter into arrangements wherein they buy down their own risk, purchasing insurance policies "that would pay a smaller premium that might cover them during a breach incident that affects a third party like a retailer. I can see a situation like this in the months and years ahead, for sure."
Are CUs Safer?
With the high profile cyber security has had in 2014, are credit unions actually any safer?
Probably not, say industry experts.
"This risk always existed," noted Olcott, "but people weren't always paying attention to it. Now everybody knows it's a problem and everybody is engaged in it, but it's definitely going to take a lot of time to get things to where everybody wants them to be."
CUNA Mutual's Hunt noted that even the White House computer system was hacked in October, "so I don't think there's anybody who's secure enough," he said. "I would never point a finger at credit unions and say they aren't secure enough. There are some who need to have more security, but I think the majority of credit unions are working very hard to be as secure as possible. But that doesn't mean you can't still be hacked."