Kelly Coughlin:

Greetings, this is Kelly Coughlin. The Blind Hen. A hen who had lost her sight and was accustomed to scratching up the earth in search of food, although blind, still continued to scratch away most diligently.  Another sharp-sighted hen, who spared her tender feet, never moved from her side and enjoyed, without scratching, the fruit of the other’s labor.  For as often as the blind hen scratched up a barley corn, her watchful companion devoured it.

Announcer:

Kelly Coughlin, CEO of BankBosun, a management consulting firm helping banks’ C-level officers navigate risks and discover reward. He’s the host of the syndicated audio podcast bankbosun.com.  Kelly brings over 25 years of experience with companies like PwC, Lloyd’s Bank, and Merrill Lynch.  On the podcast Kelly interviews key executives in the banking ecosystem to provide bank C-suite officers risk management, technology, and investment ideas and solutions to help them navigate risks and discover reward.  Now your host, Kelly Coughlin.

Kelly Coughlin:

Greetings.  This is part two of my interview with Kris St. Martin, a bank cyber security expert at CBIZ.  In part two, we will talk more about what drives premium costs and, once a bank experiences a cyber intrusion, what the actual types of costs are that the bank can insure and how to make sure these costs are recoverable in an insurance claim.  I finished part one by asking Kris about how a bank should go about determining the maximum claim liability.  Is it based on records, revenues, business lines, and ultimately, what can a bank do to manage and reduce the premium costs with good internal cyber risk management controls implemented and utilized at the bank?  Here is what Kris had to say about that in part two.

Kris St. Martin:

Because of the number of records, you can fairly well quantify the physical costs to deal with a breach. Those types of costs, if you’re hit with a breach, time really is of the essence.  You want to be able to get as much good, accurate information as to what happened, did it trigger your state data breach law, as quickly as possible, because if you go back to Target again, one of the things that they learned in the litigation and were heavily criticized for was reputation.  In fact, my family, we all have debit cards at our local bank and we have a Target about three blocks away.  So I always remember these dates, because it affected us.  They really came out public, and our bank had offered debit cards two days before this special breach happened, and they identified it because in early November.  So they took well over a month to a month-and-a-half to actually notify the world that there was a breach.  Looking at the costs, the cost part of a breach is going to be the initial forensics, legal consultation, so if initial forensics say this was indeed a breach, then you go to your legal representation: did this breach trigger the state’s data breach laws?  Everybody’s a little bit different.  They’re all state-driven, but more similar than different.

The second part is you go to your attorney and you say, here’s our data, here’s what happened, did that trigger the breach?  Well, these are expenses that are accumulating.  Then, if it does, you need to notify in writing and send a compliance letter to all the people involved.  Then, you need to handle their calls and inquiries along the way.  They’re going to call in from that letter, and either you do it in house or you set up a data center for that, train the people in the data center for those phones or your own employees, and then you need to offer one year of credit monitoring, and there’s a cost for that.  Those are kind of all your costs that are generally, somewhere, at least $30 per record, and oftentimes I’ve seen other studies saying going up to $100 per record.  That’s fairly quantifiable, based on how many records you have.  What’s much tougher on the limits is going to be, based on the data that’s been breached, who’s going to sue you and why, and what harm are they going to say you have caused. That becomes much more difficult to quantify.  Along those lines, we deal with banks all over the country, and as we’ve been renewing cyber policies, this has now become a regulator/board-driven type of thing.

We’re routinely having banks come to us at renewal time and saying we want more liability just because of the unknowns out there.  So, what’s a good number?  It’s really hard to say.  There are peer numbers that different services put out, including Travelers, which puts out peer numbers for cyber liability.  We’ll throw our customers a couple of what their peers for the different pricings will be as a point of reference and then try to have a discussion on what type of information do you hold in the bank and how is it held, and start talking through kind of worst-case scenarios, if they lost some of that information, and who would be harmed the most.  You try to massage the peer numbers from there, but like I think anything in risk and insurance, you really—you can’t necessarily observe for the absolute worst scenario, but you try and pick a number that will largely cover most of the occurrences along the way on a probability basis.

Kelly Coughlin:

Kris, you mentioned earlier that theft of funds gets covered by another type of risk mitigation tool, and then you also mentioned that business interruption for a bank isn’t very high, because it’s not like there’s a bunch of transactions that come in if there’s interruption of service.  So what are the main cost drivers a bank can look at in determining how much coverage they need?

Kris St. Martin:

That’s a very good question, and on the cyber side, certainly the number of records.  That’s going to be the biggest driver to look at on the cyber side.  We have banks that are also involved with card programs.  There can be other services that they provide very actively that involve the flow of personal information and vendor partner information.  That can provide another element of risk there versus the standard just checking and savings accounts and loans, and CDs type of business.  It could be a smaller bank that does very large wire transactions.  Another thing to look at is the size of transactions that you’re doing electronically.  There are other banks that might be bigger that just do a series of very small transactions.  They may not need as big of a theft limit.  Those are things that underwriters, as far as pricing a policy, are going to be looking at too: size of transactions, third-party vendors that you might be associated with, with special programs with the added element of risk of other people holding your data.

Kelly Coughlin:

When a bank experiences a breach, what are the costs that the bank has to absorb?  You mentioned the theft of funds, that’s covered by a bond.  There’s probably no business interruption costs or very minimal.  What costs normally accompany a cyber breach?

Kris St. Martin:

Well, in a cyber breach, let me kind of walk through what happens.  Somebody in IT is going to come to a CFO or some C-level executive and say, “Hey, something happened, we’re not quite sure what it is, but we’re concerned and we need to dig into this thing.”  The first thing you would do is try to go with an outside forensic partner who specializes in this type of thing and start digging into it with your IT group, and say, “Okay, exactly what was breached, and is there a pretty high probability that all or some of our records are involved with that?”  There’s a cost for that, for your forensics.  Once you get through that, you would bring that information to an attorney, and I would highly recommend somebody who specializes in data breach law.  Say, here are the facts of what happened, and how does that relate to our state’s data breach law, did it trigger that law, do we now have to go down the steps of notification and all the remedies that are built into that law.  There are legal fees there.  Then, if the attorney says you did breach the law, then you’re going to have to do a letter or a series of letters, emails, and so on, out to your clients notifying them of a breach, and then in there is going to be an offer of call us for more information.  Many times, it’s a separate call center service used.  There are those that specialize in data breach call centers, and there’s an expense for that.  Also, most states, if not all, are going to require, if you did trigger a data breach law, that all of the people affected are going to be offered credit monitoring for one year, and there’s a cost to the credit monitoring.

This type of expense can be around $30 to $100 per record.  Banks may choose to do some sort of PR campaign, which oftentimes happens with breaches in many industries.  There are expenses of, hey, we need to do some local newspaper advertisement.  We need to do some more letters to our clients.  We need to get on local TV or advertisements.  Basically, they put a message out there that this happened, we’re sorry, we’re on top of it, and we’re going to be better because of it.  Whatever your PR message is that you’re going to want to try and mitigate the damage under your brand.  Those are additional expenses that can come along the way before you even get to the liability side of who’s going to sue us.

Kelly Coughlin:

Okay.  I’m going to list those again.  You’ve got: 1. A forensic partner; 2. Attorney costs; 3. Notification costs, notification of customers; 4. Maybe a call center; 5. Credit monitoring; 6. Reputation remediation. Are all of those insurable?

Kris St. Martin:

Yes, and that’s part of making sure your insurance policy contains all that on the front side.  There are really kind of a couple of ways that the breach expenses can be handled.  One that’s just more common is you’ve got a million dollar limit to handle A, B, C and D, and you’ve got to go out and find your partners, and you’re on your own, and we’ll reimburse you.  What we’re seeing is more and more of these insurance carriers providing some sort of data breach service as part of the policy, and that’s been very well received in the banking world.  Now, you have to kind of wind through the scenario again.  Instead of calling an outside forensics person, your first call under one of the policies that’s very common out there is to call the insurance underwriter’s data breach manager, and he assigns a case manager to it, and they start—that case manager stays with you through the whole time of the process.  They either have in-house services or they have third-party partners that they can immediately get you to.

The value of that versus a limit, one of the things, going back to the regulators, the regulators are all over the concept of what’s your—they’ve always been good on disaster recovery, the regulators, or at least asking what your overall disaster recovery plan for the bank is. Now they’re getting all over where is your disaster recovery plan in the event of a data breach.  Again, you want to make quick access decisions and mitigate the reputational risks that you sat on this information, and get through it quickly and well-organized.  The regulators really like that; if you just do all those services under your limit, then you’d better show them who your contracted third-party providers are going to be for those services, that they’re lined up, they’re ready to go, they can work quickly, and you’ve thought through that whole process of who’s going to do that for you.  There are other policies where you call them and they start walking you through that, and provide a forensic person, they provide an attorney, they can help with the PR, all of that kind of built into the policy itself.

Kelly Coughlin:

What advice would you give policy holders when completing their applications for cyber insurance?  Any unique tips, any special tips you’d give them?

Kris St. Martin:

Yeah, one very important thing is to be accurate.  Sometimes these things are onerous and they’re many pages long, but take the time to be very accurate, because if you put a number down, if they’re asking for a number, or you answer something that you think, where that could come back to haunt you is at claim time.  They can pull up that application and say you answered it this way, we may not have even given you a policy.  What they’re going to do at claim time, they’re going to look and see if there’s anything, any speedbumps, that would take you out of getting the claim paid.  I’d also say be aware of warranty statements.  This is true, very true, for cyber policies as well as all policies.  You need to be aware, oftentimes in the applications themselves, they will say some statement like, is there anybody in your organization aware of any circumstances that could lead to a claim under our coverage? If you have 500 employees, there’s no way you can say yes to that with any assurances, and again, it could come back and haunt you at the claim investigation time.  So pay attention to warranty statements.  There are ways to modify those statements or eliminate them.  Then again, I mentioned this before, but pay attention to the thought behind the question on the application.  There are good reasons for asking them, and use that as maybe an excuse to go back and review your own procedures.

Kelly Coughlin:

Okay. I know you’ve been in this business a long time and you have a terrific reputation, so congratulations on that.  Is it fair to say that your objective is to help your bank clients get the coverage and not trying to help the insurance carrier avoid a claim?

Kris St. Martin:

Right.  Right.  What I always tell my clients is we’re going to sell the best, but accurate, story to the insurance underwriter.  We’re not going to hide anything.  We’re going to give them accurate information and then they make their decision whether to insure or not.  From that point, when it comes to claim time, there are two parts on the claim.  One is on the front end of it, when we give all the information to the insurance underwriter, they’re going to come back and say here’s our offer.  A good insurance agent, a producer out there, and there are lots of great ones, you’re going to dive into that.  For example, we’ve developed a 40-point checklist with cyber over years of working with this.  We start, you know, producers should check a number of things in the offer so that when you do come to claim time, you don’t have these speedbumps.  Then there are just a number of things that you can modify in the wording with the negotiation with the underwriter.  When it comes to claim time, whoever you’re working with for an agency can be a great advocate for you on claim time.  You’re going to initially put the claim in as a customer copy or agent, but the agent should be in the loop the whole time, and aware of any objections that the claims adjuster is going to have when it comes to the client. The agent has a really unusual dual role in business. They have a legal obligation both to the carrier and to the client, but they’re different obligations to each.  Claims is one where we really work with the client just to make sure they’re well advised on whether or not that’s a reasonable denial, if it’s a denial, or it might be something that they should talk to their attorney about and do a little bit more legal research on.

Kelly Coughlin:

Let’s talk about pricing a bit.  How flexible and negotiable are the terms of a cyber policy?

Kris St. Martin:

Like any policy, there are certain things that are just absolutely industry things.  But there are a number of things that are different and negotiable in a cyber contract.  Just a couple of quick examples: data breach on loss of information in one policy can be defined, for example, as electronic information loss.  What you want in the contract is paper information or electronic.  These things are negotiable with the carrier, oftentimes.  A number of fine-print type of things.  Another example is some policies will pay on a ransom letter, for example, and then the definition will say we’ll pay out in US dollars.  Most ransom letters are requesting bitcoins.  Another dot that’s on our checklist is going to be make sure that the wording says US dollars or bitcoins that they can be paid out in.  Most of these types of things, the carriers are fairly flexible, but in some cases, they’re not going to proactively do that.  They give you, oftentimes, the standard type of contract form and approval.  There’s room to be negotiating a premium.  We’re talking maybe 10% latitude, if a good agent can build a case for the risk.  There’s some room in premiums, but a lot of room in the terms and conditions.

Kelly Coughlin:

Back to that internal control continuum of one being nothing, five being great internal controls, is there negotiable room if the bank can build the case saying, hey, look, our internal controls are four and five, you shouldn’t be pricing this at a three? Is that an area that’s negotiable?

Kris St. Martin:

Absolutely.  Absolutely.  It’s all claims related.  An example is like worker’s comp insurance, where there’s a lot of loss prevention that carriers very proactively get involved with, with certain industries, if there are a lot of injuries.  If there are a lot of claims in the cyber area, you can count on the carrier getting much more proactive in not only just asking the questions, but they might dig a whole lot deeper.

Kelly Coughlin:

One final question I have is, any tips, tricks, or traps when making a claim that we should be aware of?

Kris St. Martin:

Well, I’d say first, when you’re looking at how claims are going to be handled, you want to do as much work as you can before you have a claim. We’re big proponents of things we’ve talked about here with procedures and all the preventive types of things.  In the insurance world, the preventive type of thing is, one, make sure you pick a carrier that has a great reputation in the area of insurance that you’re talking about. That’s important because they’ve been there for a while and have a good claims paying history, and just a general reputation.  Secondarily, in the prevention on the insurance side, make sure your policy is looked at by somebody who writes a lot of cyber insurance in this particular case, and knows the speedbumps that you’ve got to address, that are going to give you a problem at claims history.  Some of the wording, the definitions, those types of things.  Lastly, you want to make sure that you have your agents intimately involved with that, because they’re going to be a strong advocate for you when it does come to claims time.

Kelly Coughlin:

Great.  That’s perfect. I will say, this podcast isn’t designed to be an infomercial for you or for CBIZ, but I am going to put a plug in, because I have some experience with you guys and some of your carriers, and I’ve been so impressed with how you are working with the community banking and regional banking market that I think the service is terrific.  I’m totally committed to helping banks manage this cyber risk because as I started it out, I think it’s a problem.  Community banks are in the crosshairs of these bad-guy cyber pirates and they need all the help they can get in preventing attacks and breaches. I applaud you for your great work.  I think I’ve finished the questions that I had, Kris.  Is there anything else you wanted to add that we didn’t get?

Kris St. Martin:

You know, only that another big topic out there is this third-party vendor. That’s probably a subject for a whole different thing that the regulators and just good business practice is really pushing hard down the road of, okay, so your data processor is Fiserv, what do you really know about them?  Or your IT guy is XYZ, what do you really know about them, their procedures, their insurance?  It’s a whole other kind of layer to this that’s opening up as a third-party vendor that you as a business or bank are using.  Besides that, no, I just wanted to thank you a lot for the opportunity.  It was fun to do, and I’m really honored that you thought enough of us to pull us into one of your podcasts.

Kelly Coughlin:

Well, yeah, I appreciate it.  I would like to follow up with another podcast on third-party vendors and the due diligence required.  Let’s put that on the calendar.  Kris, I really enjoyed it.  I wish you the best.  Keep up the good work.  Enjoyed talking to you.

Kris St. Martin:

Thanks, Kelly.  Thanks so much.  Talk to you soon.

Announcer:

We want to thank you for listening to the syndicated audio program bankbosun.com.  The audio content is produced and syndicated by Seth Green, market domination with the help of Kevin Boyle.  Video content is produced by The Guildmaster Studio, Keenan Bobson Boyle.  Voice introduction is me, Karim Kronfil. The program is hosted by Kelly Coughlin.  If you like this program, please tell us. If you don’t, please tell us how we can improve it.  Now, some disclaimers.  Kelly is licensed with the Minnesota State Board of Accountancy as a Certified Public Accountant.  The views expressed here are solely those of Kelly Coughlin and his guests in their private capacity and do not in any way, represent the views of any other agent, principal, employer, employee, lender, or supplier.