Why do smaller banks lean on Silent Cyber?

Walid Youssef, Deputy Head of Financial Institutions for Travelers Europe, explains how the evolving cyber risk landscape is leaving these institutions more vulnerable to cyber-attack.

Big banks have been buying dedicated cyber insurance for years. But unfortunately, this cover is tougher to sell to many small- to medium-size financial institutions. This hasn’t been true for professional services like law firms or engineering companies of different sizes. So why are smaller banks different?

They often assume they are sufficiently protected by “silent cyber” – the potential cyber protections contained within a traditional insurance policy. Although these policies are designed to cover non-cyber aspects of a business, a policy holder might still rely upon them to pay a cyber claim. For instance, a professional indemnity or civil liability policy might help cover cyber claims. But using cover in this way weakens the overall safety net, leaving less money available for what the policy is designed to protect.

What’s more, even if traditional insurance is used to cover a policyholder’s cyber breach, it often will not cover all costs associated with the event. A liability policy might cover a claim for a liability resulting from a privacy breach, but it won’t cover the costs of notifying individuals as required through GDPR, or of the IT forensic work a business would require to determine the extent of their breach. These post-breach services are often where cyber policies prove their value because the minutes and hours following a breach are the most critical in helping a business get back on track. Such support is central to stand-alone cyber policies but is not found in traditional cover.

Increasing awareness of the risks

It isn’t just the insurance industry pointing out these gaps in cyber protection. The UK government’s 2022 cyber security incentives and regulation report confirms that businesses are not going far enough to protect themselves from a breach or attack. The consequences are damaging: Among the 39% of businesses that identify breaches or attacks, one in five lose money, data or other assets. A cyber prevention framework that includes dedicated cyber insurance can help a business contain those losses and eliminate gaps in cover. As cyber risks evolve and financial institutions become more interconnected, having this protection will be increasingly important.

Some areas of the industry still have a false sense of security. As part of a regulated industry, financial institutions have generally had better cyber controls than businesses in other sectors – and a longer history with them. The financial services industry hasn’t been hit with as many ransomware claims as other industries have experienced in recent months. When the industry as a whole has yet to experience significant claims, it can be challenging to prove the value of standalone cyber insurance.

But the landscape is shifting. Ransomware, for example, started with stealing information but is now about preventing access to the insured’s critical systems, threatening to publish confidential information, and demanding multiple ransom payments in the process. The stakes are getting higher and businesses need a future-focused mindset when it comes to protecting against growing cyber risks.

As cyber threats evolve, so will insurance protection. Lloyd’s have previously voiced concerns that silent cyber poses unexpected risks to insurers’ portfolios, which will require insurers to take active steps to reduce ambiguities. We’re following the risk environment carefully so we can best support our broking partners in helping clients reduce the threats their businesses face.

The information provided in this document is for general information purposes only. It does not constitute legal or professional advice nor a recommendation to any individual or business of any product or service. Insurance coverage is governed by the actual terms and conditions of insurance as set out in the policy documentation and not by any of the information in this document