
Helping Credit Unions Close Breach Liability Coverage Gap

By Roy Urrico

A perfect storm of massive data exposures, new NCUA breach reporting requirements and consumer concerns could leave credit unions exposed to liability. However, an Eagle, Idaho-based captive insurance plan administrator entering the financial services space offers a solution to close the gap in coverage.

Dustin Carlson, president of SRA 831(b) Admin.

“We are really here to fill in the gaps in coverage that traditional insurance has when we talk about cyberbreach policies,” said Dustin Carlson, an expert in cybersecurity insurance and president of SRA 831(b) Admin (SRA). He added that traditional insurance typically excludes incidents caused by employee mistakes and not following proper procedures when a cyberbreach does happen. “And that is where we come in, we want to fill in those gaps in coverage and allow business owners to have that safety net at the end of the day when something like a cyberattack does happen.”


Carlson described how his firm, SRA 831(b) Admin, can help credit unions (and other businesses) take advantage of a section of the tax code that refers to 831(b) accounts. “A 401(k) lets you defer taxes on your income in order to save for retirement. Whereas 831(b) allows you to defer taxes on your income in order to save for a rainy day to set up a reserve of funds tax deferred to tap into that when something like a cyber breach affects your business.”


Breach, Ransomware Fallout Threaten Organizations

Given the growing number of cyberthreats, it may be only a matter of time before credit unions, and other small and midsize businesses (SMBs), have their liability coverage tested. That is especially so given the recent discovery of the “Mother of all Breaches” (MOAB), comprising over 26 billion exposed records, and the Identity Theft Resource Center (ITRC) revealing a record-setting 3,205 breaches, impacting an estimated 353,027,892 victims in 2023, with financial services among the most compromised industries.

According to the National Association of Insurance Commissioners (NAIC), protection against cyberattacks continues to be important for businesses, and small businesses are no exception. In its latest study, issued in November 2023, NAIC found that since 2022, small businesses have experienced a 28% increase in cyberattacks. Woodruff Sawyer’s annual survey of cyber insurance carriers found all underwriters surveyed believe cyberrisk will increase in 2024, with ransomware remaining the most significant threat as 63% ranked it their No. 1 threat for 2024.

A lack of, or a delay in, reporting incidents created some fallout. As a result, beginning on September 1, 2023, all federally insured credit unions must notify the NCUA no later than 72 hours after the credit union reasonably believes it has experienced a reportable cyber incident or received a notification from a third party regarding a reportable cyber incident.

Two recent cyberbreaches resulted in members filing class action lawsuits in 2023 directly against their credit unions over exposed non-public personal information (NPPI) and the delay in notification about the breach. The Ventura County Credit Union received two class action lawsuits over a 2022 cybertheft of data from up to 82,000 customers and employees. In addition, members of the HawaiiUSA Federal Credit Union in Honolulu filed a federal lawsuit over a 2022 data breach that impacted more than 20,000 persons.

Coverage Harder to Get

The NAIC survey found that 28% of smaller companies were denied coverage, compared to just 8% of large companies. The survey also found an increasing list of exclusions that could make cyberinsurance coverage void, including lack of security protocols (43%), human error (38%), acts of war (33%), and not following proper compliance procedures (33%).

Small businesses are primary targets, as they typically spend less on security, making it easier to hack into their systems. “(Cybercriminals) realized in small to mid-sized companies, like a credit union, that they are easy targets. Large corporations have a lot of resources to protect themselves against data breaches,” said Carlson. These include prevention procedures, what to do after a breach happens and how to mitigate the damages. “Whereas small, mid-size companies do not have those resources. And so, they do make an easy target for cyber scammers.”

According to a survey from, 51% of small businesses do not have cybersecurity measures in place. “Credit unions are a prime target because they are small/mid-size businesses. They may not have the resources to have those protections up front to prevent attacks,” Carlson noted. “Cyber scammers know there is very valuable information to hold ransom. They need that insurance in place for when that does happen to mitigate that risk and keep their business afloat.”

Covering the Gap

Carlson pointed out there is a multi-industry issue regarding cyber insurance. “Insurance companies do not have enough data points to really understand what is the potential risk for cyber liability. They cannot quantify a risk; they cannot price it properly. And so, the approach they are taking is we are going to put significant limits on cyber insurance, we are going to have sub limits within the policy.”

Carlson further explained the exclusions are for situations such as not following proper procedures, employee mistakes, and not notifying the insurance company in a timely manner. Traditional insurance companies, he added, are trying to really restrict the coverage so that they are protected and do not have an exorbitant number of losses. “They face as much financial risk writing the policy as the business does at the end of the day.”

An SRA 831(b) Admin policy allows the credit union (or business owner) to set aside tax-deferred funds to address the risks that traditional insurance may not cover. “So, if the worst does happen, you can turn to something if your frontline insurance company doesn't cover it,” said Carlson.

The credit union, through SRA 831(b) Admin, controls the 831(b) plan. “They are filing a claim to my company. We are the administrator of the plan. We are going to go through the proper process and procedure to verify the claim, verify the loss. But none of that is public data. That remains confidential,” explained Carlson. He added, “The claim comes out of your 831(b) plan and into the operating company to reimburse for expenses that happened because of the cyberbreach or if you did pay a ransom. It works a lot like your ordinary insurance. It is just that you are ultimately in control of the funds within that plan.”

Carlson said, “Ultimately what we are providing is your 831(b) plan allows the business owner to build a reserve of funds for the risks that are underinsured or uninsured by their traditional insurance.”

