Thursday, August 1, 2013

Cyber Crime and Cyber Insurance

"I bear no grudges. I have a mind that retains nothing." Bette Midler

Although it is old news, the confirmation of Richard Cordray as Director of the Consumer Financial Protection Bureau saves CFPB from some uncertain times. However, it guarantees that the financial service business will continue to face the certainty of more regulation.

As most business people know, there has been an increase in credit union "member business" lending. At least one, and possibly more, New Mexico credit unions are not subject to the limit on business loans of 12.25% of total assets. They have taken advantage of the NCUA's "low income designation," which permits a credit union with more than 51% low income membership to be exempt from the statutory asset cap on business lending. Indeed, in one case, a New Mexico credit union, New Mexico Educators Federal Credit Union, just made a sizeable loan for the purchase of the Albuquerque Downtown Hyatt and reportedly has made sizeable loans for other business purposes. The credit union is reportedly one of the 2000 credit unions nationwide that have received the NCUA low income designation. To the author's knowledge, no state chartered credit union has received the low income designation, which must be approved by the state Financial Services Division Director.

Often the most sophisticated security system can be hacked if not frequently updated and checked by good IT security personnel. The criminal computer minds who operate in the cyber shadows can bypass or invade passwords and other fancy FINCEN requirements.

What do you do? Well, first you should have a competent IT staff well versed in all areas of internet security. But suppose that all that effort fails on one day and one of your customer's payroll accounts is drained of funds. She does not notice the loss until five days later. Despite your best efforts, the customer sustains a significant loss. Or, for example, a rogue employee takes confidential customer information covered by Gramm-Leach-Bliley's privacy provisions from your system and puts it on his hard drive. He may sell it or just keep it, but you may not be able to discover what he did with it. (In my experience an overworked and sequestered F.B.I. may not help you at all.)

In the first example, your general liability policy may not cover the claim. Your professional liability E&O policy may not cover the claim. Advertising and personal injury coverage may be triggered, but that is not certain. You can be certain of coverage only if you have legal counsel review your policies, in conjunction with your insurance agent. Is this worth it? If you suffer a hacker attack and your customer loses $500,000, the litigation cost and reputational risk will make that advance review cheap by any measure. Plus you may find you have other insurance.

In the second example, there is very little chance that the reputational damage, the remediation cost (the cost to notify customers), the damage to the data on the system, and similar losses will be covered by any policy except a Cyber Risk Insurance policy. Any bank should explore Cyber Risk Insurance in this era of cyber crime.

When the coverage surfaced in the last decade it was spotty and claims adjusting was imperfect. In one case, in which the author was consulted, the bank was subject to a rogue employee invading the system and engaging in identity theft. The bank engaged in remediation to customers concerning any loss and gave customers notice that they could have free identity theft protection for a year. However, the claims process was so tedious and expensive to collect that the bank gave up--the cost of meeting picky insurance demands for data exceeded the remediation cost. Since then the claims process has improved.

In many reports of identity theft, plaintiffs have filed class action suits with significant recoveries. However, bankers should be aware there is no private right of action to sue for breach of the Gramm-Leach-Bliley privacy provisions--a data breach alone may not expose a bank to litigation. However, if the identity theft results in monetary damage to the customer, a customer may have a cause of action for the loss. Most bank litigation to date involves identity theft in cases where the hackers were able to invade accounts or ATMs and cause monetary loss.

With the right Cyber Risk policy a bank can be covered for data loss, hacker vandalism (not a small risk), remediation, failures of technology or security systems, slander or libel (may be covered elsewhere as well), cyber extortion, and customer loss of funds. A good insurance agent can ensure that your Cyber Risk Insurance fits in with the other coverage you have and help you avoid needless costs or over-coverage (although most knowledgeable lawyers would doubt you can be "over-covered").

You may find that you do not need Cyber Risk Insurance. However, if you do, find out now and not when you have a claim.

My thanks to Charlie Wheeler of Hub International for information on current Cyber Risk Insurance.

Do good.

MARSHALL G MARTIN
Comeau, Maldegen, Templeman & Indall, LLP
505-228-8506 (cell) 505-982-4611
