Cyber Insurance for Community Banks: What It Covers, What It Doesn't, and What Your Board Should Be Asking

Your bank has a cyber insurance policy. It’s on the books. The premium gets paid. The board sees it listed in the risk management report.

But when was the last time anyone checked what your cyber policy actually covers?

I review cyber policies for clients across the country, and the most common reaction I get from bank leadership is some version of: “Wait, that’s not covered?” The problem isn’t that community banks buy bad policies. It’s that cyber insurance was originally designed for companies that store data and operate a single network. Community banks do something more complex: they hold customer financial data, process transactions, move money, depend on multiple third-party vendors, and answer to multiple regulators. That’s a different risk profile. Your cyber policy should reflect it.

Here’s how to tell if it does.

What Cyber Insurance Actually Covers for a Community Bank

A cyber policy has two sides: first-party coverage (your own losses) and third-party coverage (when someone sues you).

First-party coverage typically includes:

  • Breach response costs: Forensics, legal counsel, customer notification, and credit monitoring. Even for a breach affecting a few hundred records, these costs routinely run into six figures.
  • Business interruption: Lost income and extra expenses while your systems are down due to a cyber event, after a waiting period (usually 8 hours).
  • Cyber extortion/ransomware: Ransom payments, negotiation expenses, and forensic support.
  • Data restoration: The cost to recover or recreate data destroyed or corrupted during an attack.

Third-party coverage typically includes:

  • Network security liability: Defense costs and settlements when a third party sues because a security failure caused them harm.
  • Privacy liability: Claims arising from failure to protect personal information.
  • Regulatory proceedings: Defense costs when a regulatory body investigates after a breach. For banks, this matters more than in most industries.

That’s the standard package. For a typical business, it works reasonably well. For a community bank, it has blind spots that deserve attention.

Where Cyber Insurance Falls Short for Community Banks

Wire fraud and social engineering coverage is probably sublimited

Wire fraud and business email compromise are among the costliest cyber threats facing banks. Business email compromise alone accounts for roughly $3 billion in reported losses annually. Banks are in the business of moving money, and attackers know it.

Most cyber policies offer social engineering coverage as an endorsement, not a core coverage. Sublimits typically range from $100K to $250K. If a bank employee is tricked into wiring $500K to a fraudulent account, the cyber policy sublimit may cover half. The fidelity bond may or may not respond, depending on whether the loss qualifies under the bond language.

This is getting worse. AI-generated voice and video can now impersonate executives in real time, and most policy language was written for email-based scams. For a deeper look at how deepfakes are breaking callback verification procedures and widening this gap, see Wire Fraud at Your Bank: Is That a Cyber Claim or a Bond Claim?

What to look for: Check whether your social engineering sublimit is adequate for your wire transfer volume. Check whether the policy defines “social engineering” broadly enough to include AI-generated voice and video. And if your policy requires a callback verification procedure, ask whether that procedure accounts for voice impersonation.

Your fidelity bond, D&O, and cyber policy may be pointing at each other

Banks carry fidelity bonds (covering employee dishonesty, forgery, computer fraud) alongside their cyber policies. These overlap in some areas and leave gaps in others.

Social engineering and fraudulent wire transfers are the most common gap. The fidelity bond may require “direct” fraud, meaning someone physically stealing or forging. The cyber policy requires a “cyber event.” A business email compromise scam that tricks an employee into voluntarily initiating a legitimate wire transfer may not clearly fit either definition. The employee was not dishonest. There was no hack. Each carrier can argue the loss belongs to the other policy.

Directors and Officers (D&O) coverage adds another layer. If the board is sued after a breach for inadequate oversight of cybersecurity, does the D&O policy respond? Some D&O policies now exclude claims “arising from” a cyber event, pushing everything to the cyber policy. But the cyber policy may not cover board liability claims.

What to look for: Pull your cyber policy, fidelity bond, and D&O policy side by side. Check whether any of them have exclusions that push claims to one of the other policies. If you see phrases like “arising from a cyber event” in your D&O exclusions, or “computer fraud” carved out of your fidelity bond, those are the seams where coverage can fail.

Vendor outages may not be covered

Community banks depend on banking platforms, payment processors, and online banking providers. A breach or outage at any one of these vendors can bring operations to a halt.

Scenario: Your banking platform vendor suffers a ransomware attack. Your own systems are fine, but you cannot process transactions, access accounts, or serve customers for three days.

Many cyber policies either exclude third-party outages entirely, sublimit them, or require a “security failure” at the vendor. Under a “security failure” requirement, a configuration error, a failed update, or an operational failure at the vendor would not qualify. Your bank loses three days of operations, and the policy does not respond.

What to look for: Does your policy cover “dependent business interruption” or “contingent system failure”? Is there a sublimit? Does it require a “security event” at the vendor, or does it cover any “system outage”?

Ransomware coverage has three hidden traps

Ransomware is now a factor in the majority of cyber insurance claims, and financial institutions are among the most frequently targeted industries. Three things to check:

Trap 1: The sublimit.
Your policy may say “$2M cyber” on the declarations page, but ransomware/extortion may be capped at $250K or $500K in the endorsements. If the demand exceeds your sublimit, you are paying the difference.

Trap 2: The OFAC sanctions exclusion.
Most policies exclude ransom payments if the attacker is on the OFAC sanctions list. Banks deal with OFAC sanctions in their day-to-day compliance work, but many do not realize the same sanctions rules apply to their insurance policy too. If you pay a ransom to a sanctioned group, the carrier denies the claim and you may face separate OFAC penalties.

Trap 3: Security warranties.
Modern cyber policies include MFA, patching, EDR, and backup requirements as conditions of coverage. If the bank does not meet these controls when a ransomware event occurs, the entire claim can be denied, regardless of whether the missing control caused the breach. MFA was not enforced on a remote access connection? Claim denied. Not because MFA would have stopped the attack. Because MFA was a contractual condition and it was not in place.

Regulatory coverage may be narrower than you think

Most cyber policies include regulatory proceedings coverage. But there are limits.

Fines and penalties are often excluded, or covered only where “insurable by law.” Whether a given fine is insurable varies by state. For banks, the 36-hour incident notification rule means regulators will know about significant incidents quickly. The examination that follows can be extensive, and legal costs for responding to regulatory inquiries can run into six figures.

The gap: your policy covers “regulatory proceedings” but defines it narrowly. An FDIC investigation may not fit the policy’s definition if it is framed as an examination rather than a formal enforcement action.

Security Warranties: Where Cybersecurity Controls and Insurance Collide

Carriers increasingly require specific security controls as conditions of coverage. These are not recommendations. They are contractual requirements:

  • Multi-factor authentication (MFA) on all remote access points
  • Endpoint detection and response (EDR)
  • Regular patching within defined timelines
  • Tested and verified backups
  • Email filtering and anti-phishing tools
  • Security awareness training for employees

The security controls your IT team or security assessor evaluates are the same controls your insurance carrier requires. If those controls are not in place, it is both a security risk and an insurance risk. A security gap does not just make you more vulnerable to an attack. It can void your coverage when the attack happens.

If your bank works with an IT auditor or security firm, ask them to review your carrier’s security warranty requirements alongside their assessment. For more on how examiner expectations, IT audit findings, and carrier requirements overlap (and where they do not), see What Your Examiner Expects From Your Cyber Insurance.

5 Things to Check Before Your Next Board Meeting

These checks take about 30 minutes. If you get through all five, you will know more about your cyber coverage than most community banks ever will.

  1. Find your sublimits. Look at the declarations page and any endorsements for ransomware/extortion and social engineering/wire fraud sublimits. Compare them to your aggregate limit. If either is less than 25% of your aggregate, flag it.

  2. Read your security warranties. Go to the Conditions or Warranties section. List every security control required as a condition of coverage. Then check whether your bank meets every single one. One gap can void everything.

  3. Check your vendor coverage. Find the Business Interruption section and look for “dependent business interruption” or “contingent system failure” language. If your policy only covers outages at your own bank, you have a gap.

  4. Look at your policies together. Pull the cyber policy, the fidelity bond, and the D&O policy. Check whether any of them have exclusions that push claims to one of the other policies. Where you see “arising from a cyber event” exclusions, that is a potential gap.

  5. Ask about deepfake coverage. Check whether your social engineering coverage defines “social engineering” broadly enough to include AI-generated voice and video, or whether the language is limited to written communications.

If any of these raises a question you cannot answer, bring it to your next broker conversation. Or if you would rather have someone who reads these for a living walk through it with you, get in touch. Learn more about how I work with community banks.