Coverage Gap Framework

Six Ways Coverage Fails at Claim Time

These patterns show up in every community bank I review. Different carriers. Different policy forms. Same gaps. Each one creates a scenario where the bank assumes it is covered and discovers at claim time that it is not.

Community banks carry three policies that touch cyber risk: a cyber policy, a fidelity bond (the financial institution bond), and a directors and officers (D&O) policy. None of the three was written with the other two in mind, so each carrier reads its own exclusions as the point where another policy should pick up. The loss that falls between them stays with the bank.

The six gaps below are the ones I find most often. They come from actual policy reviews.

Gap 1

The Wire That Never Comes Back

A spoofed instruction, a real outbound wire. The cyber policy excludes "voluntary parting": an employee, deceived but acting willingly, released the funds. The fidelity bond's computer fraud coverage requires a fraudulent intrusion into the bank's systems, and no intrusion occurred. Each carrier points at the other.

On a $400K wire fraud, the bank can recover as little as $200K. Half the loss falls on the bank.
Gap 2

The Board on the Hook

After a breach, regulators pursue the directors personally. The D&O policy carries a cyber exclusion nobody noticed at binding. The cyber policy does not cover board liability. The directors are left with personal exposure.

Some version of this gap exists in every institution I have reviewed.
Gap 3

The Vendor You Cannot Replace

The core processor goes down for three days. The cyber policy's business interruption coverage is triggered only by a compromise of the bank's own systems. An outage at the vendor does not qualify unless the policy carries dependent (contingent) business interruption coverage, and many forms omit it or sublimit it sharply.

Vendor concentration is the risk every community bank already knows is real. Most policies still don't cover it.

Gap 4

The Ransom You Cannot Pay

Ransomware encrypts the bank's data. The carrier refuses to authorize or reimburse the ransom because the threat actor, or its wallet, is on an OFAC sanctions list. The bank is left choosing between a payment that sanctions law prohibits and an outage with no end date.

Banks deal with OFAC in daily compliance. Most don't realize the same sanctions rules bind their insurer's claim payment too.

Gap 5

The Application That Cancels the Policy

After a loss, the carrier goes back to the application the bank signed at renewal. MFA attested as enforced everywhere, but missing on one remote access path? Backups attested as tested, but never actually restored? A material misstatement lets the carrier rescind the policy, treating it as if it never existed.

A gap in your controls is a gap in your coverage, and the carrier finds it after the claim, not before.
Gap 6

The Fine Print Inside the Coverage

The policy responds, but sublimits, retentions (the deductible the bank absorbs first), and carve-outs shrink the recovery. A $5 million policy can become a $500K payout. The limit on the declarations page is the ceiling. The floor is buried in language the bank never read.

The limit is real. So is the language that erodes it.

For a side-by-side map of how all three policies respond to each incident type, see Five Common Cyber Incidents, Three Policies, and the Gaps Between Them.

Find Out Where Your Coverage Fails

One report. Plain English. Before your next claim, board review, or examination.
