Six Ways Coverage Fails at Claim Time

These patterns show up in every community bank and credit union I review. Different carriers. Different policy forms. Same gaps. Each one creates a scenario where the institution assumes it is covered and discovers at claim time that it is not.

Community banks and credit unions carry three policies that touch cyber risk: a cyber policy, a fidelity bond, and a directors and officers (D&O) policy. These policies were never designed to work together. Each carrier points the finger at the other two. The bank holds the loss.

The six gaps below are the ones I find most often. They come from actual policy reviews.

Gap 1: The Wire That Never Comes Back

Spoofed instructions, real wire. The cyber policy never included social engineering coverage. The fidelity bond excludes "voluntary parting" because the employee had authority and willingly sent the funds. Both carriers point at each other.

On a $400K wire fraud, the bank can recover as little as $200K. Half the loss falls on the bank.
Gap 2: The Board on the Hook

After a breach, regulators go after the directors personally. The D&O policy has a cyber exclusion nobody knew was there. The cyber policy does not cover board liability. Directors face personal exposure.

Some version of this gap exists in every institution I have reviewed.
Gap 3: The Vendor You Cannot Replace

A core processor goes down for three days. The cyber policy covers vendor outages under dependent business interruption, but sublimits it to around $1M within the aggregate. A multi-day core platform outage easily exceeds that.

Vendor concentration is the risk every community bank knows is real. The coverage exists, but the sublimit does not match the exposure.
Gap 4: The Ransom You Cannot Pay

Ransomware encrypts the bank's data. The carrier will not authorize payment because the threat actor is on an OFAC sanctions list. The bank chooses between an illegal payment and an indefinite outage.

Banks deal with OFAC in daily compliance. Most do not realize the same sanctions rules govern a ransom payment made under their cyber policy.
Gap 5: The Application That Cancels the Policy

After a loss, the carrier reviews the application the bank submitted at renewal. MFA not enforced everywhere? Backups not tested? The policy can be voided as if it never existed.

A gap in your controls is a gap in your coverage. The carrier decides after the claim.
Gap 6: The Fine Print Inside the Coverage

The policy responds, but sublimits, retentions, and carve-outs shrink the recovery. A $5 million policy can become a $500K payout. The limit on the declarations page is the ceiling. The floor is buried in language the bank never read.

The limit is real. So is the language that erodes it.

For a side-by-side map of how all three policies respond to each incident type, see Five Common Cyber Incidents, Three Policies, and the Gaps Between Them.

Find Out Where Your Coverage Fails

One report. Plain English. Before your next claim, board review, or examination.
