Your Credit Union Bought a Bundle. Claims Get Paid Policy by Policy.

A member’s credentials are stolen. A fraudster uses them to transfer $200,000 out of the credit union. The NCUA opens an investigation. The member files a complaint. The board asks who is liable.

That single incident touches the credit union’s fidelity bond (stolen funds), the cyber liability policy (breach response, regulatory defense), and the D&O (board oversight claims). Three separate policies, three different sets of conditions, three different sets of exclusions.

At most credit unions, all three come through a single program, often TruStage. One relationship, one renewal, one broker. Each policy responds to claims independently, with its own terms, its own sublimits, and its own exclusions. The gaps sit in the seams between those policies, and most credit unions have never had anyone read all three together.

It looks and feels like one coverage. It is not.

How the Bundle Breaks Apart

I audited a credit union’s insurance. All three coverages came through the bundled program. It had been in place for years, renewed without objection. On paper, it looked solid.

When I read the policies together and tested them against real claim scenarios, the gaps became visible.

What the insurance audit found

  • Wire fraud: 50% co-payment. On a $200K loss, the credit union recovers less than $100K.
  • D&O: Entity exclusion. The credit union itself is uninsured for cyber-related regulatory and member claims.
  • Vendor outage: $1M sublimit. A multi-day core processor outage exceeds coverage.

Wire Fraud: The Bond Pays, but Not All of It

Wire fraud is a high-dollar loss exposure for credit unions. A $200,000 wire redirected by a spoofed email. A $400,000 transfer initiated after a business email compromise. These are not hypothetical numbers.

At most credit unions, wire fraud coverage sits primarily on the fidelity bond. At this credit union, the bond covered funds transfer fraud with a $5 million limit. However, it carried a 50% co-payment on all funds transfer claims.

On a $200,000 wire fraud, the credit union would recover less than $100,000. For a credit union, an unrecovered $100,000 is a board-level event, not a rounding error.

The bond also limited which communication channels qualify for coverage: online, phone, and fax. An AI deepfake video call, where a fraudster impersonates a vendor executive, doesn’t clearly fit any of those definitions.

Wire fraud recovery depends entirely on the fidelity bond's terms, not the cyber policy. If the bond has co-payments, sublimits, or narrow channel definitions, that is the credit union's uninsured exposure.

D&O: The Entity Gap

The D&O policy protected individual directors and officers against personal liability. But it excluded entity-level claims related to privacy and security events.

If the NCUA brings an enforcement action against the institution, or if members file a class action after a data breach, the D&O policy does not respond for the credit union itself. Entity-level regulatory defense falls entirely to the cyber policy, where defense costs are paid inside the policy limit. Every dollar spent on lawyers reduces what is available for damages and settlements.

Vendor Outage: The Sublimit

The cyber policy capped dependent business interruption at $1 million. This is the coverage that responds when a core banking platform, card processor, or online banking vendor goes down.

NCUA cannot examine third-party service providers. Credit unions have no regulatory backstop that pressures vendors to maintain security standards. Insurance is the only financial protection, and $1 million does not cover a multi-day outage at a core processor.

Why This Hits Credit Unions Harder

These gaps exist across most financial institution insurance programs. They are structural, tied to how the industry separates cyber risk across multiple coverages. But three things make them worse for credit unions.

1. Program concentration. TruStage is the dominant insurance program for credit unions, bundling all three coverages under one relationship. This has real advantages: administrative simplicity, coordinated coverage, single point of contact. But when one program controls all three coverages, the gaps between them become invisible until a claim hits.

2. Volunteer boards. Most credit union boards are volunteers with less experience evaluating cybersecurity risk, which increases the chance of an oversight claim after a breach. NCUA has made board cybersecurity oversight a governance priority, not an insurance admin issue.

3. NCUA notification requirements. Credit unions have 72 hours to notify NCUA after a reportable cyber incident. The cyber policy's response timeline needs to match. And the fidelity bond mandate under 12 CFR Part 713 sets minimum coverage levels, but minimums don't solve deepfakes or social engineering.

One program, three coverages, rarely read together. That means unbudgeted losses, board exposure, and gaps that surface at claims, not at renewals.

What Happened After the Audit

The insurance audit identified specific fixes:

  • Negotiate the bond co-payment and channel definitions. A 50% co-payment on funds transfer claims is worth challenging at renewal, and the covered communication channels should include video conferencing.
  • Request removal or narrowing of the D&O entity exclusion. If the carrier won’t move on the language, a standalone D&O from a different carrier can fill the gap. Add investigative costs coverage for NCUA subpoenas.
  • Increase the dependent BI sublimit to match actual vendor dependence.

Closing these gaps would have cost a fraction of the exposure they leave open.

The broker pushed back on most of the recommendations. That is not unusual. TruStage is the program administrator and the endorsed provider for credit unions. The broker’s job is placement. An independent review tests whether the program works under claim conditions.

Most credit unions are not going to leave TruStage, and they shouldn’t. But they should have a documented record of their coverage gaps so they can push for better terms at renewal. That is a different conversation than walking in with nothing but the broker’s summary.

What This Means for Your Credit Union

Credit union insurance is sold as a bundle. Claims are paid by separate policies with separate exclusions. The risk hides in the seams between them.

Has your team ever tested a single cyber incident against all three policies at once? A wire fraud, a vendor outage, a data breach followed by an NCUA investigation?

If not, that is the gap worth closing first. Not by switching carriers or programs. By knowing what your current coverage actually pays and where it doesn’t.

Find out whether your program would actually pay on a wire fraud, vendor outage, or NCUA action. That is what a Risk Intelligence Report is for. Get in touch.
Joerg Proeve

Founder and Independent Risk Advisor at Breezy Risk. His insurance career spans carriers, startups, MGAs, and advisory, with a background in engineering and cybersecurity. He audits insurance programs for financial institutions.