I Audited Five Community Banks and Credit Unions. They All Had Similar Gaps.

Over the past months, I audited the insurance policies at five community banks and credit unions. I read the actual policy forms, the endorsements and amendments across their cyber, fidelity bond, and D&O policies.

The five financial institutions had little in common. Asset sizes ranged from under $500 million to over $1 billion. They reported to different regulators. The group included a mix of community banks and credit unions. They used different insurance program structures, and different carriers. Premiums varied significantly across the group.

However, the gaps were similar.

Very similar structural problems appeared in every program, regardless of bank size or carrier. That pattern changes the conversation. One bank with a gap is a broker discussion. Five banks with five different programs and the same gaps is an industry problem.

Gap 1: Every D&O Policy Had a Cyber Exclusion

Every D&O policy excluded claims arising from a cyber event, though the breadth of the exclusion varied. One carrier excluded anything “arising out of or in any way involving” a data breach. That language blocks all D&O claims after a cyber incident, including regulatory investigations into whether the board met its oversight obligations. Another carrier narrowed the cyber exclusion and added an exception for certain privacy claims. That proves that tighter language is available. The default across all five programs, however, was a broad cyber exclusion.

This exclusion matters even more as cyber threats are rapidly increasing and, at the same time, regulators are tightening board accountability. Over the past three years, the FFIEC, OCC, and FDIC have each raised expectations for board-level cybersecurity governance. The FFIEC examination handbook requires boards to provide “credible challenge” to management’s cybersecurity assertions. The NCUA made board cybersecurity training a named supervisory priority for the first time in 2026. Publicly traded banks now face SEC cybersecurity disclosure requirements.

The regulatory direction is clear: boards are expected to understand and oversee cyber risk. The D&O exclusions are moving in the opposite direction.

After a breach, examiners will investigate whether directors met their duty of care. That investigation is a D&O matter. If the D&O policy excludes any cyber-related claims, the directors face it without coverage. And the cyber policy doesn’t fill this gap. Cyber policies cover mainly breach response costs: forensics, notification, credit monitoring. They don’t cover claims against individual board members for oversight failures.

The policy that protects directors excludes cyber. The policy that covers cyber incidents doesn't protect directors. After a breach, neither one covers the investigation of the board.

Gap 2: Wire Fraud Coverage Was Inadequate

Social engineering limits across all programs ranged from $100,000 to $500,000. Every bank in this group moves multiples of that amount in wire transfers daily.

The deeper problem is where this coverage sits. Cyber carriers generally don’t offer wire fraud coverage for financial institutions. They push it to the fidelity bond. The fidelity bond does cover wire fraud, but often with conditions that reduce the payout: a co-payment (where the bank absorbs a percentage of every loss), a sublimit that’s a fraction of the bond’s headline coverage, or a verification step the bank must prove it followed before the transfer. Wire fraud at financial institutions is a constant. The FBI estimates nearly $3 billion in losses annually. The coverage doesn’t match this exposure.

At one bank, the bond imposed a 50% co-payment on all funds transfer claims. On a $2 million wire fraud claim, the bank would pay more than $1 million out of pocket.

Gap 3: Recovery Depends on How Forensics Classifies the Attack

Every fidelity bond had multiple fraud coverages with different limits and definitions. “Computer Systems Fraud” might carry a $5 million limit. “Social Engineering” might carry only $250,000. These definitions don’t overlap. That separation is intentional.

The result is what I call the “Classification Swing.” For the same wire fraud, same dollar loss, same attacker, the bank could recover either the full $5 million or just $250,000, depending entirely on whether forensics determines the bank’s system was compromised or an employee was deceived. Across the banks, these swings ranged from $4.25 million to $4.75 million.

This is how fidelity bonds are designed: multiple fraud coverages with non-overlapping definitions and different limits. But nobody maps the Classification Swing for the bank before a claim happens. The bank only sees its headline limit and assumes that is what it will recover.

A $5 million bond might only pay $250,000 if the attack is classified as "Social Engineering" instead of "Computer Fraud". Headline limits are not recovery limits.

Gap 4: Vendor Coverage Did Not Match Vendor Dependence

Every bank in this group depends on a core banking platform vendor. When that platform goes down, the bank can’t process transactions, access accounts, or serve customers. An August 2025 data breach that affected more than 700 financial institutions through a single vendor made this the examiners’ number one concern.

Coverage for vendor outages ranged from $100,000 to zero. One bank hadn’t purchased the coverage at all, even though it was available in the policy form; it had never come up in the renewal process. A five-day outage at that bank’s core vendor would cost an estimated $500,000, with no insurance recovery.

Examiners are now asking about vendor risk management. They want to see that the bank has assessed its critical vendor dependencies and has a plan if a vendor fails. The insurance that’s supposed to backstop that risk doesn’t come close.

For more on this gap, see The Vendor You Cannot Replace.

Gap 5: Nobody Covers the Response to Wire Fraud

Fidelity bonds reimburse stolen funds. Cyber policies pay for breach response: forensics, legal counsel, notification. Wire fraud isn’t a data breach. No records are compromised. No notification is required.

So, after a wire fraud loss, the bond may reimburse part of the stolen funds, but the cost of investigating what happened, engaging outside counsel, and reporting to the board and regulators falls on the bank. Neither the fidelity bond nor the cyber policy covers the response.

What the Pattern Means

If these were problems with one carrier’s forms, the fix would be to switch carriers. But these gaps appeared across all programs and all carriers, and across different bank profiles. Similar issues showed up at the small mutual savings bank and the billion-dollar publicly traded institution.

The gaps are structural. The way bank insurance programs are designed, with breach response on the cyber policy, fraud pushed to the fidelity bond, and D&O written without reference to either one, creates seams between the policies. Claims land in those seams, and nobody pays.

Closing these coverage gaps costs a fraction of the exposure they create.

Uninsured exposure: as high as $7M
Cost to reduce 70% of the exposure: 5-15% additional premium

Numbers depend on the bank's size, program structure, and identified coverage gaps.

What the Banks Did With the Findings

Every bank received a prioritized action plan: which gaps to fix mid-term, which to address at renewal, and which to monitor, with estimated costs and specific negotiation language for the broker.

These audits started a conversation between the bank leaders, their brokers and carriers, and their boards that wasn’t happening before. The banks have reduced their uninsured exposure, and the process of closing the remaining gaps is underway.

None of these banks were aware of these coverage gaps before the risk audit. Brokers review each policy individually and manage the renewal. A Risk Intelligence Report reads the policies together, tests them against claim scenarios, and maps the seams between them. That is a different job.

What This Means for Your Bank

Your bank may use a different carrier, a different program, a different broker. Based on my audits across carriers and program types, the structural gaps will likely be similar. The seams between cyber, bond, and D&O are built into how these products are designed.

If nobody has read your policies side by side and asked which policy pays for realistic cyber scenarios, then you do not know where your coverage fails. You know what you bought. You do not know what you will collect.

A Risk Intelligence Report costs less than the response to a single wire fraud. If you want to know what your insurance program really covers, get in touch.
Joerg Proeve, Independent Risk Advisor

Independent Risk Advisor at Breezy Risk. 20+ years in insurance spanning carriers, startups, MGAs, and advisory. Background in engineering and cybersecurity. I audit insurance programs for financial institutions. I don't place insurance.
