The Cheap-Good-Fast Triangle of Insurance

There is an old rule in consulting: cheap, good, or fast. You get two. You manage the tradeoff, or the tradeoff manages you.

Insurance distribution made its choice a long time ago. Cheap and fast won.

Brokers earn commissions when a policy is placed, and earn them again at renewal. Their incentive is to place and renew. Reading 60 pages of policy language against a bank’s operations, contracts, and regulatory exposure generates no revenue.

The InsurTech ecosystem spent the last decade accelerating the same two sides: faster quoting, instant bind, auto-renewal.

The side that fell away was “good.”

Most bank insurance programs have never had a line-by-line review of what the policy language says versus what the financial institution faces.

What that looks like when a loss hits

Having a policy is not the same as being protected. The gap between the two shows up especially across the three policies every community bank carries: cyber, D&O, and the fidelity bond.

Cyber: the limit that disappears.

A bank buys a $5 million cyber policy. The number looks sufficient on the declarations page. But defense costs sit inside that aggregate limit. A data breach triggers simultaneous investigations from the FDIC, state banking examiners, and the state attorney general. A class action from affected customers adds another front. Legal fees across four simultaneous proceedings consume the aggregate before any damages or settlements are paid. The bank bought a $5 million limit. That limit was consumed before indemnity applied.

Fidelity bond: the fraud coverage that isn't there.

Business email compromise, deepfake voice fraud, and vendor impersonation are the number one fraud threat to financial institutions. The FBI estimates over $3 billion in annual business email compromise losses. Most fidelity bonds carry a social engineering endorsement, but it often comes with sublimits, co-payment clauses, or verification requirements that reduce recovery well below the face amount. A bank with a $2 million bond may collect less than half that on a wire fraud loss, and the board may never have been told.

D&O: the exclusion nobody read.

Many banks’ D&O policies contain a blanket cyber event exclusion: claims “arising from” a data breach or failure of computer security. After a breach, examiners investigate the board’s cybersecurity oversight. That is a D&O matter. But the D&O policy does not respond because the claim “arises from” a cyber event. The cyber policy covers breach response costs, not claims against individual board members for oversight failures. After a breach, neither policy covers the investigation of the board.

What “good” looks like

“Good” means someone reads the policy language and cross-references it against the bank’s operations, contracts, regulatory exposure, and the loss scenarios it is most likely to face. It means mapping how multiple policies interact when a single event triggers claims across cyber, the fidelity bond, and D&O simultaneously, because carriers will point at each other before they pay.

I have spent 20 years in insurance, including carrier-side roles at two of the largest insurers in the world. From that vantage point, you learn where the language is tight and where it is ambiguous, and which exclusions carriers will enforce at claim time. That’s what “good” means: someone who reads the contract the way the carrier’s claims team will read it when a loss is filed.

Two out of three

Two out of three works fine until a loss hits. Then the side you chose not to manage is the only one that matters.

If nobody has read your policies side by side and tested which one pays for realistic scenarios, you know what you bought, but you don’t know what you’ll collect.

For the complete analysis with additional examples, read the full article on Substack. If you want to know what your bank’s insurance program covers, get in touch.

Joerg Proeve, Founder and Independent Risk Advisor
Joerg Proeve

Founder and Independent Risk Advisor at Breezy Risk. His insurance career spans carriers, startups, MGAs, and advisory, with a background in engineering and cybersecurity. He audits insurance programs for financial institutions.

More about Joerg →