The Fine Print Inside the Coverage

A community bank carries a $5 million cyber liability policy. The board sees $5 million on the declarations page and feels protected.

Then, a data breach exposes 45,000 customer records. Here is what happens next, and what the $5 million actually pays.

The Math

Five separate costs hit at once: breach response, two regulatory investigations (one federal, one state), class action defense, and the settlement itself. They all draw from the same $5 million pool.

Breach response. Notify 45,000 individuals, engage forensics, retain breach counsel, set up credit monitoring, manage a call center. Some carriers provide these services outside the aggregate. Many treat them as “Claim Expenses” inside the limit.

Regulatory investigation, federal. The OCC opens an examination. The bank must produce documents, respond to examiner inquiries, and retain specialized regulatory counsel. A federal banking examination after a cyber event is not a quick conversation.

Regulatory investigation, state. The state banking department opens a parallel investigation. The state attorney general’s consumer protection division sends a civil investigative demand. Not every breach triggers both state agencies, but a 45,000-record exposure with PII usually does. Each requires separate counsel, separate document production, separate responses. These run concurrently with the federal investigation, not sequentially.

Class action defense. A plaintiff’s firm files on behalf of affected customers. Motion practice, discovery, mediation. Even cases that settle early generate significant defense fees. And if the bank wants to fight but the carrier wants to settle, the policy’s “hammer clause” can cap the carrier’s exposure at the settlement offer the bank refused, typically plus defense costs incurred up to that point. The bank funds the rest. A “soft hammer” variant splits the excess between carrier and bank instead, so the exact wording matters.

Settlement or judgment. The class action settles for $1.5 million, a modest result for 45,000 affected records. Covered, but only if every prior cost came in at the low end.

Where the $5 Million Went

Breach response                $1,200,000
Federal regulatory defense       $500,000
State regulatory defense         $400,000
Class action defense             $750,000
Settlement                     $1,500,000
Total                          $4,350,000

Illustrative estimates. Actual costs vary by breach severity and jurisdiction. But the pattern holds: when costs escalate, the aggregate runs out.

Aggregate Erosion

$5.0M policy limit             $5,000,000
After breach response          $3,800,000
After regulatory defense       $2,900,000
After class action defense     $2,150,000
After settlement                 $650,000

Before sublimits and retentions. The actual recovery is lower.

That is the optimistic version. Now add the sublimits.

The Sublimit Problem

The $5 million on the declarations page is not $5 million of usable coverage. Inside that aggregate, individual coverages have their own caps.

Ransomware sublimit: $1 million. If the breach also involves an extortion demand, the bank can recover up to $1 million for the ransom payment and associated costs, not the full $5 million. The rest of the aggregate covers the rest of the incident, but the extortion component has its own ceiling.

Social engineering sublimit: $250,000. If the breach originated from a phishing attack that also enabled a fraudulent wire transfer, recovery for that transfer is capped at $250,000, one-twentieth of the aggregate, regardless of the size of the wire.

Dependent business interruption: $1 million. If the breach originated at a vendor, the bank’s business interruption recovery is limited to the sublimit, not the full BI coverage.

Regulatory defense sublimit: $500,000. Some policies cap regulatory proceedings costs. The bank absorbs everything above that threshold out of pocket, even though the aggregate has not been exhausted. In the scenario above, the combined $900,000 of federal and state regulatory defense exceeds that cap by $400,000, and the bank pays that $400,000 itself while $650,000 of aggregate is still sitting unused.

These sublimits do not stack neatly. A single incident can trigger multiple sublimits simultaneously. Each cap reduces what the bank collects. The aggregate is the theoretical maximum. The sublimits define the actual maximum.

The Retention Layer

Before any coverage responds, the bank pays the retention. A $25,000 retention sounds manageable. But retentions can apply per claim, per insuring agreement, or per coverage part. A multi-front incident that generates separate claims under different insuring agreements may trigger multiple retentions against the same event. A phishing attack that causes both a data breach and a wire transfer loss could trigger retentions under both the cyber and crime insuring agreements simultaneously.

Some policies apply the retention to defense costs. If the retention is $50,000 and regulatory defense counsel bills $75,000 before indemnity begins, the bank has already absorbed $50,000 before the policy pays anything.

Why Banks Face This More Than Most Businesses

A retail company that suffers a data breach deals mainly with state attorneys general and one class of plaintiffs. A bank deals with its primary federal regulator (FDIC, OCC, or Federal Reserve; NCUA for a credit union), the state banking department, the state attorney general, and potentially the CFPB.

Each investigation generates separate legal costs, separate document production, and separate defense counsel. The regulatory density is the multiplier that turns a manageable incident into an aggregate-exhausting event.

The Real Number

When regulators, plaintiff’s attorneys, and breach response teams are all drawing from the same policy at the same time, many community banks will discover that available recovery is materially lower than the stated aggregate limit. How much lower depends on the specific policy’s sublimits, retention structure, and whether defense costs erode the aggregate. But the pattern is consistent: the declarations page overstates what the bank can collect.

I see this in every bank insurance program I review. The limit is real. So is the language that erodes it.

The Fix

1. Check whether defense costs are inside or outside the aggregate. First or second page of the policy, usually in a "Notice to Policyholders" box. If defense costs erode the aggregate, every dollar spent on lawyers reduces the money available for settlements and breach response. Policies with defense outside the limit cost 15 to 25 percent more, but when defense alone can consume 40 percent of the aggregate, the math usually justifies it.

2. List every sublimit in the policy. Ransomware, social engineering, dependent BI, regulatory proceedings, PCI fines, crisis management. Add them up against a realistic scenario. If they collectively cap recovery well below the aggregate, the limit on the declarations page is aspirational.

3. Check whether breach response costs are inside or outside the aggregate. Some carriers provide breach response services outside the policy limit. If yours does not, breach response alone can consume 20 to 25 percent of the aggregate before any third-party claim is paid.

4. Model an incident and walk the numbers. Breach response, two regulatory investigations, class action defense, settlement. Apply the sublimits, retentions, and defense cost erosion. Present the result to the board alongside the declarations page limit. The conversation that follows is where the real decisions happen: increase the aggregate, negotiate higher sublimits, buy an excess layer, or accept the retained risk with eyes open.
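Step 4 is where a spreadsheet usually goes wrong, because retentions and sublimits interact with the order in which costs arrive. The model below is an added example written for this page; it is not part of the original article and not a Breezy Risk tool. It assumes the article's illustrative cost figures, a $500,000 regulatory sublimit, and a $25,000 cyber retention applied once per insuring agreement per event, and it lets you flip defense costs inside or outside the aggregate. Keying a claim to a second insuring agreement (for example "crime" for a wire transfer) triggers a second retention, which is the multi-front case the Retention Layer section describes.

```python
from dataclasses import dataclass, field


@dataclass
class Claim:
    """One cost stream from a single incident (constructed for this example)."""
    name: str
    cost: float
    coverage_part: str        # which sublimit applies, e.g. "regulatory"
    insuring_agreement: str   # which retention applies, e.g. "cyber" or "crime"
    is_defense: bool = False  # defense costs may sit inside or outside the aggregate


@dataclass
class Policy:
    aggregate: float
    sublimits: dict = field(default_factory=dict)   # coverage_part -> cap, inside the aggregate
    retentions: dict = field(default_factory=dict)  # insuring_agreement -> retention per event
    defense_inside_aggregate: bool = True


def model_recovery(policy: Policy, claims: list) -> dict:
    """Walk the claims in order and return what the carrier pays versus what the bank absorbs.

    Order matters: costs that arrive first draw the aggregate down first, which is
    why breach response and defense can leave little for the settlement.
    """
    remaining = policy.aggregate
    sublimit_used: dict = {}
    retention_paid: dict = {}
    paid: dict = {}
    uncovered: dict = {}
    for c in claims:
        loss = c.cost
        # Retention: the bank absorbs the first dollars, once per insuring agreement per event.
        ret = policy.retentions.get(c.insuring_agreement, 0.0)
        already = retention_paid.get(c.insuring_agreement, 0.0)
        absorbed = min(loss, max(ret - already, 0.0))
        retention_paid[c.insuring_agreement] = already + absorbed
        loss -= absorbed
        # Sublimit: a cap on this coverage part for the policy period, shared by every
        # claim that falls under it, regardless of how much aggregate is still unused.
        cap = policy.sublimits.get(c.coverage_part)
        if cap is not None:
            used = sublimit_used.get(c.coverage_part, 0.0)
            loss = min(loss, max(cap - used, 0.0))
            sublimit_used[c.coverage_part] = used + loss
        # Aggregate: everything inside the limit erodes it; defense outside the limit does not.
        if c.is_defense and not policy.defense_inside_aggregate:
            payment = loss
        else:
            payment = min(loss, remaining)
            remaining -= payment
        paid[c.name] = payment
        uncovered[c.name] = c.cost - payment
    return {
        "paid": paid,
        "uncovered": uncovered,
        "total_paid": sum(paid.values()),
        "total_uncovered": sum(uncovered.values()),
        "remaining_aggregate": remaining,
    }


def page_scenario() -> tuple:
    """The article's illustrative figures; the sublimit and retention values are assumptions."""
    policy = Policy(aggregate=5_000_000,
                    sublimits={"regulatory": 500_000},
                    retentions={"cyber": 25_000},
                    defense_inside_aggregate=True)
    claims = [
        Claim("breach response", 1_200_000, "breach_response", "cyber"),
        Claim("federal regulatory defense", 500_000, "regulatory", "cyber", is_defense=True),
        Claim("state regulatory defense", 400_000, "regulatory", "cyber", is_defense=True),
        Claim("class action defense", 750_000, "liability", "cyber", is_defense=True),
        Claim("settlement", 1_500_000, "liability", "cyber"),
    ]
    return policy, claims


def defense_placement_gain(policy: Policy, claims: list) -> float:
    """Extra dollars recovered if the same policy had defense costs outside the aggregate."""
    inside = model_recovery(policy, claims)["total_paid"]
    outside_policy = Policy(policy.aggregate, policy.sublimits, policy.retentions,
                            defense_inside_aggregate=False)
    outside = model_recovery(outside_policy, claims)["total_paid"]
    return outside - inside


if __name__ == "__main__":
    policy, claims = page_scenario()
    result = model_recovery(policy, claims)
    for name, amount in result["uncovered"].items():
        if amount:
            print(f"bank absorbs {amount:>12,.0f} on {name}")
    print(f"carrier pays {result['total_paid']:,.0f} of {sum(c.cost for c in claims):,.0f}; "
          f"{result['remaining_aggregate']:,.0f} aggregate left unused")
    # Same incident with a $3.0M settlement instead of $1.5M: defense placement now matters.
    claims[-1] = Claim("settlement", 3_000_000, "liability", "cyber")
    print(f"with a $3.0M settlement, defense outside the limit is worth "
          f"{defense_placement_gain(policy, claims):,.0f} more")
```

With the article's numbers the model pays $3,925,000 of the $4,350,000 incident and leaves $1,075,000 of aggregate unused, while the bank absorbs $425,000 (the retention plus the $400,000 of regulatory defense above the sublimit). Raising the settlement to $3.0 million exhausts the aggregate, and at that point moving defense outside the limit is worth $425,000 of additional recovery, which is the trade-off step 1 asks the board to price.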

The limit on your declarations page is what the carrier promises at maximum. The sublimits, retentions, and carve-outs determine what the bank actually collects. The gap between those two numbers is the gap most boards have never seen.

Sublimit erosion is one of the structural issues that appears across all three bank policies. I map the full picture in Five Common Cyber Incidents, Three Policies, and the Gaps Between Them.

This is the kind of analysis a Risk Intelligence Report provides: the gap between the declarations page and the actual recovery, mapped against your specific policy language.

Joerg Proeve, Independent Risk Advisor

Independent Risk Advisor at Breezy Risk. 20+ years in insurance spanning carriers, startups, MGAs, and advisory. Background in engineering and cybersecurity. I audit insurance programs for financial institutions. I don't place insurance.