Internet Banking: A Risk Management Primer For Directors

Robert Mann - Division Claims Manager, Progressive Insurance

Judith Yokaitis-Skutnik - Litigation Manager, Progressive Insurance

Gina Juhnke - Product Manager, Progressive Insurance

Internet Banking: A Risk Management Primer for Directors is brought to you by the ABA-sponsored insurance program. As part of our Loss Control Series of White Papers, the intent of this document is to share best practices that can impact the financial institution's bottom line. We welcome your questions, comments and suggestions for future Loss Control topics. Please contact us at 800-274-5222 or visit our website at www.progressivebanks.com.

I. Introduction

As a director of a financial institution, one of the following most likely applies to you:

  • Your institution offers Internet banking.

  • Your institution is in the process of implementing an Internet banking program.

  • Your institution is considering venturing into Internet banking in the near future.

Community banks continue to move online at a rapid pace. Many directors of financial institutions do not have expertise in the technical aspects of Internet banking and may actually feel intimidated when looking at these issues. As a result, directors rely heavily on systems personnel and third-party vendors to ensure that the appropriate technology is in place to protect the assets and data integrity of the financial institution.

Simply because there is a technological component to Internet banking, however, does not mean that directors can abrogate their legal responsibilities to manage the process. While it is not necessary to develop an intimate understanding of the technical aspects of the Internet, the Board must become involved in the planning, deployment and ongoing monitoring of the financial institution's Internet banking program.

Internet banking risks extend beyond the technical realm of programming, hardware, software and security. These risks need to be evaluated and addressed at the highest level of management. As with any new product offering, you are responsible for safeguarding the integrity and assets of the institution by taking steps to mitigate risk. For example, as a director you must:

  • understand the risks inherent in the product offering;

  • establish and monitor policies and procedures to minimize risk;

  • perform proper vendor due diligence and oversight; and

  • ensure that the risks are adequately covered by insurance.

As a director, you are personally accountable to customers, shareholders and regulators. Failure to manage risk appropriately can not only damage the business, but can also lead to personal liability, through suits from shareholders, customers and third parties, as well as regulatory penalties and Internet fraud charges.

There have been many, and there are sure to be more, articles written about the various aspects of Internet banking, all of which approach the topic from a different perspective. The primary focus of this paper will be on:

  • the duties and responsibilities of directors with regard to deploying an Internet banking platform;

  • the risks inherent in this new technology;

  • risk management tools that can be used to minimize these risks; and

  • insurance solutions to further protect you and your financial institution.

II. Directors' Duties and Responsibilities

The directors of a financial institution may be responsible for loss or injury that results from a failure to fulfill their duties. The Business Judgment Rule protects the Board of Directors in certain instances, but only if the directors make informed decisions in good faith. It is critical to remember that it may not be enough to simply assert good faith in the decision-making process; it is imperative to use documentation to prove that the Board was well informed and intricately involved in the decision-making process. Once the decision has been made to proceed with an Internet banking program, it is important that directors understand their duties and responsibilities, such as:

  • Duty of Care: directors must discharge their duties in good faith, with the care a prudent person in a similar position would exercise under similar circumstances, and in a manner he or she reasonably believes to be in the best interests of the corporation. All Internet banking issues must be considered with this duty of care in mind.

  • Strategic Planning and Business Development: It is important that the Board of Directors have a vision for the institution in mind before rushing to implement an Internet banking program. Directors often feel compelled to offer Internet banking to be competitive, but fail to plan strategically to ensure its success. The risks, goals and objectives, and resources required to deploy the Internet banking program should be documented in a formal written Strategic Plan. In lieu of a separate Internet Banking Strategic Plan, an institution's existing Strategic Plan can be modified to incorporate the impact of Internet banking.
    A written Strategic Plan serves two purposes: 1) it provides management with a framework for the bank's Internet banking program; and 2) it documents director involvement and oversight in developing the program.

  • Policy Formation: Directors must formulate policies and procedures to chart the course of the financial institution's Internet banking program. Before the program is implemented, all of the institution's policies and procedures should be evaluated to determine if they need to be modified or updated to incorporate Internet banking. New policies and procedures should be implemented, if necessary.

  • Supervision and Accountability: It is important that the Internet banking program is adequately managed to ensure the safe and solvent operation of the institution. The Board must provide adequate resources and require that management implement the plan within the designated time frame. Documentation of meetings, discussions and actions taken to correct deficiencies in the Internet banking program is crucial in maintaining control and establishing Board oversight.

These duties provide a framework for the Board's involvement in establishing the Internet banking program. The same duties exist with regard to traditional "brick and mortar" services; the difference is that the average financial institution director understands "brick and mortar" banking. As a financial institution director, you will need to reach that same level of familiarity with Internet banking. In an effort to assist you in this endeavor, the following section outlines some of the risks related to Internet banking.

III. Internet Banking Risks

The Internet is not simply another distribution channel for the financial institution's products, and offering banking services on the Internet is not as simple as adding a new branch. Further, the risks presented by Internet banking extend beyond the realm of firewalls and access controls. It cannot be overstated that the risks of offering Internet banking need to be actively evaluated and addressed by the Board; mere reliance upon technical "gurus" will not suffice.

Beyond the highly publicized concerns regarding hackers and viruses that can threaten the institution's performance, Internet banking heightens various types of traditional risks. A complete understanding of how these general business risks affect the financial institution - and, potentially, its directors - must be considered and addressed before senior management and the Board approve a plan to implement an Internet banking platform.

Regulators outline six general business risk categories (strategic, operational, reputation, transactional, compliance, and credit) that may be impacted by implementing an Internet banking program. These risk categories are discussed briefly below, with emphasis on directors' duties and responsibilities.

A. Strategic Risk

Expanding into Internet banking requires as much, if not more, strategic evaluation and planning by management as expanding existing banking services into a new geographic or economic area. Strategic risk may arise from a lack of appropriate planning and implementation of Internet technology or from a failure to adequately evaluate how Internet banking will impact the institution's overall business strategy.

Poor financial performance arising from a badly designed website or from over-commitment of the institution's resources to Internet banking at the expense of more traditional activities can result in impaired earnings and/or capital, ultimately giving rise to shareholder class action lawsuits or regulatory actions against your directors.

B. Operational Risk

Universal access to the Internet eliminates traditional geographic boundaries, and provides a larger pool of potential customers compared to conventional forms of marketing. Internet customers have a greater tendency to shop for the best rates and terms and may exhibit little or no loyalty to a particular institution. This can increase deposit volatility arising from shifts in interest rates. Further, a financial institution may be exposed to price risk if it uses the Internet to create or expand its deposit brokering, loan sales or securitization programs. Consequently, the institution must be ready to respond quickly to changes in market conditions, must have appropriate asset/liability and loan portfolio management systems in place, and may need to increase monitoring of liquidity and fluctuations in the loan and deposit ratio.

Since Internet banking broadens the institution's pool of potential customers, it also increases the risk of being sued in an unfriendly or inconvenient venue. The effect of such broadened exposure on the financial institution's resources and the ability of the institution to respond to suits in distant jurisdictions must be fully evaluated. Consideration should be given to limiting the financial institution's exposure through geographic restrictions of customers.

C. Reputation Risk

Negative publicity about a financial institution's Internet banking services can affect relationships with existing and potential customers, lead to expensive litigation, and impair earnings and capital. Damage to the institution's reputation can occur if its Internet banking program is not user-friendly or is unreasonably slow. Reports of unauthorized access to information via the financial institution's website can create concerns about the confidentiality of customers' financial information. Loss of communications or other system failures can also impact the bank's reputation.

Hyperlinks to third-party websites may be viewed by financial institution customers as an endorsement of the products, services or information on the third-party's website. To mitigate potential problems arising from acts of the third-party (i.e., if the third-party site contains inaccurate or offensive information), the website should make it clear to users when they are leaving the website and transferring to the site of another entity with proper disclaimers of liability. The institution should also have procedures in place to evaluate the websites of third-parties before and after any link is established.

D. Transactional Risk

Transactional risk is the risk to earnings and capital resulting from fraud, error, or inability to deliver the product or service. In an Internet banking environment, the institution is exposed to significant transactional risk due to potential deficiencies in system reliability and integrity, internal (employee) and external (hacker) security breaches, poor design, implementation and maintenance, and customer misuse, both intentional and unintentional.

Additional transactional risk results from the need to outsource many Internet-related activities to third-party service providers, whose practices are beyond the immediate control of the institution. The inability of a vendor to provide reliable, secure service for any reason or the vendor's failure to maintain confidentiality of customer data can result in claims against the institution.

E. Compliance Risk

Compliance risk arises from potential violations of the many statutes, rules and regulations to which the financial services industry is subject. Violations of these rules expose the institution, and possibly its directors, to fines, civil money penalties, civil damages and regulatory orders. Violations can also lead to reputation damage, loss of business opportunities, reduced earnings and lack of contract enforceability.

In general, all of the statutes, rules and regulations that apply to "brick and mortar" banking also apply to banking services provided on the Internet. This includes consumer protection laws and regulations, which require particular disclosures in connection with certain consumer transactions; regulations concerning display of the FDIC insurance notice; currency transfer laws; and the Bank Secrecy Act.

However, it is not always clear how laws and regulations designed for a "brick and mortar" institution should be implemented in the changing technological environment of an Internet website. Thus, the risk associated with compliance with the myriad statutes, rules and regulations to which all financial institutions are subject is heightened when the institution provides services or information on the Internet. If Internet banking services are provided to customers in foreign countries, regulatory compliance is further complicated since these countries may seek to apply their laws and regulations to a foreign bank conducting transactions with a customer located in that country.

F. Credit Risk

Credit risk is the risk of financial loss to the institution resulting when a borrower or other obligor fails to meet contractual obligations. The inherent lack of personal contact, potential geographic distance and difficulties of verifying collateral and perfecting security agreements magnify credit risk in the Internet banking scenario. Concentration in out-of-area credits or credits within a single industry provides additional risk. Analysis of credit risk is further complicated by the unsettled question of which state or country's law controls an Internet relationship.

The Board must ensure that its directors understand the risks associated with Internet lending transactions and that their lending policies, procedures and practices adequately address the unique risks associated with such transactions.

IV. Risk Management Tools

Once management has assessed the risks of deploying an Internet banking platform and decided to proceed with offering Internet banking services, the following risk management tools are necessary to ensure that the safety and soundness of the institution are preserved.

  • Management Oversight

  • Strategic Plan

  • Vendor Due Diligence

  • Audit and Internal Controls

  • Compliance Review

  • Insurance

A. Management Oversight

Consistent with its other duties to the institution, the Board of Directors bears the ultimate responsibility for the deployment of electronic systems and should approve the overall business and technology strategies. The heightened risks inherent in Internet banking - stemming from global access to confidential and proprietary information, rapidly advancing technology, significant allocation of resources and reliance on vendor competence - compel active Board oversight.

This process involves undergoing a comprehensive risk analysis and feasibility study, formalizing a Strategic Plan, and developing appropriate written policies and procedures. The Strategic Plan should be reviewed at least annually and updated as needed to address technological advances and material changes or major deviations. As always, documentation of all critical aspects of the process should be detailed in the Board minutes. Documentation of this process is a critical component in formulating a defense using the Business Judgment Rule.

Management should have the authority and resources to implement the Internet banking plan; however, failure of the Board to oversee its direction and continuously monitor the implementation against the Strategic Plan can result in not only risk to the integrity of the institution, but also personal liability for directors and officers. In the face of any potential exposures, management involvement and Board oversight are evidenced through:

  • board minutes documenting director discussions regarding the planning process;

  • a written Strategic Plan formalizing the Internet banking plan;

  • documentation of the risk analysis and steps taken to mitigate risks; and

  • implementation of adequate policies and procedures.

B. Strategic Plan

In a recent survey of community banks involved in Internet banking, 52% did not have a Strategic Plan. Such a plan is critical to ensure that the Board of Directors performs adequate due diligence. As with any significant new business venture, the Strategic Plan should answer the following questions:

Business Rationale/Vision

  • What is our objective in entering the Internet arena?

  • How does Internet banking further our corporate vision?

  • How does this new product dovetail with existing product lines?

  • How does this venture impact our existing and potential customer base?

Risk Analysis

  • What are the risks inherent in Internet banking?

  • Is our institution particularly vulnerable to any of these risks given its own unique risk profile?

  • What steps must be taken to mitigate these risks?

Cost Analysis

  • What are the startup and ongoing expenses?

  • Have we contemplated maintenance and system upgrades, and incremental staffing (potentially a technology officer, including IT support staff and additional audit support)?

  • What are the costs of employee training, advertising, customer education, and legal expenses?

Operating Policy and Procedures

  • How does this new product impact existing policies and procedures?

  • Do any of the existing policies and procedures need to be modified?

  • What new policies and procedures need to be documented and implemented?

Planning and Deployment

  • What areas of the organization will be affected and which areas should be involved in the planning and deployment?

  • What are the time frames and deliverables?

  • Who is responsible and for what?

  • Are there systems in place to hold individuals accountable?

Audit and Monitoring Techniques

  • Have the vendor's internal controls and audit plan been determined to be adequate?

  • Are existing internal audit resources sufficient?

  • Have the internal and external audit procedures been modified to address Internet banking and Internet usage?

Vendors and Outsourcing

  • Has the appropriate due diligence for selecting an Internet banking vendor been completed and documented?

  • Are we comfortable that service and security standards will be met?

  • Are the appropriate procedures in place to monitor deliverables and service standards on an ongoing basis?

  • Have the vendor's internal controls and audit plan been determined to be adequate?

Legal and Regulatory

  • Has internal and/or external counsel reviewed all vendor contracts?

  • Has the institution's compliance officer been involved in the planning and deployment of the website to ensure regulatory compliance?

Privacy Policy

  • Has the institution's privacy policy been communicated to the vendor?

  • Are the appropriate reviews in place to ensure that the privacy policy is upheld?

  • Is the online privacy policy consistent with regulatory requirements?

Disaster Recovery and Contingency Plans

  • Do we have adequate internal disaster recovery and contingency plans?

  • Are the vendor's disaster recovery and contingency plans consistent with those already established for the institution?

Just like any other Strategic Plan, the Internet banking Strategic Plan should be reviewed regularly and modified as necessary, both pre- and post-implementation, and issues and their resolutions presented to senior management and the Board. A Strategic Plan must be dynamic and reflect the experience and forward vision of the institution, or it will not be effective as a tool for managing the risks inherent in the undertaking.

C. Vendor Due Diligence

Financial institutions venturing into the Internet arena rely heavily on external vendors to provide technological expertise beyond the grasp of the financial institution's management. Reliance on a third-party to perform critical functions, particularly in the Internet arena, demands that management scrutinize the vendor very closely to ensure that it meets the institution's needs and minimizes potential exposures. Due diligence must take into consideration the following four areas:

  1. Expertise, Reputation and Service Expectations: The vendor must possess the technical expertise to provide and service the Internet banking program. While management will not likely possess the technical expertise to evaluate the vendor's abilities, due diligence should include researching regulatory and independent third-party reviews, as well as peer references.

    Regulators conduct intensive reviews of all major vendors that provide Internet banking products. They require that all Internet banking vendors undergo an external audit and security assessment, the results of which are available to management. There may also be other vendor information available to assist you in your efforts. For example, the Banking Industry Technology Secretariat (BITS), in an effort to further the growth and safety of Internet banking, has developed criteria by which a vendor can obtain a BITS "tested mark", ensuring that the vendor and its products have met established security criteria.

    As with all outsourcing arrangements, it is prudent to consult with the vendors' customers to gauge post-implementation satisfaction. You should also contact state and national industry associations to collect any available information about potential vendors. Be sure to document your efforts and ultimate decisions regarding your choice of an Internet banking vendor.

  2. Security, Monitoring Reports and Systems Testing: Security precautions, including firewalls, encryption and intrusion detection, as well as contingency and disaster recovery plans for the Internet banking vendor, must be adequate to safeguard both the assets of the institution and the integrity of its data. Further, audit reports and systems monitoring reports should not only be available, but should be reviewed by both vendor management and the financial institution. In order to assist you in managing transaction risk, reports should be available to monitor:

    • transaction activity to look for anomalies in transaction types, volumes, values and time-of-day presentment;

    • log-on violations or failed log-on attempts, to identify patterns of suspect activity; and

    • restricted transactions, correcting and reversing entries or unsuccessful attempts to access restricted information.


    The institution should also determine the extent and frequency of systems testing at the vendor level. Stress testing to confirm system capacity, and vulnerability or penetration testing to confirm security, should be performed on a regular basis to safeguard the financial institution's assets.

    In addition, the vendor should be required to undergo periodic security audits by a qualified third-party, and the results of those audits should be made available to management in a timely fashion.

  3. Indemnification, Liability and Insurance: Many vendor contracts disclaim vendor liability for negligence, errors and omissions. It is therefore imperative that, in addition to standard contract provisions, the institution have counsel review the contract language with regard to limitations of liability and indemnification. All vendor contracts should hold the financial institution harmless for losses resulting from vendor negligence, misconduct, and breach of security. If the vendor contract does not contain these provisions, the institution may be assuming liability under contract for which it would not otherwise be held legally liable.

    In addition to the financial condition of the vendor, management should explore the extent of insurance that the vendor maintains to protect itself and its customers against losses arising from negligence, misconduct, breach of security and liability exposures.

  4. Financial Condition: In a recent discussion about Internet banking vendors, one community banker expressed that "I rely on them tremendously and their contract holds them liable for any problems that arise; however, looking at their financial condition, I'm not sure I'd make a loan to them!" While a vendor may assume full liability by contract, financial instability may negate any indemnification in the case of a severe loss. After the Internet banking program is implemented, management should continue to monitor the financial condition of the vendor on an ongoing basis. Establishing a process to monitor the institution's vendors will help to avoid an interruption of service caused by an unanticipated decline in or cessation of vendor operations.
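The monitoring reports described under item 2 (anomalies in transaction type, volume, value and time-of-day presentment; repeated log-on failures; unsuccessful attempts to reach restricted functions) can be reduced to a handful of mechanical checks. The following is an added illustration written for this page, not code from the paper, from Progressive Insurance, or from any vendor the paper mentions. The transaction and authentication records are constructed sample data, and the thresholds (business-hours window, 5x value factor, burst and failure counts) are assumptions that a real institution would tune against its own baseline.

```python
"""Illustrative monitoring checks over constructed Internet banking logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records for this example; not data from the paper.
TRANSACTIONS = [
    # (timestamp, account, transaction type, amount)
    ("2001-03-05 09:15:00", "A-100", "transfer", 250.00),
    ("2001-03-05 10:02:00", "A-100", "transfer", 300.00),
    ("2001-03-06 09:40:00", "A-100", "transfer", 275.00),
    ("2001-03-07 02:47:00", "A-100", "transfer", 9500.00),  # off-hours and far above baseline
    ("2001-03-05 11:00:00", "A-200", "billpay", 120.00),
    ("2001-03-05 11:05:00", "A-200", "billpay", 130.00),
    ("2001-03-05 11:06:00", "A-200", "billpay", 125.00),
    ("2001-03-05 11:07:00", "A-200", "billpay", 140.00),
    ("2001-03-05 11:08:00", "A-200", "billpay", 135.00),  # fifth transaction in eight minutes
]

AUTH_EVENTS = [
    # (timestamp, user, result)
    ("2001-03-05 08:00:00", "jdoe", "success"),
    ("2001-03-05 08:00:10", "msmith", "failure"),
    ("2001-03-05 08:00:25", "msmith", "failure"),
    ("2001-03-05 08:00:40", "msmith", "failure"),
    ("2001-03-05 08:01:05", "msmith", "failure"),
    ("2001-03-05 08:01:30", "msmith", "success"),
    ("2001-03-05 08:03:00", "msmith", "restricted_denied"),  # denied access to a restricted function
]

# Assumed thresholds; an institution would set these from its own history.
BUSINESS_HOURS = range(6, 22)      # 06:00 to 21:59 counts as normal presentment time
VALUE_FACTOR = 5.0                 # amount above 5x the account's prior average is anomalous
MIN_BASELINE = 2                   # prior transactions needed before judging value
BURST_COUNT, BURST_WINDOW = 5, timedelta(minutes=10)
FAIL_COUNT, FAIL_WINDOW = 4, timedelta(minutes=5)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _sliding_window_hits(stamps, count, window):
    """True if any `count` consecutive timestamps fall within `window`."""
    stamps = sorted(stamps)
    for i in range(len(stamps) - count + 1):
        if stamps[i + count - 1] - stamps[i] <= window:
            return True
    return False


def transaction_alerts(transactions):
    """Flag off-hours presentment, value outliers against the account's own history, and bursts."""
    alerts = []
    history = defaultdict(list)   # account -> amounts seen so far, in time order
    stamps = defaultdict(list)    # account -> timestamps seen
    for raw_ts, account, txn_type, amount in sorted(transactions):
        ts = _ts(raw_ts)
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours", account, f"{txn_type} {amount:.2f} at {raw_ts}"))
        prior = history[account]
        if len(prior) >= MIN_BASELINE:
            avg = sum(prior) / len(prior)
            if amount > VALUE_FACTOR * avg:
                alerts.append(("value_outlier", account, f"{amount:.2f} vs prior avg {avg:.2f}"))
        prior.append(amount)
        stamps[account].append(ts)
    for account, seen in stamps.items():
        if _sliding_window_hits(seen, BURST_COUNT, BURST_WINDOW):
            alerts.append(("volume_burst", account, f">= {BURST_COUNT} transactions within {BURST_WINDOW}"))
    return alerts


def auth_alerts(events):
    """Flag repeated log-on failures and any denied attempt on restricted functions."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of failed log-ons
    for raw_ts, user, result in events:
        if result == "failure":
            failures[user].append(_ts(raw_ts))
        elif result == "restricted_denied":
            alerts.append(("restricted_access_attempt", user, raw_ts))
    for user, seen in failures.items():
        if _sliding_window_hits(seen, FAIL_COUNT, FAIL_WINDOW):
            alerts.append(("repeated_logon_failure", user, f">= {FAIL_COUNT} failures within {FAIL_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for alert in transaction_alerts(TRANSACTIONS) + auth_alerts(AUTH_EVENTS):
        print(*alert, sep=" | ")
```

Run against the constructed data, the checks raise three transaction alerts (an off-hours transfer, the same transfer as a value outlier against the account's average, and a bill-pay burst on a second account) and two authentication alerts (four failed log-ons inside five minutes, and one denied attempt on a restricted function). The point for the Board is not the code but the fact that each report the paper calls for corresponds to a concrete, reviewable rule whose thresholds management can ask the vendor to justify.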

D. Audit and Internal Controls

Many directors make the mistake of assuming that they can rely on the vendor to provide the appropriate audit and internal controls for the Internet banking platform. However, it is imperative that the appropriate audit and internal control procedures also be implemented internally.

If audit trails are insufficient, electronic fraud might go undetected for a significant period of time. Regular audits of internal control systems help ensure that internal controls are appropriate and functioning properly. The internal audit policy should be modified to encompass all online activities, and internal controls should be commensurate with the level of Internet risk. An objective independent review of the institution's online banking product, through the development phase and ongoing operation, is also critical to detect any weaknesses in security or operations. Therefore, management should ensure that both the internal and external audit functions are adequately comprehensive and encompass all electronic banking activities.

E. Compliance Review

To ensure that the institution minimizes compliance risk when introducing any type of Internet service, the compliance officer should be involved throughout the development and implementation stages to ensure that all relevant compliance issues are addressed. It is critical that institutions providing electronic delivery services maintain an in-depth knowledge of the continuously evolving statutes and regulations as they are modified to address Internet banking.

Ensuring that the Internet banking vendor has an understanding of compliance issues is also important in laying the groundwork for compliance. Continuous monitoring of developments in banking regulations is a process that all financial institutions must have in place. How these banking rules and regulations impact Internet banking and the website should be incorporated into the regular compliance review function.

The following is a list of banking rules and regulations that could be implicated with regard to Internet banking:

  1. Deposit Services

    • Regulation E - Electronic Funds Transfer Act

    • Regulation CC - Expedited Funds Availability Act

    • Regulation D - Reserve Requirements of Depository Institutions

    • Regulation DD - Truth in Savings Act


  2. Loan/Leasing Services

    • Regulation M - Consumer Leasing Act

    • Regulation B - Equal Credit Opportunity Act

    • Fair Credit Reporting Act

    • Fair Housing Act

    • Regulation C - Home Mortgage Disclosure Act

    • Regulation Z - Truth in Lending Act

    • Fair Debt Collection Practices Act


  3. Miscellaneous

    • Flood Disaster Protection Act

    • Community Reinvestment Act

    • Bank Secrecy Act (including funds transfer rules)

The following are examples of how some of these regulations may apply:

Disclosures: While some regulations allow for electronically-delivered disclosures, others have not yet been updated to address electronic delivery, and the requirements for paper disclosures sometimes still apply to electronic transactions. In these cases, the institution must continue to provide the customer with paper disclosures. Electronic disclosures must be "clear and conspicuous". Failure to provide proper disclosure may result in regulatory penalties.

Advertising: The FDIC considers every insured depository's "home page" to be an advertisement. Therefore the home page of every institution should display the logo and official "FDIC Insured" advertising statement, as should any other pages that contain an "FDIC Insured" advertisement. Website advertising, whether on the institution's own website or via a link to a third-party site, requires close scrutiny to ensure compliance with all regulatory requirements.

Lobby Notices: Internet or other systems where a credit application can be made online may be considered a "place of business" for purposes of HUD rules prescribing lobby notices. Thus, lobby notices should be included on the website where applicable.

Privacy Issues: Privacy of consumer information continues to be an increasing concern among legislators and regulators. In addition to consumer privacy protections mandated in such statutes as the Fair Credit Reporting Act and the Electronic Fund Transfer Act, recent statutory and regulatory enactments impose additional obligations upon financial institutions. The privacy provisions of the Gramm-Leach-Bliley Act impose significant obligations regarding use or sharing of non-public consumer information and the disclosures that must be provided to consumers in connection with use of the information.

The institution should include assessment of the information collected from Internet transactions and uses of that information in determining its disclosure obligations. For example, if any part of the institution's websites or online services is directed to or collects information about children, regulations relating to the Children's Online Privacy Protection Act must also be considered.

F. Insurance

Even with the best review and controls in place, losses may occur. As a safety net, the institution's insurance program should be reviewed very closely to ensure that losses stemming from Internet banking are covered to the fullest extent possible. At the very least, the Board should consult with an insurance professional to determine the scope of existing coverage. It may be appropriate to increase the limits on your existing insurance policies or purchase an "e-insurance" policy to cover your Internet banking exposure.

Before you review your insurance portfolio with your insurance professional, be sure that you understand the types of products and services offered over the Internet, functionality of the website, customer base, reliance upon third-party service providers, contractual arrangements, and use of web technology.

When you review your insurance portfolio, you will find that the insurance industry has not kept pace with technological change; therefore, existing policies may not cover, or only partially cover, losses resulting from Internet banking.

V. Insurance Implications and Potential Gaps in Coverage

A brief description of the potential gaps in coverage that may exist within your institution's existing insurance portfolio is outlined below.

A. Directors & Officers (D&O) Liability Policy

The D&O policy protects directors and officers against personal liability arising from suits brought against them for actions taken while acting in the capacity of a director or officer of the financial institution. Although there is typically no exclusion to limit coverage, the absence of specific references to Internet banking in existing policies may be used as a defense by some carriers in the face of large Internet banking losses.

As the D&O policy was developed long before the advent of Internet banking, online activity presents new risks that may actually be excluded under the traditional policy. For example, this new medium introduces a whole new universe of liability exposures related to invasion of privacy, advertising, and libel and slander - many of which are currently excluded under most D&O policies.

Your D&O carrier should be consulted with regard to coverage related to Internet banking. Further, due to the potential for loss, higher limits of liability should be considered to adequately protect the personal assets of the directors and officers.

B. Entity Errors & Omissions Coverage

The D&O policy applies only to liability incurred by the directors and officers, but does not cover the institution itself if it is named in a lawsuit. In the impersonal world of Internet banking, it is probable that lawsuits will name the financial institution only, or the institution in conjunction with its directors and/or officers. Such lawsuits may be brought by shareholders, regulatory agencies, customers or other third parties.

Some insurance policies provide entity coverage for "professional services" or delineate specific activities or covered parties. Such policies need to be scrutinized very closely to ensure that the institution is adequately protected for its Internet banking services. Given that technology is changing rapidly and that all of the risks are not yet known, a broad-form policy or endorsement is preferable to a named-peril or "professional services" approach to providing entity coverage.

C. Commercial General Liability Policy

Claims such as slander, libel, and defamation are typically excluded under the D&O Policy and covered under the Commercial General Liability (CGL) Policy. It is not clear whether such liability resulting from Internet banking activity is covered, for the following reasons:

  • Most CGL policies include a "Banking Practices" or "Professional Services" exclusion that may exclude losses from Internet banking.

  • Advertising liability coverage only applies to offenses committed in the course of advertising the financial institution's own goods, products or services. Financial institutions may use their websites for linking or banner advertising capabilities to generate additional fee income. The advertising injury component of the CGL Policy specifically excludes advertising for others.

  • Although the Internet has no geographic boundaries, coverage provided under the CGL Policy is territory-specific, and is often limited to the United States, Canada and Puerto Rico.

  • Intellectual property claims such as copyright and trademark infringement are not covered under the traditional CGL Policy unless they are associated with an "advertisement".

D. Commercial Property Coverage

The property component of the Commercial Package Policy provides coverage for damage or destruction to financial institution property resulting from covered causes of loss. E-commerce-related property includes hardware, software and electronic data. Damage or destruction to e-commerce-related property can result in remediation costs, business interruption and extra expenses. It is uncertain at this time whether traditional property coverage will apply, for the following reasons:

  • It is not clear under the property policy whether corrupted software, hardware or data constitute "insured property." The Insurance Services Office (ISO) has reportedly taken the position that Electronic Data does not constitute property under the newly revised commercial property policy.

  • Some property policies currently have a Y2K exclusion. The language of these exclusions, while represented as limited to loss arising out of potential Y2K data recognition problems, could be interpreted to exclude all losses arising out of computer malfunction. Thus the Y2K exclusion could have broader implications than initially thought.

  • Covered causes of loss generally include physical perils such as water, wind and fire. In most cases, property insurance does not cover damage or destruction caused by cyber-perils such as computer viruses or hackers.

  • Property insurance does not recognize the inherent value of assets in electronic form such as intellectual property or proprietary software.

  • Geographical considerations may be an issue because property coverage is generally limited to physical premises in the United States, Canada and Puerto Rico.

E. Business Income and Extra Expense Coverage

The potential loss of computer systems or programs due to a virus or hacker could realistically threaten the institution's ability to conduct business for a period of time. Business Income (BI) coverage pays for the loss of income sustained by the institution due to the suspension of operations during the time it takes to return the business to normal operations. Extra Expense (EE) coverage indemnifies the institution for additional expenses incurred to maintain operations during the restoration period.

Banks entering the Internet arena should purchase catastrophic BI coverage to address this exposure. Be sure that any BI coverage contemplated does not contain the following gaps found in standard BI/EE coverage:

  • Traditional BI coverage may not apply to Internet banking because the suspension of operations must be the direct result of a covered loss such as fire, wind or water. It is not clear if computer viruses, hackers or employee sabotage constitute a covered cause of loss.

  • The suspension of operations must be caused by direct physical damage or loss of use of property at the financial institution's premises. If the institution is using a third-party service provider, which most financial institutions do either in whole or in part, databases and servers may not be physically located on the institution's premises.

  • The "period of restoration" generally begins anywhere from 12 to 72 hours after the time of the direct physical loss. The 72-hour downtime is unrealistic in the Internet banking environment.

F. Financial Institution Bond and/or Commercial Computer Crime Policy

The traditional Financial Institution Bond does not cover many exposures relative to Internet banking and various other electronic forms of communication. Coverage for some of these exposures may be purchased under the Commercial Computer Crime Policy; however, most financial institutions do not purchase this additional policy. The traditional Bond does not cover:

  • damage or destruction of electronic data or computer programs due to viruses or hacker activity;

  • employee sabotage of electronic data or computer programs;

  • loss of inherent value to intellectual property or proprietary software resulting from misappropriation;

  • loss of income resulting from an interruption of service (business interruption coverage);

  • extra expenses associated with an interruption of service;

  • loss of confidential information;

  • loss resulting from programming errors, omissions or malfunctions; or

  • the cost to hire a public relations firm to mitigate reputation loss.

Financial Institution Bond coverage varies by insurance company. Some policies may cover some or all of these risks.

VI. Internet Banking Protection Package

As a result of the potential gaps in traditional insurance policies, many insurance companies are introducing "E-insurance" policies. Most, however, are designed for e-commerce businesses, not for financial institutions engaged in Internet banking.

As you evaluate these new products, you will find that coverage is expensive, mirrors the basic coverages that financial institutions already have under their Bond, and may not address the real gaps in coverage or risks relevant to financial institutions.

In order to address the needs of community banks, the ABA-sponsored insurance program, underwritten by Progressive, has developed an Internet banking insurance program specifically for financial institutions engaged in Internet banking. The Internet Banking Protection Package is a unique insurance solution for community banks. Two interconnected policies provide first-party and third-party coverages to fill the gaps where traditional insurance policies do not extend to Internet risks. First-party protection is provided through the Enhanced Financial Institution Bond and third-party protection via a separate and distinct policy - the Internet Banking Liability Policy.

The Internet Banking Protection Package is designed to cover Internet banking, PC/home banking, and other electronic banking activities through the following interconnected policies:

A. Enhanced Financial Institution Bond

Fills the gaps in the standard Bond by providing coverage for loss due to:

  • Hackers, Crackers and Viruses

  • Employee Sabotage

  • Fraudulent Funds Transfers initiated by voice, fax, email or Internet access

  • Damage/destruction of data or computer programs

B. Internet Banking Liability Policy

  • Affirmative, broad-form coverage for suits against the Financial Institution and its directors, officers and employees

  • Coverage for suits alleging invasion of privacy

  • Coverage for advertising injury, such as libel, slander and defamation

  • Coverage for intellectual property claims, including copyright and trademark infringement

Optional Endorsements:

  • Business Interruption

  • Cyber/Network Extortion

  • Public Relations Expense

If you have any questions or would like to obtain more information about the Internet Banking Protection Package from Progressive Insurance, please call Progressive at 800-274-5222.
