The development of the first microprocessor in the late 1960’s was followed by the creation of the Internet. That was the start of the e-Business Revolution. Now the ability to work, learn, purchase, sell, communicate and bank can be performed from almost anywhere that has telephone access.
The popularity of the Internet has transformed the way banks conduct business by providing lower costs and new product sales and services. To take advantage of these new opportunities most banks have joined the e-business revolution or have plans to do so, creating new risks for the bank to consider.
Typical business risks such as fraud, loss of revenue, bad publicity are compounded by those banks engaged in e-commerce. The paperless environment of the Internet increases the risk of theft or loss of confidential data that can be accessed on-line.
Two incidents involve hacker intrusion into systems of major Internet banking service providers over the last few months, as well as the closing of another prominent Internet banking service provider. There was no wrongdoing on the part of the banks. The liability arose from the reliance on the service provider. In each of these scenarios many banks and other financial companies were affected. This led to interruptions of customer access. The banks took various steps to resume service and notify customers.
Recently someone hacked into the servers of an Internet banking vendor. It appears that no money as yet has been transferred between accounts or out of the banks’ affected accounts. Information from many banks was taken. It is impossible to detect whether information was potentially saved as a file on the hacker’s system. The vendor took the server down for several days and notified the banks involved.
It could be months before use of the information is detected. From experience with credit card fraud we know that fraudulent account information often does not surface for many months after the information is obtained
If no funds are transferred from the banks’ accounts why should the bank be concerned or alert customers and risk adverse publicity? Plaintiff’s attorneys fueling consumers’ concerns about Privacy and access to confidential information will not be far behind this intrusion.
Consider these situations:
- Customer A alleges Invasion of Privacy resulting in mental anguish and emotional distress.
- Customer B alleges Negligence by allowing unauthorized access to account information.
- Customer C was unable to access funds while the server was down precluding the completion of a business transaction. The customer alleges loss of Business Opportunity.
- Customer D is denied credit three months after the intrusion because the information obtained through the hack was used to steal the customer’s identity resulting in litigation.
- The bank places an announcement about the situation in an attempt to counter negative publicity. The Internet vendor sues the bank for defamation alleging that the announcement hurt their reputation in the industry.
There are other potential exposures/costs:
- Negative publicity
- Public relations
- Cost to communicate with customers
- Cost to change account numbers, passwords, checks, etc.
- Network extortion
Internet Banking Liability insurance is designed to insure against loss due to litigation consequent to e-commerce usage and coverage for direct expense to remediate e-commerce service.
Generally banks have relied on their insurance agents or business consultants for recommendations regarding traditional business insurance. Unfortunately these traditional insurance products may not meet all of the risks of e-commerce. The very same products, which have provided coverage for physical assets against physical threats, were developed at a time when the term “cyberspace” was considered science fiction. The electronic business exposures must be brought out in the daylight. These exposures should then be compared to the insurance coverage in place to determine what are the uninsured “gaps”.
It is extremely important to have a security policy in place to prevent unauthorized access, and to have a backup service provider if there is a shutdown.
It is prudent for bank management to obtain a quotation for e-Risk Insurance, and to let the Board of Directors know the exposure e-commerce presents, and the terms and cost to insure against these risks.
Bank regulators are now requesting banks to obtain this insurance and Certified Public Accountants soon will be.
