
Are BOLI Providers Critical Vendors? The Answer Might Surprise You.

4 min read
Apr 18, 2024

You probably don’t give much thought to your bank-owned life insurance policy (BOLI). Why would you? Insuring senior banking leadership and board members is a routine, check-the-box kind of activity that usually only comes up when it's time to renew your policy.    

Yet a recent cyber breach that impacted a BOLI provider serves as a reminder that no vendor relationship is necessarily mundane.

In March 2024, a company that offered bank-owned life insurance reported a cyber breach to the Montana Attorney General. The insurance company’s vendor, a digital platform provider (a fourth-party provider), suffered a breach, leaking many high-level banking employees' names, Social Security numbers, addresses, phone numbers, birth dates, and employment information.  

Financial institutions are right to be concerned about this fourth-party breach. Cybercriminals regularly use the personal information of high-level executives to persuade unsuspecting employees to initiate wire transfers and offer up sensitive data. Imagine a criminal impersonating your bank’s chief financial officer and convincing another organization to give them a $25 million remittance payment – which happened to a company a few months ago, according to a news report from CNN. 

With CEO fraud, a crime that costs companies millions yearly, criminals impersonate executives and C-suite employees through spoofed email accounts (phishing) and social engineering tactics. CEO fraud succeeds because it preys on employees' fear of failing to accommodate those in positions of power.

Imagine a teller at another financial institution receiving an “urgent” phone call from a fraudster masquerading as your bank president asking for a transfer payment. Picture an employee receiving an email from your FI’s chief financial officer asking for consumer information from a linked bank account.  

Given the possible repercussions of BOLI cyber breaches, should financial institutions consider these providers critical vendors?


What is a critical vendor?

First, let’s define a critical vendor to see if BOLI providers fit the bill. The recent Interagency Guidance on Third-Party Relationships: Risk Management offers a new definition of a critical vendor.  

The guidance considers critical vendors those that:  

  • Pose significant risk if the vendor fails to meet expectations  
  • Have a significant impact on customers or 
  • Have a significant impact on a bank’s financial condition or operations  

Does leaking the personal information of your institution’s senior leadership satisfy this definition? Are BOLI providers critical vendors? Not really.  

Pose a significant risk if the vendor fails: This depends on how much an institution invests in BOLI. If an institution has significant BOLI investments, the concentration risk could prove problematic if the vendor fails. This applies to just a handful of small banks, according to the Federal Reserve. 

Impact on customers: None.*  

Impact on banking operations or financial condition: If a vendor failure allows criminals to impersonate your bank president and successfully pull off a wire fraud, chances are it won’t be a sum large enough to cause a significant impact to the institution. It’s a risk, but not a critical risk. 

To answer the question posed earlier, BOLI providers are unlikely to be critical vendors. Traditionally, due diligence for insurers has focused on their financial stability. But financial institutions may want to consider enhanced due diligence for these vendors.  

Hidden risk of BOLI and insurance providers

BOLI providers have access to sensitive personal information about your banking executives and board members, and financial institutions should assess at least some of the following before entering a relationship with them:  

  • Compliance with data protection regulations and laws  
  • Financial condition  
  • Business expertise and the qualifications of key employees  
  • Risk management policies, processes, and internal controls  
  • Information security posture and IT controls for protecting sensitive data  
  • Operational resiliency and business continuity/disaster recovery plans  
  • Physical security  
  • Subcontracting arrangements, especially with technology service providers (TSPs) who will also have access to your sensitive information   

Related: Vendor Due Diligence for Banks 

As with all decisions, it comes down to risk tolerance. After analyzing the risks posed by a BOLI provider, financial institutions need to ensure the vendor falls within their tolerance—or determine whether anything can be done, whether through the contract or other controls, to bring the level of risk down to an acceptable level.

For instance, an institution might be more comfortable including BOLI and other companies with access to sensitive employee data in its tier for its GLBA vendors, requiring enhanced due diligence when it comes to areas like breach notification and incident response. It might want additional cybersecurity insurance on its C-suite or board members.  

Financial institutions may want to work with BOLI vendors to add provisions and clauses to standard contracts that protect the personal information of employees. Does the contract account for the safe storage and disposal of PII? Does it contain service-level agreements (SLAs) that specify the timeline for reporting cyber incidents?  

Other financial institutions might look beyond third-party risk management (TPRM) to broader risk management controls that guard against CEO fraud, such as training employees to recognize phishing and other social engineering scams, and on that basis decide on a lower risk tier for the vendor. They also might scan the dark web for activity relating to their C-suite and board.

Related: TPRM 101: What is Contract Management for Financial Institutions?

Vendor cyber monitoring is yet another tool that helps financial institutions proactively manage third-party risk. While it’s impossible to say with certainty that cyber monitoring would have prevented or limited the damage of the breach mentioned above, it might have. Reviewing a critical vendor’s web configurations or looking for signals of a pending attack on the dark web are essential third-party risk controls.  

Defining your high-risk vendors

BOLI providers can have hidden risks that your financial institution isn’t thinking about. What does this say about assessing vendor risk more broadly? Even if an activity performed by a vendor seems straightforward and mundane, financial institutions still need a methodology for classifying critical vendors.  

Don’t make assumptions about vendors. Vendor risk must be measured and quantified with objective assessments, enabling your institution to accurately categorize third parties by risk. Banks and other financial institutions require uniform metrics for determining whether a vendor is high-risk – not gut feelings and guesswork. Third-party risk can only be mitigated if it’s understood.  

Third-party risk management solutions take speculation out of the equation. With the right vendor risk tools, financial institutions can proactively manage third-party relationships, avoiding disasters such as having your bank president’s personal information fall into the laps of criminals. 

*Some credit unions require their employees to be members. In that case, the impact would be minimal to moderate.   

What are the top risks of critical vendors? Read our whitepaper: “The Top 10 Risks Vendors Pose to Your Institution”
