Cybersecurity Covenants in Loan Documents

Written By: Jay L. Hack


In my October 21 blog, I described a new law in New York that will require almost all businesses to adopt formal cybersecurity protection programs. Small businesses ARE NOT exempt, but they have a lesser compliance burden – they must have and implement a cybersecurity protection program that is appropriate based upon the size, nature, and complexity of the business. Should a bank include, in its loan commitment or loan documents, a requirement that borrowers provide a copy of their cybersecurity program, with annual updates? If the customer is engaged in a business that collects a lot of personal information, should the bank require cyber insurance? Should the loan documents also require that the borrower report any computer hacking?

Today’s Takeaway? Each bank needs to evaluate these questions. We recommend that banks adopt a policy, as part of the loan policy, that requires an evaluation of whether the nature of the borrower’s business exposes it to a material risk from a cyber attack. Insurance should be treated like flood insurance – if the customer’s business puts it in a risk zone, cyber insurance should be required. Of course, this will also show regulators, who focus on this issue, that the lender is on top of this matter.
