Last week, the Federal Financial Institutions Examination Council (FFIEC) issued a joint statement regarding cyber insurance from its member agencies: the Board of Governors of the Federal Reserve System (FED), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB). The FFIEC indicated that the purpose of the statement was “to provide awareness of the potential role of cyber insurance in financial institutions’ risk management programs.”
While the statement specifically states that it does not contain “any new regulatory expectations” and that cyber insurance is not required by any member agencies, it also describes various factors in the existing environment that call for broader awareness, and the possible acquisition, of cyber insurance:
- The ever-growing threat of cyber attack: Symantec’s Internet Security Threat Report of March 2018 provides additional context for this factor: “With each passing year, not only has the sheer volume of threats increased, but the threat landscape has become more diverse, with attackers working harder to discover new avenues of attack and cover their tracks while doing so.”
- Possible inadequacy of general insurance policies: The FFIEC notes that “traditional insurance policies for general liability or basic business interruption coverage may not fully cover cyber risk exposures without special endorsement or by exclusion not cover them at all.” In addition, “coverage may also be limited and not cover incidents caused by or tracked to outside vendors.”
- Evolution of cyber insurance marketplace: As cyber attacks grow and evolve, so too does this particular segment of the insurance marketplace.
- And everything is at risk: The FFIEC warns that nearly every aspect of a financial institution can be harmed by cyber attacks: its financial footing, operational status, legal posture, compliance adherence, strategic plan, and reputation.
First-party Coverage Versus Third-party Coverage
The FFIEC notes that cyber insurance can be structured in multiple ways, from a stand-alone policy to a specific cybersecurity endorsement added to an existing policy. It also explains the difference between first-party and third-party coverage:
- First-party coverage: “Insures direct expenses incurred by the insured party and may address costs related to customer notification, event management, business interruption, and cyber extortions” (i.e., ransomware attacks).
- Third-party coverage: “Protects against the claims made by financial institutions’ customers, partners, or vendors as a result of cyber incidents at financial institutions.”
Analyzing the Need for Cyber Insurance
For institutions trying to determine whether or not they need cyber insurance, the FFIEC recommends the following actions:
- Ensure all key parties are involved in the decision-making process: This includes representatives, with expertise and authority, from legal, risk management, finance, information technology, and information security.
- Conduct appropriate due diligence: This covers both internal due diligence (i.e., compare what you currently have with what you need to fill any insurance gaps) and external due diligence (i.e., examine and analyze possible cyber insurance vendors as you would other third-party vendors).
- Review cyber insurance needs periodically: The FFIEC recommends including cyber insurance in your annual insurance review and budgeting process.
The Final Word
The FFIEC makes it clear that while cyber insurance can help protect financial institutions, it does not relieve them of their information security obligations. “Purchasing cyber insurance does not remove the need for a sound control environment,” and cyber insurance itself “may be a component of a broader risk management strategy.”