The Federal Financial Institutions Examination Council (“FFIEC”) (an entity consisting of all the federal financial institution regulators and five state regulators) issued a Statement to raise awareness of the potential role of cyber insurance in a financial institution’s risk management program. The FFIEC makes clear that a bank is not required to obtain cyber insurance and that the Statement “does not contain any new regulatory expectations.” Cyber insurance should be viewed only as one component of a risk management program. However, bank regulators do not spend time and effort issuing statements merely to remind banks that a certain action is not required. If cyber insurance is not part of your risk management program, now is the time to reconsider whether it should be used to offset the financial impact of cyber incidents.
The Statement notes that many aspects of the cyber insurance marketplace, such as terminology, claims history, legal precedents, and risk modeling, continue to evolve and are shaping the nature and scope of cyber insurance. Because the marketplace is still evolving, coverage options vary greatly. Will it be a stand-alone policy, or will it be added by endorsement to a general liability, business interruption, errors and omissions, or directors’ and officers’ policy? Will it cover first-party losses, meaning direct expenses incurred by the bank such as the costs of customer notification, event management, business interruption, and cyber extortion? Or will it cover third-party claims made by the bank’s customers, partners, or vendors as a result of cyber incidents at the institution? A given policy may cover one, both, or only parts of each.
The regulators emphasize that cyber insurance is not a substitute for a sound risk management strategy, but supplements an institution’s efforts to mitigate the risks associated with cyber-attacks. Each institution differs in its existing exposure and in what it has done to protect against cyber incidents and to limit the damage should an attack succeed. Consequently, the terms, limits, exclusions, and price of a cyber insurance policy will reflect the insurer’s underwriting assessment of the risks it perceives in the insured’s cyber program.
The Statement suggests the due diligence a financial institution should consider when determining which cyber insurance policy, if any, is appropriate given the costs and perceived benefits of obtaining coverage:
- Review the scope of existing or proposed insurance coverage to identify gaps.
- Understand insurance policy terms, coverage, exclusions, and costs for cyber events.
- Consider the potential benefits and costs to assess the insurance coverage appropriateness.
- Avoid overreliance on insurance coverage as a substitute for sound operational risk management practices.
- Recognize that policy terms and language may not be standardized.
- Recognize that coverage may differ among insurance providers and may be tailored to individual institutions.
- Consider how the coverage is triggered, whether certain types of cyber incidents (e.g., cyber terrorism) are excluded from coverage, and the impact that sub-limits may have on the total coverage available and on the claims process.
- Assess the financial strength (ratings) and claims paying history of insurance companies providing coverage and their ability to fulfill obligations under the policy if multiple institutions file claims.
- Assess how the proposed policies fit within the business strategies, insurance programs, and risk management programs.
- Understand risk management and control requirements outlined in the policy and ensure the institution would be able to comply.
- As appropriate, engage outside advisors, such as attorneys and brokers, to assist in the due diligence process to assess the benefits of cyber insurance relative to the cost.
Engaging in appropriate due diligence can be unexpectedly helpful in identifying areas of a bank’s risk management strategy that need correction. Before issuing a policy, an insurer will conduct its own independent examination of the risks associated with the bank’s cyber security program. That examination may reveal areas of exposure the bank had not previously contemplated. Whether the insurer will provide coverage for those risks, and on what terms, will be the subject of negotiation between the bank and the insurer.
Determining the proper cyber insurance policy for your institution is a decision that should include input from your Board of Directors. With management’s input, the Board should consider the appropriate amount and type of coverage needed to supplement the bank’s risk management strategy.
Of course, the regulators are not saying cyber insurance is required. But if they have gone to the trouble of spelling out what a bank should consider in deciding whether cyber insurance belongs in a sound risk management strategy, it is advisable to add that question to your annual insurance review.
If you would like more information about making cyber insurance a part of your risk management strategy, please contact Tommy Brooks at email@example.com or call him at 202 552 2356.