Cyber insurance as a component of risk management for financial institutions

On April 10, 2018, the Federal Financial Institutions Examination Council (FFIEC) issued a joint statement on the role of cyber insurance as a crucial component of a firm’s risk management program.

While the FFIEC stressed that cyber insurance “is not required by the agencies,” the clear suggestion when reading between the lines is that firms should be considering cyber insurance as a mechanism for managing risk. Moreover, we’ve seen this requirement begin to appear in state cyber regulations as Vermont now requires covered financial services firms to maintain insurance to manage the risks of cybersecurity breaches.

As has become commonplace with any regulatory proclamation on cyber issues, the FFIEC notes the “increasing number and sophistication of cyber incidents” to reinforce the importance of the joint statement. Although the Council’s recommendation to purchase cyber insurance isn’t particularly groundbreaking, their practical suggestions for analyzing risk and emphasizing a cross-functional approach to procurement can be helpful to those learning about the marketplace.

As a threshold matter, the FFIEC describes the state of the cyber insurance market noting that “coverage options vary greatly and may be offered on a stand-alone basis or as additional coverage endorsed to existing insurance policies.”

Cyber insurance may be offered as a first-party or third-party coverage — the former covering costs that the insured may incur related to customer notifications, business interruption and extortion, while the latter covers claims made against the insured by third parties like customers and vendors for issues relating to cyber incidents.

The fact that cyber insurance coverage has not been standardized cannot be overstated. The importance of due diligence during the selection process is critical simply because of the variation among policies and carriers.

The FFIEC recommends “involving multiple stakeholders in the cyber insurance decision” to ensure alignment from a strategic perspective.

As a first step, the FFIEC suggests gathering representatives from IT, information security, operational risk, compliance and finance to “assess the sufficiency of existing control environments” to determine potential risks. Akin to the familiar exercise of drafting narrowly tailored policies and procedures, the Council states that understanding the nuances of your firm’s IT configurations, organizational hierarchies and compliance processes are essential in making informed decisions about the appropriate risks that may be mitigated by cyber insurance.

Following an internal risk assessment, the FFIEC stresses the importance of a comprehensive vetting of cyber insurance policies with an emphasis on the following areas:

  • The status of existing general liability and business interruption policies
  • Variance in defined terms
  • Triggering events for coverage
  • Exclusions
  • Financial sufficiency of the carrier itself

The FFIEC states that firms should not approach cyber insurance as a “substitute for sound operational risk management practices,” but rather to protect against specific risks. One of the most important recommendations is to work with third parties like attorneys and brokers to help interpret policy terms, evaluate coverage gaps and compare quotes from carriers.  

Lastly, the FFIEC describes measures that firms should take to incorporate cyber insurance into annual budgeting and risk review processes. Firms should review coverage on a yearly basis, assess emerging risks to confirm the adequacy of coverage and ensure that key decision makers have transparency into the status of, and changes to, cyber insurance policies.

As a basic framework, the FFIEC joint statement provides instructive, high level guidance to prompt structured thinking about, and deeper engagement on, the procurement of cyber insurance as a critical component of a firm’s risk management program.

Comments are closed.