New Regulatory Guidance About Cybersecurity Insurance
Does your institution need cybersecurity insurance? Is it required? If utilized, are there rules? Cybersecurity insurance can protect against financial loss in the event of a cyber incident, but there are many intricate details.
The Federal Financial Institutions Examination Council (FFIEC) members have provided a joint statement to help financial institutions understand how cyber insurance impacts risk management and what institutions need to do when considering purchasing cyber insurance. The FFIEC statement was issued in conjunction with the OCC, FDIC, Federal Reserve Board, and NCUA.
So, based on the latest guidance, there is no requirement to obtain cyber insurance, but if you decide to obtain cyber insurance there are three steps to consider:
1. Assess current coverage. Don’t assume current general liability or business interruption policies will cover cyber events. One should look for exclusions. If you already have cyber coverage, whether it’s a standalone policy or an additional rider to another policy, make sure you understand its scope. For instance, a policy might cover a cyber breach at the institution but not a third-party vendor breach. It may also exclude cyber terrorism, the FFIEC says.
Also recognize the difference between first-party and third-party coverage and which types of coverage you have. First-party coverage includes direct expenses, such as “customer notification, event management, business interruption, and cyber extortion.” Third-party coverage includes claims made by customers, partners, or vendors due to a cyber incident. Because cyber insurance is an evolving field, terminology and other elements of underwriting vary between providers and can change. Due diligence of your insurance provider’s financial stability and past claim payouts is especially important, particularly if multiple institutions end up filing a claim to a large-scale event.
2. Understand that cyber insurance only covers financial risk. Data breaches, fraud, loss of service, and other issues resulting from cyberattacks can be expensive, but the financial impact is just one risk. Cyber incidents also pose reputational, operational, compliance, legal, and strategic risks.
While cyber insurance can mitigate the financial risk, it’s no substitute for proper risk management, the FFIEC emphasizes, including identifying, measuring, mitigating, and monitoring cyber risk exposure. Strong controls remain critical. Your institution must be able to meet the insurance company’s risk management requirements to remain eligible for coverage and any potential payout. That makes a strong cyber risk management program a must. A strong program that includes all stakeholders can also help an institution make an educated decision about buying cyber insurance by providing the necessary insights into risk exposure.
3. Analyze costs vs. benefits. Once a thorough risk assessment is in place, compare the cost of cyber insurance with its benefits, the FFIEC says. The greater the residual financial risk, the greater the potential benefit for a policy. As risk exposure changes, so might the institution’s need for cyber insurance. Keep the board apprised of developments so they can assess this need.
Cyber insurance is not a one-size-fits all product. Every institution is different, making a careful cyber risk assessment critical when purchasing cyber insurance.
Assess your cyber risk with an online FFIEC cybersecurity assessment tool.