On April 10, the members of the Federal Financial Institutions Examination Council (FFIEC) issued a joint statement discussing cyber insurance and its potential role in the risk management programs of financial institutions. Members of the FFIEC include the Board of Governors of the Federal Reserve System, Consumer Financial Protection Bureau, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and State Liaison Committee.
Cyber insurance covers losses related to cyber-attacks and data breaches and may include coverage for customer notification, event management, business interruption, cyber extortion, and claims made by financial institutions’ customers, partners, or vendors as a result of cyber incidents. Traditional general liability or basic business interruption insurance coverage may only partially cover cyber risk exposures or may not cover them at all.
The FFIEC does not currently require financial institutions to maintain cyber insurance. However, the joint statement cites the increasing number and sophistication of cyber-attacks faced by financial institutions and suggests that cyber insurance should be evaluated as an effective addition to an institution’s risk management strategy. The joint statement emphasizes that “cyber insurance does not remove the need for a sound control environment. Rather, cyber insurance may be a component of a broader risk management strategy that includes identifying, measuring, mitigating, and monitoring cyber risk exposure.”
The FFIEC recommends that financial institutions considering cyber insurance do the following:
- Involve multiple stakeholders, such as legal, enterprise and operational risk management, finance, information technology, and information security management, in the cyber insurance decision.
- Perform proper due diligence to understand cyber insurance coverage, triggers, exclusions, and limits.
- Evaluate cyber insurance in the annual insurance review and budgeting process.
The full FFIEC joint statement is available here.