On April 10, the Federal Financial Institutions Examination Council (FFIEC) members issued a joint statement discussing cyber insurance and its potential role in the risk management programs of financial institutions. Members of the FFIEC include the Board of Governors of the Federal Reserve System, Consumer Financial Protection Bureau, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and State Liaison Committee.

Cyber insurance covers losses related to cyber-attacks and data breaches and may include coverage for customer notification, event management, business interruption, cyber-extortion, and claims made by financial institutions’ customers, partners, or vendors as a result of cyber incidents. Traditional general liability or basic business interruption insurance coverage may only partially cover cyber risk exposures or may not cover them at all.

The FFIEC does not currently require financial institutions to maintain cyber insurance. However, the joint statement cites the increasing number and sophistication of cyber-attacks faced by financial institutions and suggests that cyber insurance should be evaluated as an effective addition to an institution’s risk management strategy. The joint statement emphasizes that “cyber insurance does not remove the need for a sound control environment. Rather, cyber insurance may be a component of a broader risk management strategy that includes identifying, measuring, mitigating, and monitoring cyber risk exposure.”

The FFIEC recommends that financial institutions considering cyber insurance do the following:

  • Involve multiple stakeholders, such as legal, enterprise and operational risk management, finance, information technology, and information security management, in the cyber insurance decision.
  • Perform proper due diligence to understand cyber insurance coverage, triggers, exclusions, and limits.
  • Evaluate cyber insurance in the annual insurance review and budgeting process.

The full FFIEC joint statement is available here.

Norman Roos

Norman Roos, a member of Robinson+Cole’s Business Transactions Group, concentrates his practice on transactional, regulatory, and technology matters relating to the financial services and real estate industries. He is also a member of the firm’s Financial Services Cyber-Compliance Team and advises financial institutions concerning data privacy and security matters, particularly in relation to policy planning and implementation.

Mr. Roos is counsel to the Connecticut Mortgage Bankers Association, Inc., and is president-elect of the American College of Mortgage Attorneys where he has served on the Board of Regents and as Connecticut State Chair. A member of the Connecticut Bar Association, Mr. Roos is Past Chair of the Financial Institutions Law Section. He has served on a number of Connecticut Law Revision Study Committees including those on Uniform Common Interest Ownership Act, Electronic Communications, Mortgagor Liability, and Electronic Recording of Land Records. Read his full bio here.

Scott Baird

Scott M. Baird is an associate in the firm’s Business Transactions and Finance Groups, where his practice involves all aspects of corporate and securities law, including corporate governance, mergers and acquisitions, private equity and venture capital transactions, joint ventures, finance transactions, and securities law and compliance. He focuses on new legislation as well as regulatory and compliance matters involving financial service institutions. Read his full rc.com bio.