On April 10, 2018, the Federal Financial Institutions Examination Council (the “FFIEC”), an interagency body composed of the Board of Governors of the Federal Reserve System, Consumer Financial Protection Bureau, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency and the State Liaison Committee, issued guidance to assist financial institutions in analyzing the use of cyber insurance in an effective risk management program (the “Guidance”).
The Guidance provides, among other things, that in evaluating cyber insurance options institutions should:
- Involve Multiple Stakeholders in the Cyber Insurance Decision. Involve multiple stakeholders, including management and appropriate departments, in assessing the sufficiency of existing control environments to address cyber risk exposure.
- Perform Due Diligence. Perform adequate due diligence to understand available options for cyber insurance coverage and to understand the following: (i) the policy’s terms, coverage exclusions and costs; (ii) the potential benefits and costs associated with the insurance coverage; (iii) the variances in different kinds of policies from different providers; (iv) how coverage is triggered and how exclusions to coverage apply; (v) the financial strength (ratings) and claims-paying history of the insurance company providing the coverage; and (vi) that outside advisors, such as attorneys, may assist in the due diligence process to assess the benefits of cyber insurance relative to cost.
- Evaluate Cyber Insurance Annually. Evaluate cyber insurance in the annual insurance review and budgeting process at the board of directors level.
The Guidance states that “it does not contain any new regulatory expectations.” However, another way to interpret the Guidance is that it constitutes a strong suggestion that every covered institution should carefully consider the benefits of cyber insurance and, should it opt out of such coverage, have well-documented reasons in support of that decision.