Many financial institutions already realize the importance of cyber insurance coverage, but a joint statement issued by the Federal Financial Institutions Examination Council (FFIEC) last month further emphasizes the need for inclusion of cyber insurance in your risk management program.
Current regulations do not require banks to have cyber insurance coverage, but it can prove to be a critical policy as the number and sophistication of cyber incidents increase. Traditional general liability or business interruption policies do not always provide effective coverage for all potential exposures caused by cyber events. Often cyber events are excluded all together from these policies. Cyber insurance may offset financial losses related to cyber incidents resulting from fraud, data loss or disruption of service.
As cyber attacks increase in frequency, severity and resulting losses, the cyber insurance marketplace continues to grow and evolve. Cyber attacks and breaches are occurring with alarming regularity, and the options for cyber coverage are expanding. Multiple stakeholders in the bank should be involved in assessing the costs and benefits of cyber insurance and evaluating the scope of coverage desired. Cyber insurance policies are available as a standalone policy or as an add-on to an existing policy, such as a general liability policy.
Policies also vary in scope. First party coverage insures against your bank’s direct expenses, such as those related to customer notification and network business interruption. Third party coverage insures against claims by customers or other partners and vendors, such as for wrongful disclosure of personally identifiable information. Some cyber insurance policies also provide regulatory coverage. Consequently, cyber coverage can be an important source of mitigating regulatory risk associated with data breaches.
The FFIEC statement emphasizes that cyber insurance does not eliminate the need for an effective risk management program. Although cyber insurance can be effective for mitigating the financial risk associated with cyber events, financial institutions face a variety of other risks as well. In addition to financial losses, there may be legal or compliance risks, operational risks and reputational risks resulting from a cyber incident.
Particularly for financial institutions, customers trust that their financial wellbeing and confidential information will be safeguarded. Thus, an effective system of controls that identifies, measures, mitigates and monitors cyber threats is still necessary. Cyber insurance should be just one piece of your broader risk management program.