In a Joint Statement issued this week, the Federal Financial Institutions Examination Council (“FFIEC”) – which comprises the principals of the Board of Governors of the Federal Reserve System, Consumer Financial Protection Bureau, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and State Liaison Committee – cautioned the financial sector not to over-rely on the risk-transfer capabilities of Cyber Insurance in lieu of maintaining robust security controls. The FFIEC’s Joint Statement is available here.
As many reading this will already know, federal laws such as the Gramm-Leach-Bliley Act (“GLBA”) and state laws such as New York’s latest cutting-edge Cybersecurity Requirements for Financial Services Companies require covered organizations to implement comprehensive security controls. The GLBA, for instance, requires consumer-facing financial institutions offering goods and services for personal, family or household purposes to implement “information security programs” addressing the various administrative, technical and physical safeguards necessary to protect sensitive consumer information. While this law focuses on the confidentiality of consumers’ non-public financial information, organizations governed by the GLBA invariably must approach compliance holistically throughout their operations. See 16 CFR Part 314.
New York has codified this holistic view of cybersecurity in its new Cybersecurity Regulations by explicitly requiring regulated entities also to protect any “business information” that could result in “…material adverse impact to the business, operations or security” of the organization if compromised by a malicious third-party. See 23 NYCRR 500 et seq. Unlike the GLBA, New York’s Cybersecurity Regulations also are not limited to companies offering consumer-facing financial goods and services, but instead broadly capture any entity operating under New York’s Banking Law, Insurance Law, or Financial Services Law. These organizations must now maintain comprehensive Cybersecurity Programs and Cybersecurity Policies that address information system security, business continuity, disaster recovery, and incident response for both consumer and other “sensitive” information. Our full analysis of New York’s regulation may be found here.
With these regulations at the forefront, the financial sector should take heed of the FFIEC’s Joint Statement and not over-rely on transferring risk through Cyber Insurance at the expense of adequate security controls. Yet, as the FFIEC acknowledged, Cyber Insurance will continue to play a critically important (and ever-evolving) role in managing the residual risks organizations face despite their good-faith efforts to adequately protect against threat actors.
While Cyber Insurance should not be viewed as a replacement for sound controls or even as a bar against which to gauge their reasonableness, Cyber Insurance nonetheless will continue to serve a necessary role in the enterprise risk management processes of nearly every organization in the financial sector.
From the perspectives of both parties to the insurance relationship, considerable thought should be given at the underwriting stage to the security-related attestations used to bind coverage. Are the questionnaires adequately broad to elicit an accurate description of the technical risks actually facing the insured? What mechanisms have both parties employed to develop and test responses to these questionnaires and more importantly, the insured’s actual security protocols? Can information asymmetries be satisfied through warranties?