The Federal Financial Institutions Examination Council (FFIEC) has issued a joint statement emphasizing that lenders and servicers should consider cyber insurance as part of their risk management programs. Although the FFIEC did not announce new regulatory requirements or supervisory expectations, the statement is further evidence of what most in the industry have already recognized: cyber coverage is quickly becoming indispensable.
Among the points highlighted by the FFIEC:
- Financial institutions face a variety of risks from cyber incidents, including risks resulting from fraud, data loss, and disruption of service.
- Traditional insurance coverage may not cover cyber risk exposures.
- Cyber insurance can be an effective tool for mitigating risk.
- Insurance does not remove the need for an effective system of controls as the primary defense to cyber threats.
- The cyber insurance marketplace is growing and evolving, requiring due diligence to determine what insurance products will meet an organization’s needs.
Although not specifically mentioned in the FFIEC statement, financial institutions should be aware that cyber coverage can be an important means of mitigating the regulatory risk associated with data breaches, but only if the organization purchases a policy that provides regulatory coverage. Today, a number of insurers offer products that reimburse the costs of investigating and responding to a regulatory investigation or enforcement proceeding, and that provide coverage for administrative fines and penalties to the extent they are insurable under applicable law. Given heightened regulatory scrutiny of data security, the importance of such coverage continues to increase. With a rapidly changing market, institutions should carefully review policies, including sublimits, exclusions, and notice conditions, to be sure that the scope and limitations of coverage match their actual exposure.