On April 10, 2018, the FFIEC issued a joint statement regarding Cyber Insurance and its role in Risk Management programs.
With Cybersecurity events becoming commonplace, do you have the proper insurance to protect the bank and its assets? Although Cyber Insurance may be a part of the Risk Mitigation program, it is not the final word. Understanding the part that Cyber Insurance plays is critical.
Cyber Insurance can cover two important aspects of risk. The first coverage is for any matter for which the bank is directly responsible. Secondly, any matter that impacts a bank vendor has the potential to create a claim against the bank itself. Review the policy to ensure that the policy implemented is structured to protect the bank from both aspects of risk, both first‐ and third‐party.
The coverage that protects the bank directly may include things such as the following:
- Customer notification costs,
- Business interruption, and
- Cyber extortion.
Third‐party coverage protects the bank against cyber incident claims from other sources such as:
- Other financial institutions,
- Customers, and
- Vendors.
The best offense is a good defense! The best place to start is ensuring that your environment is as secure as possible. The items below may have an impact on the cyber insurance policy itself.
- Review your current cybersecurity framework to ensure that the bank is effectively mitigating its exposure to cybersecurity events based on the current threat environment which includes but is not limited to:
- Password review,
- Firewall review
- Non‐Public Information (NPI),
- Access to data on an as‐needed basis, and
- Risk Assessment review.
- Review your Vendor Management program to ensure that third parties are in line with your expectations of a secure environment. o
- Ensure that your vendors have breach notification clauses in the contract, so the bank is made aware of any incidents from that vendor.
Involve other impacted parties to understand the risks and benefits associated with Cyber Insurance and perform a Risk Assessment to understand any of the gaps in your current policy.
An important note: The best insurance policy is the one that isn’t needed. By ensuring that solid controls are in place, your exposure is reduced, but not eliminated.
Additionally, the Department of Homeland Security has created working committees to bring additional benefits to crafting Cyber Insurance policies. They have created a repository of cyber incident data which is intended to foster improved communication of cyber incidents and ways to improve cybersecurity defenses. The net goal of these working committees is to reduce the cost and reward businesses for good cybersecurity hygiene.
If you would like assistance reviewing your Cyber Insurance policies, please contact Jim Baron, Director of Technology and Risk Management Services at [email protected] or direct at 630‐770‐8982.
Here’s a link to the announcement on the FFIEC website. From here you can download the entire text of the joint statement: https://www.ffiec.gov/press/pdf/FFIEC%20Joint%20Statement%20Cyber%20Insurance%20FINAL.pdf
