While this topic is not usually considered to be in the realm of “compliance,” we wanted to share with you a regulatory update that was just issued and applies to the IT department of each financial institution so that you can pass this information to the appropriate person in your organization.
Yesterday, the FFIEC issued a statement on “Cyber Insurance and Its Potential Role in Risk Management Programs.” This statement was issued jointly by the members of the Council and describes the matters that financial institutions should consider if they are determining whether to use cyber insurance as a component of their risk management programs. Specifically, the guidance focuses on risk management techniques that could be utilized to mitigate financial, operational, legal, compliance, strategic, and reputation risks resulting from fraud, data loss, or disruption of service.
In the release, the FFIEC makes it clear that the statement does not contain any new regulatory expectations; rather, it is issued to “provide awareness of the potential role of cyber insurance in financial institutions’ risk management programs.” The guidance goes on to explain that while cyber insurance is not required by the regulatory agencies, it can be an effective tool for mitigating certain financial risks associated with cyber incidents.
Institutions are reminded in the statement that purchasing cyber insurance does not remove the need for a sound control environment. Rather, cyber insurance can be used as just one component of a larger risk management strategy that includes identifying, measuring, mitigating, and monitoring cyber risk exposure.
The bulk of the guidance focuses on risk management considerations as follows:
- Involving multiple stakeholders in the cyber insurance decision
  - Include appropriate departments across the institution such as legal, enterprise risk management, operational risk management, finance, information technology, and information security management.
  - Assess the sufficiency of existing control environments to address the potential impact of cyber risk exposures and attestation requirements for the insurance policy.
  - Communicate the cyber insurance decision-making process, including the assessment of cyber insurance options, to the appropriate level of management.
- Performing proper due diligence to understand available cyber insurance coverage
  - Review the scope of existing or proposed insurance coverage to identify gaps.
  - Understand insurance policy terms, coverage, exclusions, and costs for cyber events.
  - Consider the potential benefits and costs to assess the appropriateness of the insurance coverage.
  - Avoid overreliance on insurance coverage as a substitute for sound operational risk management practices.
  - Recognize that policy terms and language may not be standardized. Coverage may differ among insurance providers and be tailored to individual institutions.
  - Consider how the coverage is triggered, whether certain types of cyber incidents (e.g., cyber terrorism) are excluded from coverage, and the impact that sub-limits may have on the total coverage and the claims process.
  - Assess the financial strength (ratings) and claims-paying history of the insurance companies providing coverage, and their ability to fulfill obligations under the policy if multiple institutions file claims.
  - Assess how the proposed policies fit within the institution's business strategies, insurance programs, and risk management programs.
  - Understand the risk management and control requirements outlined in the policy and ensure the institution would be able to comply with them.
  - As appropriate, engage outside advisors, such as attorneys and brokers, to assist in the due diligence process and to assess the benefits of cyber insurance relative to its cost.
- Evaluating cyber insurance in the annual insurance review and budgeting process
  - Assess the benefits of cyber insurance relative to its cost.
  - Determine the sufficiency of existing insurance coverage as cyber risk exposures, insurance products, and the threat landscape evolve.
  - Confirm that any cyber insurance includes the coverage expected by the institution.
  - Engage the board to assess these factors in insurance program reviews.
The full FFIEC statement can be found here.