FFIEC Proposes a To-Do List Concerning Cyber Insurance

The Federal Financial Institutions Examination Council warned credit unions and other financial institutions to think carefully about cyber insurance, according to a statement from the regulator today.

The regulator said that as more and more data breaches and security incidents make headlines, credit unions and other financial institutions should gather the right people, do the right research and make enough room in the budget if they’re going to buy cyber insurance, which typically protects against claims from members, partners or venders as a result of a data breach or other cyber incident at a financial institution.

“The FFIEC members do not require financial institutions to maintain cyber insurance. The evolving cyber insurance market and the shifting cyber threat landscape may, however, prompt financial institutions to consider whether cyber insurance would be an effective part of their overall risk management programs,” it said.

The FFIEC also noted that cyber insurance coverage options vary greatly and might come as stand-alone policies or live in parts of other coverage, such as general liability, business interruption, errors and omissions or other policies. Understanding the scope of coverage is critical, it cautioned.

“The increasing number and sophistication of cyber incidents affect financial institutions of all sizes, and remediation of cyber incidents can be costly. Traditional insurance policies for general liability or basic business interruption coverage may not fully cover cyber risk exposures without special endorsement or by exclusion not cover them at all. Coverage may also be limited and not cover incidents caused by or tracked to outside vendors,” it said. “Cyber insurance may offset financial losses from a variety of exposures, such as data breaches resulting in the loss of sensitive customer information.”

Credit unions and other financial institutions considering buying cyber insurance should do three things, the FFIEC warned.

• First, they should involve multiple stakeholders and all the appropriate departments in the institution to determine whether internal controls address cyber risk vulnerabilities. They should also work together during the cyber insurance decision-making process, the FFIEC said.
• Second, credit unions and other financial institutions should do the right homework on cyber insurance coverage. Among other things, they should look for coverage gaps, know the deductibles and coverage terms, know what kinds of events trigger coverage, check on the financial strength of the insurer and know what the institution needs to do to comply with each policy’s risk-management and control requirements, the FFIEC said.
• Third, the FFIEC said credit unions and other financial institutions should weigh the costs and benefits of cyber insurance during their annual insurance reviews and budgeting processes. That includes making sure there’s enough coverage, confirming what’s covered and making sure the board is engaged.

The FFIEC also warned credit unions and other financial institutions not to get lazy if they do buy cyber insurance.

“As with any insurance coverage, cyber insurance does not diminish the importance of a sound control environment. Rather, cyber insurance may be a component of a broader risk management strategy that includes identifying, measuring, mitigating, and monitoring cyber risk exposure,” it said.

The FFIEC prescribes uniform principles, standards, and report forms for the federal examination of financial institutions. Its members include the NCUA, CFPB, FDIC, Federal Reserve and OCC.