On April 11, 2018, the U.S. Federal Financial Institutions Examination Council members released a joint statement with respect to cyber insurance and its role in risk management. FFIEC members include the Federal Reserve, the OCC and the FDIC. The statement and corresponding press release note that the frequency, sophistication and severity of cybersecurity incidents are increasing. As a result, general insurance policies may not provide adequate coverage in the event of a cybersecurity event and cyber insurance options are increasing and evolving in response to these factors. The statement highlights that cyber insurance options vary greatly, and can be in the form of either a standalone policy or an endorsement to an existing insurance policy. The statement cautions, however, that cyber insurance should be viewed as a risk mitigation tool and not as an alternative to sound internal controls, policies and procedures to guard against cybersecurity events. The statement notes that institutions, in considering cyber insurance, should assess their existing cybersecurity risk framework to determine the potential impact and magnitude of residual risk. In weighing cost and benefits of cyber insurance, the statement suggests that institutions should consider involving multiple stakeholders in the decision-making process, perform adequate due diligence to fully understand available policies and coverage options and incorporate cyber insurance into their annual budgeting processes.
The full text of the FFIEC statement is available at: https://www.ffiec.gov/press/pdf/FFIEC%20Joint%20Statement%20Cyber%20Insurance%20FINAL.pdf.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
