The Federal Financial Institutions Examination Council (FFIEC) issued a joint statement in April emphasizing the need for companies in the financial sector to include cyber insurance in their risk management program. Although the FFIEC did not announce new regulatory requirements or expectations, the announcement is further evidence of what most businesses have already recognized: Cyber coverage is quickly becoming indispensable.
Among the points highlighted by the FFIEC:
- Institutions face a variety of risks from cyber incidents, including risks resulting from fraud, data loss, and disruption of service.
- Traditional insurance coverage may not cover cyber risk exposures.
- Cyber insurance can be an effective tool for mitigating risk.
- Insurance does not remove the need for an effective system of controls as the primary defense against cyber threats.
- The cyber insurance marketplace is growing and evolving, requiring due diligence to determine what insurance products will meet an organization’s needs.
Although not specifically mentioned in the FFIEC statement, businesses should be aware that cyber coverage can be an important means of mitigating regulatory risk associated with data breaches – if the organization purchases a policy that provides regulatory coverage. Today, there are a number of insurers offering products that reimburse costs for investigating and responding to a regulatory investigation or enforcement proceeding, as well as provide coverage for administrative penalties. Given amplified scrutiny from regulators in the area of data security, the importance of such coverage continues to increase. With a rapidly changing market, institutions should carefully review policies to be sure that the scope and limitations of coverage match their exposure.
Republished with permission. This blog post was modified for the It Pays to Be Covered blog. The blog post originally appeared on Bradley’s Financial Services Perspectives blog on April 17, 2018.