Cyber Insurance for Financial Institutions 101

Banking is now a technology business that provides banking services. With the vast majority of customer interactions and transactions occurring through a digital medium, dealing with cyber attacks and data breaches is going to be a part of standard operating procedure going forward. The Federal Financial Institutions Examination Council (FFIEC) recently released a statement on the importance and potential role of cyber insurance in financial institutions' risk management programs. Here, we've simplified their guidance with key takeaways.

What are the risks to financial institutions?

The risk to financial institutions from cyber attacks and data breaches is complex and devastating. It can include financial, operational, legal, compliance, strategic and reputation risks resulting from fraud, data loss or disruption of service.

Why purchase cyber insurance coverage?

Cyber attacks and data breaches are on the rise. Remediation of these events is exceedingly costly, and traditional insurance policies for general liability or basic business interruption coverage often do not fully cover cyber risk exposure.

What are the cyber insurance coverage options?

These options vary greatly and may be offered on a stand-alone basis or as a rider to an existing policy. Coverage is often structured as first-party and third-party coverage.

First-party coverage: Insures against direct expenses incurred by the insured party and addresses costs related to customer notification, event management, business interruption and cyber extortion.

Third-party coverage: Protects against claims made by financial institutions’ customers, partners or vendors as a result of cyber incidents at financial institutions.

How can risk be mitigated?

Though there is no doubt that cyber insurance is an effective tool for minimizing financial risk associated with cyber incidents, it should be considered the last-resort lifeboat. You need it to keep your institution afloat, but if you're using it, it means you're already taking on water. As a matter of fact, cyber insurance is not required by agencies. Cyber insurance should be considered a component of a broader risk management strategy, which includes identifying, measuring, mitigating and monitoring cyber risk exposure. An effective system of controls remains the primary defense against cyber threats.

Obviously, a financial institution's assessment of cyber insurance benefits should include an analysis of the institution's existing cybersecurity structure and IT risk management programs to evaluate the potential financial impact of residual risk. What other considerations should be taken into account when weighing the benefits and costs of cyber insurance?

  • Include multiple stakeholders and appropriate departments such as legal, enterprise risk management, operational risk management, finance, IT and information security management.
  • Do due diligence to understand the extent of coverage, identify policy gaps, and learn how the policy is triggered, as well as the financial strength and claims-paying history of the insurance company providing it.
  • Finally, assess how proposed policies fit into your overall business strategy, insurance and risk management program.

The greatest takeaway from all of this advice is to avoid overreliance on insurance coverage as a substitute for sound operational risk management practices.

For a more comprehensive understanding of cyber security and cyber insurance, visit:

FFIEC Cyber Joint Statement on Cyber Insurance

Homeland Security: Cyber Insurance

Homeland Security: Cyber Security Data
