Banking is now a technology business that provides banking services. With the vast majority of customer interactions and transactions occurring through a digital medium, dealing with cyber attacks and data breaches is going to be a part of standard operating procedure going forward. The Federal Financial Institutions Examination Council (FFIEC) recently released a statement on the importance and potential role of cyber insurance in financial institutions' risk management programs. Here, we've simplified their guidance with key takeaways.
What are the risks to financial institutions?
The risk to financial institutions from cyber attacks and data breaches is complex and devastating. These can include financial, operational, legal, compliance, strategic and reputation risks resulting from fraud, data loss or disruption of service.
Why purchase cyber insurance coverage?
Cyber attacks and data breaches are on the rise. Remediation of these events is exceedingly costly, and traditional insurance policies for general liability or basic business interruption coverage often do not fully cover cyber risk exposure.
What are the cyber insurance coverage options?
These options vary greatly and may be offered on a stand-alone basis or as a rider to an existing policy. Coverage is often structured as first-party and third-party coverage.
First-party coverage: Insures against direct expenses incurred by the insured party and addresses costs related to customer notification, event management, business interruption and cyber extortion.
Third-party coverage: Protects against claims made by financial institutions’ customers, partners or vendors as a result of cyber incidents at financial institutions.
How can risk be mitigated?
Though there is no doubt that cyber insurance is an effective tool for minimizing the financial risk associated with cyber incidents, it should be considered the last-resort lifeboat. You need it to keep your institution afloat, but if you're using it, it means you're already taking on water. As a matter of fact, the agencies do not require financial institutions to purchase cyber insurance. Cyber insurance should be considered a component of a broader risk management strategy, which includes identifying, measuring, mitigating and monitoring cyber risk exposure. An effective system of controls remains the primary defense against cyber threats.
Obviously, a financial institution's assessment of cyber insurance benefits should include an analysis of the institution's existing cybersecurity structure and IT risk management programs to evaluate the potential financial impact of residual risk. What other considerations should be taken into account when weighing the benefits and costs of cyber insurance?
- Include multiple stakeholders and appropriate departments such as legal, enterprise risk management, operational risk management, finance, IT and information security management.
- Perform due diligence to understand the extent of coverage, identify policy gaps, determine how the policy is triggered, and evaluate the financial strength and claims-paying history of the insurance provider.
- Finally, assess how proposed policies fit into your overall business strategy and your insurance and risk management program.
The greatest takeaway from all of this advice is to avoid over-reliance on insurance coverage as a substitute for sound operational risk management practices.
For a more comprehensive understanding of cyber security and cyber insurance, visit: