The FFIEC issued a joint statement in early April 2018 addressing Cyber Insurance and its potential role in Risk Management Programs for Financial Institutions. There are several items in this release that I wanted to touch on.
First of all, they are very clear that this statement does not contain any new regulatory expectations. This may be true for now, but as consumer confidence begins to fail, in that institutions can keep their private information safe, we are going to see increased pressure on these regulatory bodies to act. This is a readily available arrow in their quiver that they are sure to reach for. Where Cyber Insurance rates are relatively cheap, it may not be a bad time to get a policy and start building experience that underwriters can use when determining rates further down the road.
The next point that I want to touch upon is that “traditional insurance policies for General Liability or Basic Business Interruption coverage may not fully cover cyber risk exposures”. This is a great point for them to bring up as it is not common knowledge that most events relating to a Cyber or Digital nature are generally excluded in unendorsed insurance policies.
Another good point that they bring up involves the terminology surrounding Cyber Insurance. This is where I think most of the headache comes from. An insurance policy can say “Cyber Insurance” but what does that really mean? Within Cyber Insurance there are many different coverages that perform different functions so how can you really know if you are covered? Understanding the coverages and exposures is critical to know if you are truly protected. Having a good agent to help walk you through this area is particularly important.
Under the “Risk Mitigation” section of the statement it talks about how “cyber insurance may be an effective tool for mitigating financial risk” and how “Purchasing cyber insurance does not remove the need for a sound control environment”. This is a great point. The best insurance loss is the one that never happens! Having a robust and proactive Cyber Defense Plan should be the first line of defense. Cyber Insurance is for the unknown and unexpected.
Under this same section it talks about “Performing proper due diligence to understand available cyber insurance coverage”. For anyone not trained in insurance this can be a pretty daunting task.
One of the most difficult things to deal with when it comes to Cyber Insurance is that the policies are not standardized. When a financial institution purchases a General Liability policy, no matter what company, the coverages are generally going to be the same. However with Cyber Insurance, you can’t just purchase a Cyber Policy and trust that all of the necessary coverages are going to be there. You have to first identify what the exposures are to your institution and then craft the policy around it. Each institution is different therefore each policy is going to be different in one way or another.
This is a complicated and evolving area of insurance. It is becoming increasingly evident that it is going to continue to grow in importance, especially in the financial sphere. The best way to navigate this is by having a competent and trained insurance professional.