Guidance provided on ‘cyber insurance,’ but exam council calls ‘effective controls’ still the best defense

Guidance for financial institutions considering special insurance to offset financial losses from data breaches and other cyber incidents is offered in a joint statement released Tuesday by federal financial institution regulators.

However, the regulators noted that they do not now require financial institutions to maintain cyber insurance. “This statement does not contain any new regulatory expectations,” according to the statement.

In the statement issued by the Federal Financial Institutions Examination Council (FFIEC, which includes all five federal financial institution regulators and representatives of state financial regulators), the council conceded that cyber insurance could offset financial losses from data breaches resulting in loss of confidential information (among other things) that are not covered by more traditional protection, and that it may be considered in financial institutions’ overall risk management.

“The evolving cyber insurance market and the shifting cyber threat landscape may, however, prompt financial institutions to consider whether cyber insurance would be an effective part of their overall risk management programs,” the exam council said in a release.

“Financial institution management should assess the scope of coverage of current insurance and consider how cyber insurance may fit into the institution’s overall risk management framework,” the release states.

The FFIEC is an umbrella group made up of the five federal financial institution regulators (the Federal Reserve, Consumer Financial Protection Bureau (CFPB), Federal Deposit Insurance Corp. (FDIC), National Credit Union Administration (NCUA), and the Office of the Comptroller of the Currency [OCC]) and the council’s State Liaison Committee (SLC, made up of representatives of state financial regulators).

In their joint statement, the regulators made clear that insurance is only one component of a risk management strategy. “An effective system of controls remains the primary defense against cyber threats,” according to the statement.

The exam council lists a number of considerations and actions to take for financial institutions weighing the insurance coverage, including:

  • Involving multiple stakeholders in the cyber insurance decision;
  • Performing proper due diligence to understand available cyber insurance coverage;
  • Evaluating cyber insurance in the annual insurance review and budgeting process.

“Financial institutions ultimately remain responsible for maintaining a control environment consistent with the guidance outlined in the FFIEC IT Examination Handbook,” the statement concludes.

Joint Statement on Cyber Insurance and Its Potential Role in Risk Management Programs (PDF)