Federal bank regulators issued a statement on April 10 alerting banks to risk management issues regarding cyber insurance coverage.
The statement was issued jointly by the Federal Reserve, FDIC, OCC, NCUA and CFPB through their affiliation in the Federal Financial Institutions Examination Council (FFIEC).
Statement cites cyber incident risk and role of insurance
The statement acknowledges the increasing number and sophistication of cyber incidents, such as data breaches, that make consideration and evaluation of cyber insurance protections worthwhile for banks of all sizes.
Although the regulators do not require banks to obtain cyber insurance coverage, the statement explains that such coverage can be an important part of a bank's overall risk management program by offsetting losses stemming from cyber incidents. Those losses can result from customer identity theft, fraud and even extortion, and can take the form of lost income, litigation costs, regulatory fines and reputational damage.
Evaluation of cyber insurance coverage and related risks
In considering a cyber insurance policy, the statement advises each bank to involve multiple stakeholders within its organization (for example, legal, risk management, IT and financial staff) to review the bank's existing control environment and related cyber risks. The statement also advises banks to conduct due diligence on existing and potential cyber insurance coverage by:
Reviewing coverage scope and identifying gaps;
Understanding coverage triggers, limits, sub-limits, exclusions and costs;
Assessing the financial strength and claims paying history of the insurance carrier;
Understanding the policy’s risk management requirements for the bank that may impact coverage; and
Avoiding over-reliance on insurance coverage to mitigate cyber risks.
Cyber insurance policy variances
Cyber insurance can be obtained as a stand-alone policy. General liability and other standard insurance policies may include some coverage for cyber incidents, but banks should not assume this without confirming it in the policy language. The standard general liability policy, typical directors' and officers' liability policies, and many other liability policies are unlikely to cover first-party losses suffered by the insured, including its own expenses in responding to a cyber incident.
Cyber insurance coverage can vary greatly by provider and policy type, so banks should make sure they fully understand both their existing and any prospective coverage in order to manage cyber risks properly.
Thompson Coburn cyber insurance program and cyber incident response practice
In 2017, Thompson Coburn presented an overview of cyber insurance coverage issues and risks for the Association of Corporate Counsel, entitled "Are you protected? Insurance coverage for cyber risks," at the St. Louis Chapter Corporate Counsel Institute. That presentation provided a more in-depth review of some of the issues addressed in the FFIEC joint statement.
Thompson Coburn partners have advised clients on cyber insurance issues both in evaluating policies under consideration and in the claims process that unfolds after a cyber incident. Thompson Coburn also has a cybersecurity practice group devoted to managing cyber incident response for clients.