Cyber Insurance Overview
On April 10th, 2018 the FFIEC published a Joint Statement titled “Cyber Insurance and Its Potential Role in Risk Management Programs.” While this statement does not contain any new regulatory expectations, it does contain some items financial institutions should consider.
With the continual increase in both quantity and sophistication of cyber attacks, financial institutions should perform a detailed review of all cyber-related insurance. Many traditional insurance policies do not contain coverage for cyber-based attacks, and while cyber insurance may offset the costs of an attack, it’s important to know what is covered by your existing policies and potential cyber policies.
The cyber insurance marketplace continues to grow with an increasing number of policy types available. The options vary widely, and financial institutions should carefully consider what policy best suits their needs. These policies may be offered as stand-alone policies or as additional endorsements to existing policies, such as general liability or errors and omissions. Additionally, cyber coverage may include both first-party and third-party options. First-party cyber insurance coverage insures against direct expenses such as customer notification, incident event management, business interruption, and cyber extortion. Third-party coverage protects against claims that may be made against the financial institutions from customers or partners.
The institution should also consider the following six key risk areas when evaluating cyber insurance to determine which risks may affect the institution the most: financial, operational, legal, compliance, strategic, and reputational risk. The FFIEC highlights three major risk-mitigation areas to review when considering cyber insurance:
- Involving multiple stakeholders in the cyber insurance decision
- Performing proper due diligence to understand available cyber insurance coverages
- Evaluating cyber insurance in the annual insurance review and budgeting process
Involving Multiple Stakeholders
Stakeholders from different areas of the organization should be included in the decision-making process, including legal, enterprise risk management, operational risk management, IT, Information Security, and finance. The institution should have a good understanding of the current control environment. The entire decision-making process should also be communicated to senior management and the Board of Directors.
Proper Cyber Insurance Due Diligence
The FFIEC highlights a number of due diligence areas to consider when evaluating cyber insurance, including:
- Coverage and terms are going to change between different providers, as there is no real standard yet
- Review and understand the scope, terms, coverages, and costs around specific cyber events. Ransomware is going to be different from a DDoS attack or a data breach
- Recognize HOW cyber insurance coverage is triggered for specific incidents
- Understand what is NOT covered (exclusions) around different cyber incidents
- Research the insurance company’s history of paying claims for cyber incidents and their ability to pay out in the event a cyber incident affects multiple institutions
Make sure you understand the expectations the insurance company has of your organization and the control requirements you will be expected to follow (and your ability to meet those requirements).
Review and Budget
The FFIEC also recommends you review and evaluate cyber insurance annually along with your other insurance policies. Areas of cyber insurance to assess include:
- The cost of cyber insurance relative to its benefits
- Confirming your cyber insurance continues to be adequate considering the evolving threat landscape
- Ensuring current coverages still line up with your expectations
- Keeping the Board and Senior Management updated to current cyber insurance coverages
4 Ways to Mitigate Risk
When it comes to any type of risk, an organization has essentially four options. You can choose to:
- Accept the current risk level and not change anything
- Mitigate the risk by fixing the issue or implementing compensating controls
- Change the risk level by fixing the issue, eliminating the cause of the risk, or limiting Functionality
- Transfer the risk and purchase the insurance
Risk Transference, in the world of Information Security, is the least attractive option for risk-mitigation; not that cyber insurance is not important (it sure is), but because an organization cannot truly transfer all the risk, especially reputational risk. Cyber insurance may cover your expenses, and it can certainly be a saving grace in many cases, but the reputational damage your organization may suffer as the result of a cyber incident cannot be mitigated through insurance.
Implement a Quality Information Security Program
While no new regulatory expectations are included in this statement, financial institutions would be wise to take note and review their insurance policies. Make sure your organization is properly mitigating its risk from cyber incidents, whether it’s by ensuring you have adequate protective and detective controls in place, testing your Information Security Programs to ensure your controls are adequate to prevent an incident, or by looking into cyber insurance as a way to offset some remaining risk. Regardless, if you currently utilize cyber insurance coverage, make sure your organization meets the insurance provider’s expectations, and that the cyber insurance coverage meets your organization’s acceptable risk level. If those two items line up, your institution will be more adequately prepared in the event of an incident.
Written by: Jeff Dice, CISM, CISA
Information Security Consultant - SBS CyberSecurity, LLC
Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.