As banks continue to face threats from cyber incidents, the Federal Financial Institutions Examination Council today issued a joint statement on how its member agencies view the role of cyber insurance in banks’ overall risk management strategies. The statement did not contain any new regulatory expectations.
While banks are not required to have cyber insurance, FFIEC noted that it can be a helpful tool to mitigate risk, but emphasized that a sound control environment remains the primary defense against cyber threats. “Purchasing cyber insurance does not remove the need for a sound control environment,” the agencies said. “Rather, cyber insurance may be a component of a broader risk management strategy that includes identifying, measuring, mitigating and monitoring cyber risk exposure.”
When assessing the costs and benefits of cyber insurance, the agencies recommended that banks involve multiple stakeholders across the organization, perform proper due diligence to understand cyber insurance coverage and identify any gaps, and evaluate cyber insurance as part of an annual review and budgeting process.
ABA Insurance Services, the American Bankers Association’s endorsed insurance provider, offers cyber insurance policies that cover a wide range of cyber and privacy exposures, including data breach liability, cyber liability and cyber publishing and social networking liability.
