April 19, 2018

Got Cyber Insurance – WST

Got Cyber Insurance?

Last week, the FDIC issued a statement (linked below) to raise awareness of the potential role of cyber insurance in financial institutions' risk management programs. Cyber insurance may offset financial losses resulting from cyber incidents (e.g., data loss or fraud) that may not be covered by traditional insurance policies. Even though institutions are not required to maintain cyber insurance, they should consider how it may augment their risk management framework. While cyber insurance may be an effective tool for mitigating the financial risk associated with cyber incidents, it does not replace an existing risk management program and does not lessen the need for adequate cyber (technical) controls.

When an institution is evaluating its cyber insurance needs, it should first assess the benefits and include an analysis of its existing cyber security/IT risk management programs. Below are some elements to consider when weighing the benefits and costs of cyber insurance:

  • Involve multiple stakeholders (e.g., legal, risk management, finance, and IT) in the cyber insurance decision.
  • Understand available cyber insurance coverage.  Identify gaps, understand insurance policy terms and language, exclusions, and costs.
  • Understand any specific requirements regarding breaches or other cyber incidents. Some policies have specific requirements on insurer notification procedures and restrictions on computer forensic investigation companies.
  • Evaluate cyber insurance in an annual insurance review and budget process.  Include the IT staff so they can explain or weigh in on any technical portions.  Determine if there is sufficient coverage as risk exposures, insurance products, and the threat landscape evolve.

FDIC Statement:  https://www.fdic.gov/news/news/financial/2018/fil18016.html
