The Federal Financial Institutions Examination Council (“FFIEC”), a U.S. governmental body composed of banking regulators, recently issued guidance to financial institutions directing them to consider implementing dedicated cyber insurance programs to offset financial losses resulting from cyber incidents. Financial institutions face a number of potentially crippling risks arising from cyber incidents, including financial, operational, legal, compliance, strategic, and reputational risks resulting from fraud, data loss, or disruption of service. While cyber insurance can mitigate these risks, it is not required by financial regulators, and thus many financial institutions may not have obtained insurance specifically designed to cover their cyber risks. Nonetheless, the FFIEC is now urging financial institutions to include dedicated cyber insurance as part of a multi-faceted cyber risk management strategy and not to rely solely on traditional insurance. In addition, the FFIEC is recommending that financial institutions have their outside advisors review their potential cyber insurance coverage to ensure that it will cover the relevant risks.
The FFIEC has emphasized three important considerations in developing a successful cyber insurance strategy. First, financial institutions should involve multiple stakeholders in their cyber insurance procurement decisions—including members of corporate legal, risk management, financial, and IT departments—to assess the types of risks in need of coverage.
Second, financial institutions should perform appropriate due diligence to understand cyber coverage options and to make sure they are purchasing an adequate product, particularly given how new these products are and how they differ from the traditional insurance financial institutions have historically obtained. To that end, such institutions should consult with insurance coverage counsel to (i) review the scope of cyber coverage and any potential gaps; (ii) understand the policy terms, coverage, exclusions, and costs for cyber events; (iii) consider how coverage will be triggered, whether certain types of cyber incidents are fully or partially excluded, and whether sub-limits may narrow the scope of coverage; (iv) assess the financial and claims histories of insurance companies to gauge their ability to fulfill their obligations under the policy; (v) understand the risk management and control requirements outlined in the policy and ensure that the institution would be able to comply; and (vi) avoid overreliance on insurance coverage as a substitute for sound operational risk management practices.
Third, the FFIEC urges financial institutions to evaluate their cyber insurance programs periodically as part of an annual insurance review and budgeting process. Given that cyber risks are growing considerably, cyber insurance products are rapidly evolving, and cyber coverages are becoming better tailored to specific industries, financial institutions should work with counsel and insurance brokers periodically to confirm that they are selecting the most appropriate cyber coverage.
As the FFIEC has warned, cyber risks are now ubiquitous, and thus cyber insurance coverage should be an important focus of any financial institution’s risk management strategy. Indeed, financial institutions have become an attractive target of hackers and regulators, and failure to procure adequate coverage may leave institutions exposed to government investigations, regulatory fines, and shareholder suits.
Coverage counsel can assist institutions in mitigating the impact of these risks as they become more commonplace in their business operations. The insurance coverage practice group at Hunton Andrews Kurth has deep expertise with cyber insurance coverages and in undertaking the due diligence recommended by the FFIEC.