The Federal Financial Institutions Examination Council (“FFIEC”), a U.S. governmental body composed of banking regulators, recently issued guidance directing financial institutions to consider implementing dedicated cyber insurance programs to offset financial losses resulting from cyber incidents. Financial institutions face a number of potentially crippling risks arising from cyber incidents, including financial, operational, legal, compliance, strategic, and reputational risks resulting from fraud, data loss, or disruption of service. While cyber insurance can mitigate these risks, it is not required by financial regulators, and thus many financial institutions may not have obtained insurance specifically designed to cover their cyber risks. Nonetheless, the FFIEC is now urging financial institutions to include dedicated cyber insurance as part of a multi-faceted cyber risk management strategy and not to rely solely on traditional insurance. In addition, the FFIEC recommends that financial institutions have their outside advisors review their potential cyber insurance coverage to ensure that it will cover the relevant risks.
The United States Court of Appeals for the Ninth Circuit recently held in Federal Deposit Insurance Corporation v. BancInsure, Inc., that an action by the FDIC against a failed bank’s former directors and officers was excluded by a D&O policy’s “insured vs. insured” exclusion. Against the backdrop of recent decisions finding similar exclusions to be ambiguous as to FDIC actions, such as St. Paul Mercury Ins. Co. v. Federal Deposit Ins. Corp., No. 14-56830 (9th Cir. Oct. 19, 2016) (previously discussed in this client alert), this decision shows how insurers continue to proactively adjust policy language to fit evolving and new exposures. Policyholders should be doing the same.