The Federal Financial Institutions Examination Council (“FFIEC”), a U.S. governmental body comprised of banking regulators, recently issued guidance to financial institutions directing them to consider implementing dedicated cyber insurance programs to offset financial losses resulting from cyber incidents. Financial institutions face a number of potentially crippling risks arising from cyber incidents, including financial, operational, legal, compliance, strategic, and reputational risks resulting from fraud, data loss, or disruption of service. While cyber insurance can mitigate these risks, it is not required by financial regulators, and thus many financial institutions may not have obtained such insurance specifically designed to cover their cyber risks. Nonetheless, the FFIEC now is urging financial institutions to include dedicated cyber insurance as part of a multi-faceted cyber risk management strategy and not to rely solely on traditional insurance. In addition, the FFIEC is recommending that financial institutions have their outside advisors review their potential cyber insurance coverage to ensure that it will cover the relevant risks.
May 25, 2018 should be a day circled on many company calendars. On that day, the European Union’s long-awaited Global Data Protection Regulation (“GDPR”) will go into effect. It is crucial for U.S. companies to prepare for the GDPR, as they, too, will be required to comply with a new set of data privacy rules if they are handling data from EU-based customers, suppliers, or affiliates. As long as you collect personal or behavioral data from someone in the EU, you must comply with the GDPR.
Last week Bloomberg Law launched an online “cyber insurance suite” authored by Hunton attorneys, Walter J. Andrews, Sergio F. Oehninger, and Patrick M. McDermott. The online suite, available here and to Bloomberg subscribers, covers all aspects of cyber insurance, including identifying the major cyber risks and liabilities, applying for and obtaining cyber insurance coverage, and submitting claims under cyber coverages. It also contains an overview of case law evaluating coverage for cyber liabilities under traditional insurance policies and under cyber specific insurance policies. Hunton will regularly update the suite as the risks, coverages, and law continues to develop.
Cyber and crime insurance policies have been heavily recommended to address the growing prevalence and types of cyber risks. Walter Andrews and Jennifer White recently authored an article appearing in Risk Management discussing how the purchase of cyber and crime insurance policies alone is not enough to successfully manage these risks. These policies must be carefully evaluated and tailored to the particulars of each organization. The full article is available here. In the article, Andrews and White identify four key questions that every organization must ask when purchasing cyber and crime insurance policies to ensure that their cyber coverage is sufficient to meet their organization’s needs.