5 Takeaways From the FFIEC Joint Statement on Cyber Insurance

by Chris Bedel | Apr 13, 2018


On Wednesday, April 10, 2018, the FFIEC issued a joint statement on cyber insurance, specifically, on how financial institutions manage their coverage.


We've been interested in the role that cyber insurance plays in the information security programs of banks and credit unions for some time now, so we're glad to see regulators enhance their guidance on this.

It's an easy read, but to make it even easier, we've highlighted our top takeaways as this week's Friday 5:

1. Cyber Insurance is an Evolving Marketplace

In response to an ever-changing landscape, insurance companies are constantly changing their offerings to align with customer needs and to protect themselves from risk.  That means that various components may change from year to year, including limits, reporting requirements, what is covered, etc.

2. Understand your Risk Assessment

Insurance is meant to transfer residual risk that cannot be mitigated to an acceptable level.  How do you know what insurance to buy, and how much, if you don't understand your cyber risks?  We recommend a solid asset-based risk assessment, along with the FFIEC Cybersecurity Assessment Tool, as a start.

3. Involve Multiple Stakeholders in the Decision Making Process

As with almost anything related to a cyber incident, multiple perspectives can be really helpful, since it's not just IT that is affected by a cyber attack.  Make sure that legal, finance, risk, IT, and Information Security Management (ISO or CISO) are involved.

4. Perform Due Diligence on your Coverage

This goes without saying, but it often gets overlooked or delayed.  Your organization needs to review its coverage areas and identify where the gaps are.  Understand limits and exclusions, and discuss how those gaps would affect specific cyber scenarios.  Make sure your incident response team understands how the coverage is triggered and who is authorized to trigger it.

5. Evaluate Cyber Insurance Annually

Consistent with the rest of your information security program, this isn't a one-and-done event.  You should be working through items 1-4 once a year to properly manage your coverage.


BTW, the PDF of the FIL can be found here:

https://www.fdic.gov/news/news/financial/2018/fil18016a.pdf


If you are looking for help with review of your current cyber insurance policy let us know at support@bedelsecurity.com
