We've been interested in the role that cyber insurance plays in the information security programs of banks and credit unions for some time now, so we're glad to see regulators enhance their guidance on this.
It's an easy read, but to make it even easier, we've highlighted our top takeaways as this week's Friday 5:
1. In response to an ever-changing threat landscape, insurance companies are constantly adjusting their products to align with customer needs and to protect themselves from risk. That means various components of a policy may change from year to year, including limits, reporting requirements, what is covered, etc.
2. Insurance is meant to transfer residual risk that cannot be mitigated to an acceptable level. How do you know what insurance to buy, and how much, if you don't understand your cyber risks? We recommend a solid asset-based risk assessment, along with the FFIEC Cybersecurity Assessment Tool, as a starting point.
3. As with almost anything related to a cyber incident, multiple perspectives are really helpful, because IT is not the only function affected by a cyber attack. Make sure that legal, finance, risk, IT, and Information Security Management (ISO or CISO) are involved.
4. This goes without saying, but it often gets overlooked or delayed. Your organization needs to review its coverage areas and identify where the gaps are. Understand limits and exclusions, and discuss how those gaps would play out in specific cyber scenarios (for example, a ransomware outage or a business email compromise). Make sure your incident response team understands how the coverage is triggered and who is authorized to trigger it.
5. Consistent with the rest of your information security program, this isn't a one-and-done event. You should be revisiting items 1-4 once a year to properly manage your coverage.
BTW, the PDF of the FIL can be found here:
https://www.fdic.gov/news/news/financial/2018/fil18016a.pdf
If you are looking for help reviewing your current cyber insurance policy, let us know at support@bedelsecurity.com