The Federal Financial Institutions Examination Council (FFIEC) recently released a Joint Statement entitled Cyber Insurance and Its Potential Role in Risk Management Programs, highlighting the importance of cyber insurance and providing some considerations for how to best understand your financial institution’s insurance needs, evaluate providers, and understand different coverage levels. While cyber insurance is not required by regulatory agencies, it is an area that your management team and board of directors should pay attention to.
Cyber threats continue to multiply and evolve at an increasingly rapid pace, and if you haven’t felt their impact first hand, chances are you will at some point. The best security strategies, plans, systems, and devices are often not enough to match the sheer volume of malicious content and exploits circulating the Internet, even if you haven’t been singled out as a target. Cyber insurance is designed to help businesses mitigate this risk exposure by offsetting costs related to recovery after a data breach, ransomware compromise, denial-of-service attack, or similar event. To maximize the impact and benefits of cyber insurance coverage, you must understand your cyber risk exposure and select the insurance coverage that best addresses your institution’s risks and needs.
What’s the Risk?
The first step in this process is understanding your cyber risk. After all, insurance coverage is not a substitute for sound risk management practices.
Most financial institutions have a layered cybersecurity approach, focusing on policies, procedures, and technology. Employees are trained on information security, cyber scams, and incident response, and mature solutions such as firewalls, network segmentation, data encryption, intrusion prevention systems (IPS), data loss prevention (DLP), and security information and event management (SIEM) are deployed.
It is easy to think of technology and information security when discussing cyber risks, but cyber incidents may have a financial, operational, legal, compliance, and reputational impact too. The true impact is hard to measure ahead of time, especially for data, systems, and content outside your control or knowledge, but social engineering tests, internal/perimeter vulnerability assessments, and external penetration tests (EPTs) go a long way in identifying internal and external risks. In addition, monitoring and evaluating your website/domain security, social media presence, targeted hacktivism, and brand reputation could provide valuable insight into risks unknown to the institution. For more information, see the Cyber Risk Scorecard below or visit www.wipfli.com/cybersecurity.
Based on the potential impacts of cyber incidents, it is important that risk identification, assessment, and mitigation be a collective effort by key areas and personnel in your institution. Third parties are also part of this effort, assisting with risk identification within and outside the institution and also providing assurances of risk mitigating efforts (including insurance coverage) related to the products and services they provide, as well as their environment.
One Size Does Not Fit All
Once you have a clear understanding of your institution’s cyber risks, the next steps are understanding what your insurance coverage options are and selecting the one that best fits your needs. Unfortunately, that is easier said than done.
While general liability insurance coverage tends to be more standardized, cyber insurance coverage can vary drastically among insurers. Even when the terminology used is the same, chances are it doesn’t mean the same thing. Here are some questions you should consider to ensure your institution and insurer are on the same page:
- What cyber incidents are covered?
- Does coverage include incidents within the institution’s environment only, or does it extend to third parties? For example, if your customer data is compromised, does it matter whether your core system is hosted in-house or outsourced?
- Does the policy cover general cyber attacks to which your institution falls victim, or only those specifically targeting the institution?
- Does the policy cover both malicious and accidental actions taken by an employee?
- Does the policy cover social engineering (phishing, spear phishing) as well as network attacks?
- Are corporate-issued and employee-owned mobile devices covered in data breach incidents?
- Are there specific cyber incident requirements, such as the use of an approved forensics vendor, notification time frames, evidence preservation steps, etc.?
- What assistance does the insurer provide in the event of a cyber incident (initial coverage checklists, concierge/coaching services, documentation assistance, customer/law enforcement notification, regulator notification, forensic services)?
Note that many insurers calculate coverage and premiums based not only on the type of coverage and the institution’s size and revenue, but also on the institution’s demonstrable security measures and risk mitigation. In other words, a sound risk management program could translate into actual cost savings.
Round Peg in a Square Hole
If your institution’s incident response procedures don’t align with cyber insurance requirements, the results could be catastrophic.
Whether or not you take advantage of concierge or coaching services offered by the insurer, it is imperative that the insurer’s requirements for reporting incidents, preserving evidence, and performing forensic analysis are followed, lest the insurer deny the claim for failure to comply with those requirements.
Wash, Rinse, Repeat
Now that you’ve identified your institution’s risks, evaluated and selected the right cyber insurance coverage, and aligned your incident response policy and procedures with the insurer’s requirements, there’s nothing else to do…except to do it all over again!
Cyber insurance reviews should be part of your institution’s annual strategic planning and budgeting process. Risk assessments are performed at least annually to address changes in the cyber risk landscape and your institution’s overall environment. Likewise, cyber insurance coverage should be evaluated annually to ensure it addresses your institution’s ever-changing cyber risks and your efforts to mitigate them.