Federal Regulatory Agencies Advise on Cyber Insurance for Information Security Programs

Federal regulatory agencies, acting through the Federal Financial Institutions Examination Council (FFIEC), have issued guidance for financial institutions about the role of cyber insurance in risk management of information technology systems. See, e.g., FDIC FIL-16-2018 (April 10, 2018); OCC Bulletin 2018-8 (April 11, 2018). The agencies—principally responsible for supervising banks, savings associations, and credit unions—adopted a “joint statement,” entitled Cyber Insurance and Its Potential Role in Risk Management Programs, that does not establish “any new regulatory expectations.” Instead, the guidance for cyber insurance addresses several practical aspects that a financial institution should consider when assessing the potential uses of cyber insurance and reinforces key elements of the institution’s overall information security program.

Key takeaways from the guidance:

• Cyber insurance is not required.
• If a financial institution considers obtaining cyber insurance, the institution’s assessment “should include an analysis of the institution’s existing cybersecurity and IT risk management programs to evaluate the potential financial impact of residual risk.”
• Cyber insurance, if carried, must be managed. A financial institution is advised to evaluate and track key elements of the insurance arrangement, including:
  • The “insurance policy terms, coverage, exclusions, and costs for cyber events;”
  • Events that trigger coverage and conditions that could give rise to exclusions; and
  • Financial strength and claims paying history of the insurer, particularly in light of the possibility that multiple policy holders might file claims during the same period.
• The financial institution regulators have worked, including through the FFIEC, to establish safety and soundness standards that a financial institution must meet when maintaining its information systems, and the guidance on cyber insurance reiterates core aspects of existing law.
  • For nearly two decades, the law has required a financial institution to implement and maintain a risk-based information security program to designed to protect the security, confidentiality, and integrity of “customer information.” See, g., 12 C.F.R. pt. 208, app. D-2 (Interagency Guidelines Establishing Information Security Standards, as adopted by the Board of Governors of the Federal Reserve System). Longstanding policy under the Interagency Guidelines has held that “[i]nsurance coverage is not a substitute for an information security program.” See, e.g., OCC, Small Entity Compliance Guide, at 10 (Dec. 2005).
  • The guidance emphasizes that “[p]urchasing cyber insurance does not remove the need for a sound control environment,” and “[a]n effective system of controls remains the primary defense against cyber threats.”