The Federal Financial Institutions Examination Council (the "FFIEC") advised financial institutions to consider incorporating cyber insurance into their broader defense against cyber threats. In a joint statement, the FFIEC encouraged institutions to review their risk management programs in light of the increasing number and sophistication of cyber-attacks.
According to the joint statement, institutions that are weighing the costs and benefits of adding cyber insurance to their risk management programs may want to consider (i) including multiple stakeholders in the decision, (ii) conducting proper due diligence, and (iii) reviewing cyber insurance in an annual insurance review and budgeting process.
Commentary / Joseph V. Moreno
While not required by regulators, cyber insurance can be an important component of a financial institution's risk management program so long as close attention is paid to the fine print. The application process for a new cyber policy can be extremely detailed and technology-specific, and the information disclosed up front about a firm's cyber practices and risk profile can be used as the basis to withhold coverage later if deemed not to have been entirely accurate. The effective date for a new policy typically will not cover losses...