The Federal Financial Institutions Examination Council (FFIEC) members issued a joint statement on April 10, 2018, to raise awareness of the potential role cyber insurance can play in a financial institution’s risk management program. The FFIEC stated that cyber insurance may offset financial losses resulting from cyber incidents, but that it is not required by any of the FFIEC members.
The FFIEC comprises the principals of the Board of Governors of the Federal Reserve System, the Consumer Financial Protection Bureau, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the State Liaison Committee.
The joint statement emphasized that, while cyber insurance may be an effective tool for mitigating financial risk associated with cyber incidents, it does not remove the need for a sound control environment. Rather, cyber insurance should be a component in a financial institution’s risk management program.
The FFIEC members stated that when weighing the benefits and costs of cyber insurance, a financial institution’s considerations may include: (1) involving multiple stakeholders in the cyber insurance decision; (2) performing proper due diligence to understand available cyber insurance coverage; and (3) evaluating cyber insurance in the annual insurance review and budgeting process.
The entire statement can be found here.