The Federal Financial Institutions Examination Council (“FFIEC”) (an entity consisting of all the federal financial institution regulators and five state regulators) issued a Statement to provide awareness of the potential role of cyber insurance in a financial institutions’ risk management program. The FFIEC makes clear that a bank is not required to obtain cyber insurance and the statement “does not contain any new regulatory expectations.” Cyber insurance should only be viewed as a component of a risk management program. However, bank regulators do not spend their time and effort to issue statements just to remind banks that a certain action is not required. If cyber insurance is not part of you risk management program, now is the time to reconsider the use of cyber insurance to mitigate cyber incursions.
The Statement notes that many aspects of the cyber insurance marketplace, such as terminology, claims history, legal precedents, and risk modeling continue to evolve and are shaping the nature and scope of cyber insurance. Because the cyber insurance marketplace is evolving, coverage options vary greatly. Will it be a stand-alone policy or will…
