The Federal Financial Institutions Examination Council (the "FFIEC") advised financial institutions to consider incorporating cyber insurance into their broader defense against cyber threats. In a joint statement, the FFIEC encouraged institutions to review their risk management programs in light of the increasing number and sophistication of cyber-attacks.

According to the joint statement, institutions that are weighing the costs and benefits of adding cyber insurance to their risk management programs may want to consider (i) including multiple stakeholders in the decision, (ii) conducting proper due diligence, and (iii) reviewing cyber insurance in an annual insurance review and budgeting process.

Commentary / Joseph V. Moreno

While not required by regulators, cyber insurance can be an important component of a financial institution's risk management program so long as close attention is paid to the fine print. The application process for a new cyber policy can be extremely detailed and technology-specific, and the information disclosed up front about a firm's cyber practices and risk profile can later be used as the basis to withhold coverage if it is deemed not to have been entirely accurate. A new policy typically will not cover losses stemming from cyber incidents that occurred prior to a retroactive date unless such coverage is specifically negotiated. In addition, many firms have been caught by surprise when they find out that their high-dollar policies often contain smaller caps for various types of losses or expenses, or even outright exclusions for certain items such as the payment of ransom to a ransomware attacker, losses stemming from third-party vendor breaches, or the retention of counsel to respond to government investigations. Firms that have or are considering cyber insurance must educate themselves on how a policy will co-exist with their existing property and liability coverage and exactly what it will – and will not – cover. The devil is truly in the details, and a poorly customized and negotiated cyber policy may provide nothing more than a false sense of (cyber) security.