The Federal Financial Institutions Examination Council warnedcredit unions and other financial institutions to think carefullyabout cyber insurance, according to a statement from the regulatortoday.

The regulator said that as more and more data breaches and securityincidents make headlines, credit unions and other financialinstitutions should gather the right people, do the right researchand make enough room in the budget if they're going to buy cyberinsurance, which typically protects against claims from members,partners or venders as a result of a data breach or other cyberincident at a financial institution.

“The FFIEC members do not require financial institutions tomaintain cyber insurance. The evolving cyber insurance market andthe shifting cyber threat landscape may, however, prompt financialinstitutions to consider whether cyber insurance would be aneffective part of their overall risk management programs,” itsaid.

The FFIEC also noted that cyber insurance coverage options varygreatly and might come as stand-alone policies or live in parts ofother coverage, such as general liability, business interruption,errors and omissions or other policies. Understanding the scope ofcoverage is critical, it cautioned.

“The increasing number and sophistication of cyber incidentsaffect financial institutions of all sizes, and remediation ofcyber incidents can be costly. Traditional insurance policies forgeneral liability or basic business interruption coverage may notfully cover cyber risk exposures without special endorsement or byexclusion not cover them at all. Coverage may also be limited andnot cover incidents caused by or tracked to outside vendors,” itsaid. “Cyber insurance may offset financial losses from a varietyof exposures, such as data breaches resulting in the loss ofsensitive customer information.”

Credit unions and other financial institutions consideringbuying cyber insurance should do three things, the FFIECwarned.

• First, they should involve multiple stakeholders and all theappropriate departments in the institution to determine whetherinternal controls address cyber risk vulnerabilities. They shouldalso work together during the cyber insurance decision-makingprocess, the FFIEC said.
• Second, credit unions and other financial institutions shoulddo the right homework on cyber insurance coverage. Among otherthings, they should look for coverage gaps, know the deductiblesand coverage terms, know what kinds of events trigger coverage,check on the financial strength of the insurer and know what theinstitution needs to do to comply with each policy'srisk-management and control requirements, the FFIEC said.
• Third, the FFIEC said credit unions and other financialinstitutions should weigh the costs and benefits of cyber insuranceduring their annual insurance reviews and budgeting processes. Thatincludes making sure there's enough coverage, confirming what'scovered and making sure the board is engaged.

The FFIEC also warned credit unions and other financialinstitutions not to get lazy if they do buy cyber insurance.

“As with any insurance coverage, cyber insurance does notdiminish the importance of a sound control environment. Rather,cyber insurance may be a component of a broader risk managementstrategy that includes identifying, measuring, mitigating, andmonitoring cyber risk exposure,” it said.

The FFIEC prescribes uniform principles, standards, and reportforms for the federal examination of financial institutions. Itsmembers include the NCUA, CFPB, FDIC, Federal Reserve and OCC.