Commission, committees and councils. In the last few weeks, there’s been no shortage of government regulators and legislators chiming in on cybersecurity measures. Shortly after the recent Securities and Exchange Commission (SEC) guidance and a hearing by the House Financial Services Committee (see my colleague’s blog), the Federal Financial Institution Examination Council (FFIEC) released a joint statement on cyber insurance, providing helpful tips for institutions on how to evaluate different policies and potential gaps in current coverage.
Why are banking regulators focused on cyber insurance right now?
Government agencies and regulators have good reason for focusing on cyber insurance, given continuing escalation of cyber attacks such as ransomware, data breaches and the all-too-common distributed denial of service attacks that continue to plague our financial institutions. While rarely catastrophic, these events create both direct and indirect costs to banks. In a recent study we conducted with Ponemon Institute, we found that the number of ransomware attacks doubled in the last year, taking about 23 days to resolve and costing institutions millions of dollars.
Smaller organizations experience a higher proportion of cyber crime costs relating to malware, web-based attacks, phishing and other social engineering attacks, and stolen devices. Part of what FFIEC members are highlighting is that general liability and business interruption insurance policies don’t always provide sufficient coverage for all potential exposures caused by such cyber events. Evaluating and comparing policies and offerings might be a good idea, particularly for smaller institutions.
So what can cyber insurance do to help banks?
At a minimum, cyber insurance can provide two important benefits.
But there’s more to this than just helping individual banks. Expanding the cyber insurance market could also provide benefits beyond those received by insured banks. For example, larger volumes of actuarial data about breaches could improve underwriting.
That said, there is much that cyber insurance can’t do. It doesn’t actually fix the holes in the processes or technology that assessments identify. For example, it doesn’t make bank employees any less likely to click on phishing emails. It also doesn’t stop or deter bad guys from attacking, and the insurance won’t help repair an institution’s reputation once customers are notified that their personal information may have been compromised.
So, all told, while cyber insurance has benefits, it is only one tool in the overall risk mitigation tool box. Given that smaller institutions are at a disadvantage when it comes to having the resources to thwart sophisticated attacks, it might also be helpful for smaller banks with limited resources to focus on three control areas that can provide some of the biggest bang for their buck against cyber criminals:
And don’t forget: You should expect that these types of activities do not stop at a bank’s walls (or firewalls) but rather extend to the bank’s third parties.
In the end, the FFIEC members’ joint statement may help further spark the developing cyber insurance market, but it won’t be fast enough in the race against ever-increasing cyber threat adversaries. So, if you are contemplating cyber insurance for your bank, first ask yourself: are you sufficiently resourcing the controls that bad guys most often target, and do you have confidence in the bank’s ability to respond and recover if those controls are compromised? After you feel more prepared, then maybe add cyber insurance.
Important note: The content in this blog is general in nature. It is not, and is not intended to be relied on as, advice. It should not replace the expertise of qualified professionals, and readers should seek advice specific to their organization’s needs, which may vary and require unique action.