
Financial Outsourcing Solutions

FOS Blog

13 Apr 2018

Cyber Insurance: FFIEC Guidance and the Role in Risk Management

The Federal Financial Institutions Examination Council (FFIEC) issued guidance for financial institutions to consider when determining whether to use insurance as a component of their risk management programs. Cyber-attacks remain a constant threat and are growing on a day-to-day basis. This is evident from recent attacks on Delta, Best Buy, Atlanta’s government, and many more. When evaluating risk mitigation techniques, cyber insurance policies are becoming a more common way to offset financial losses. Historically, the typical insurance policies maintained by institutions did not provide coverage for cyber-related attacks, and a separate policy was required. While insurance coverage in today’s environment is a key component of an enterprise risk management program, it shouldn’t weaken or replace a strong control environment.

A strong control environment and employee awareness are the best components to protect against these unwarranted threats, with insurance coverage as a secondary-level control. Unfortunately, the mindset of management needs to be not “if we suffer a breach,” but “when we have a breach.” For additional information related to the guidance on cyber insurance, refer to the FFIEC’s release on Cyber Insurance and Its Potential Role in Risk Management Programs at: https://www.ffiec.gov/press/pdf/FFIEC%20Joint%20Statement%20Cyber%20Insurance%20FINAL.pdf

For additional information contact Jeff Johns at jjohns@fosaudit.com.
