Pub. 13 2018-2019 Issue 1

WWW.NEBANKERS.ORG

First-Party Versus Third-Party Insurance

Cyber insurance coverage is usually structured one of two ways: first party or third party. It is important to understand the difference and to know which type of coverage is right for you, or whether you need both.

First-party insurance protects against direct expenses incurred by the insured party, usually covering costs such as customer notification, event management, business interruption, and cyber extortion.

Third-party insurance usually protects against claims made by the insured's customers, partners, or vendors as a result of a cyber incident at your institution.

Cyber Insurance Coverage Due Diligence

The following considerations may be helpful when evaluating cyber insurance as a potential risk mitigation measure:

• Include appropriate departments and key personnel across the institution.
• Consider engaging outside advisors as needed.
• Review the scope of existing and proposed insurance coverage to identify gaps.
• Research to understand insurance terms, coverage, exclusions, costs, benefits, etc.
• Cyber insurance is relatively new, and therefore, policy terms and language may not be standardized and coverage will likely be very different across providers.
• Examine providers, including financial strength (ratings), claim history, cyber history, etc.
• Determine what types of cyber events are covered and what incidents might be excluded.
• Understand insurance limits, deductibles, and any notification requirements that may apply.
• Ensure control requirements (employee training, policies, logical access controls, technologies, etc.) defined in the policy are being followed by the institution.
• Include details of cyber insurance in your incident response plan and ensure key personnel are familiar with the plan.
• Assess the benefits of the cyber insurance policy relative to the cost.
• Avoid substituting insurance coverage in the place of sound operational risk management.
• Cyber insurance continues to evolve; therefore, implement an annual insurance review.

Additional Resources

While cyber insurance may not be the answer for all institutions, it can be a valuable mitigation control as a part of an overall risk management plan. Below are additional resources you might find helpful related to cyber insurance:

• FFIEC Joint Statement - https://www.ncua.gov/newsroom/Pages/news-2018-april-ffiec-joint-statement.aspx
• Homeland Security, Cybersecurity Insurance - https://www.dhs.gov/cybersecurity-insurance
• Homeland Security, Cyber Incident Data - https://www.dhs.gov/publication/cyber-incident-data-and-analysis-working-group-white-papers
• FFIEC InfoBase Management Booklet, Insurance - https://ithandbook.ffiec.gov/it-booklets/management/iii-it-risk-management/iiic-risk-mitigation/iiic7-insurance.aspx
• FFIEC Cybersecurity Assessment Tool - https://www.ffiec.gov/cyberassessmenttool.htm

Russ Horn is the president of CoNetrix, a provider of information technology consulting, IT/GLBA audits and security testing, Aspire IT hosting, and the developer of Tandem, a security and compliance software suite designed to help financial institutions create and maintain their Information Security Programs. Visit CoNetrix at www.CoNetrix.com.

Cyber insurance is designed to mitigate losses from a data breach involving sensitive customer information; however, some coverage may also include other cybercrime such as business interruptions or network damage. Cyber insurance varies greatly in coverage and enrollment.

Tech Talk — continued from page 19
