Insurance:

From HORSE - Holistic Operational Readiness Security Evaluation.

Insurance Considerations

Financial institutions use insurance coverage as an effective method to transfer risks from themselves to insurance carriers. Coverage is increasingly available to cover risks from security breaches or denial of service attacks. Several insurance companies offer e-commerce insurance packages that can reimburse financial institutions for losses from fraud, privacy breaches, system downtime, or incident response.

When evaluating the need for insurance to cover information security threats, financial institutions should understand the following points:

  • Insurance is not a substitute for an effective security program.
  • Traditional fidelity bond coverage may not protect from losses related to security intrusions.
  • Availability, cost, and covered risks vary by insurance company.
  • Availability of new insurance products creates a more dynamic environment for these factors.
  • Insurance cannot adequately cover the reputation and compliance risk related to customer relationships and privacy.
  • Insurance companies typically require companies to certify that certain security practices are in place.
  • Insurance coverage is rapidly evolving to meet the growing number of security-related threats.

Coverage varies by insurance company, but currently available insurance products may include coverage for the following risks:

  • Vandalism of financial institution Web sites
  • Denial-of-service attacks
  • Loss of income
  • Computer extortion associated with threats of attack or disclosure of data
  • Theft of confidential information
  • Privacy violations
  • Litigation (breach of contract)
  • Destruction or manipulation of data (including viruses)
  • Fraudulent electronic signatures on loan agreements
  • Fraudulent instructions through e-mail
  • Third-party risk from companies responsible for security of financial institution systems or information
  • Insiders who exceed system authorization
  • Incident response costs related to the use of negotiators, public relations consultants, security and computer forensic consultants, programmers, and replacement systems

Financial institutions can attempt to insure against these risks through existing blanket bond coverage, or through coverage added on to existing policies to address specific threats. It is important that financial institutions understand the extent of coverage and the requirements governing the reimbursement of claims. For example, financial institutions should understand the extent of coverage available in the event of a security breach at a third-party service provider. In such a case, the institution may want to consider contractual requirements that oblige service providers to maintain adequate insurance to cover security incidents.

HORSE FACTS: Financial institutions should carefully evaluate the extent and availability of coverage in relation to the specific risks they are seeking to mitigate.

When considering supplemental insurance coverage for security incidents, the institution should assess the specific threats in light of the impact these incidents will have on its financial, operational, and reputation risk profiles. Obviously, when a financial institution contracts for additional coverage, it should ensure that it is aware of and prepared to comply with any required security controls both at inception of the coverage and over the term of the policy.