Joint Statement on Cyber Insurance and its Potential Role in Risk Management Programs


The members of the Federal Financial Institution Examination Council (FFIEC) issued a joint statement which provides topics to credit unions to consider when they are determining whether to use cyber insurance as a component of their risk management program.

The regulators do not require credit unions to maintain cyber insurance. But, the increasing number and sophistication of cyber incidents impact financial institutions of all sizes, and remediation of cyber incidents can be costly. This prompts financial institutions to consider whether cyber insurance would be an effective part of their overall risk management programs.

The joint statement notes that cyberattacks are increasing in volume and sophistication and that traditional general liability insurance policies may not provide effective coverage for all potential exposures caused by cyber events. Cyber insurance could offset financial losses from a variety of exposures—including data breaches resulting in the loss of confidential information—that may not be covered by more traditional insurance policies. Financial institution management should assess the scope of coverage of current insurance and consider how cyber insurance may fit into the institution’s overall risk management framework.

As with any insurance coverage, cyber insurance does not diminish the importance of a sound control environment. Rather, cyber insurance may be a component of a broader risk management strategy that includes identifying, measuring, mitigating, and monitoring cyber risk exposure.

NWCUA member credit unions can find additional information and considerations in the cybersecurity resource center.

Question of the Week

What is FinCEN’s 314(b) program?

The 314(b) program allows financial institutions to share information with one another, under a safe harbor, to help better identify and report potential money laundering or terrorist activities.

This program is voluntary and credit unions should make sure that they are properly registered (if they choose to participate) and that they are sharing information only with other 314(b) registered financial institutions. If you are registered as a 314(b) information sharing institution, you should receive an email with a link to the most up to date list of other participants.


Legal Briefs

National Credit Union Administration (NCUA)

The NCUA announced that it will host a webinar to help credit unions understand the requirements for the Ongoing Customer Due Diligence Rule. Credit unions can register here for the webinar, which will be held at 2 p.m. Eastern on Wednesday, April 25, 2018.

Consumer Financial Protection Bureau (CFPB)

Acting CFPB Director Mick Mulvaney delivered testimony to the House Committee on Financial Services regarding the CFPB’s semiannual report to Congress.

The CFPB has issued a Request for Information regarding how it handles consumer complaints and inquiries.

Acting CFPB Director Muck Mulvaney delivered testimony to the Senate Committee on Banking, Housing and Urban Affairs regarding the CFPB’s semiannual report to Congress.

Federal Reserve Board (FRB)

The FRB announced that it is seeking comment on a proposal to simply its capital rules for large banks.

The statement and minutes of the March 20-21, 2018 Federal Open Market Committee meeting are now available.

Federal Trade Commission (FTC)

The FTC released its report of Annual Highlights for 2017.

The FTC announced the launch of a national cyber campaign to help small businesses strengthen their cyber defenses.

Federal Financial Institutions Examination Council (FFIEC)

The FFIEC issued a joint statement on Cyber Insurance its Potential Role in Risk Management Programs. The guidance reminds institutions that cyber insurance is not a replacement for a strong and sound control environment. The guidance also provides considerations that institutions should take into account when weighing the costs and benefits of cyber insurance.

Office of Foreign Assets Control (OFAC)

OFAC has updated the SDN list as of April 6, 2018. The last update prior to this was April 3, 2018.

Questions? Contact the Compliance Hotline: 1.800.546.4465,

Posted in Compliance News.