Welcome » IT Booklets » Information Security » Security Controls Implementation » Insurance
Financial institutions should carefully evaluate the extent and availability of coverage in relation to the specific risks they are seeking to mitigate.
Financial institutions use insurance coverage as an effective method to transfer risks from themselves to insurance carriers. Coverage is increasingly available to cover risks from security breaches or denial of service attacks. Several insurance companies offer e-commerce insurance packages that can reimburse financial institutions for losses from fraud, privacy breaches, system downtime, or incident response. When evaluating the need for insurance to cover information security threats, financial institutions should understand the following points:
Insurance coverage is rapidly evolving to meet the growing number of security-related threats. Coverage varies by insurance company, but currently available insurance products may include coverage for the following risks:
Financial institutions can attempt to insure against these risks through existing blanket bond insurance coverage added on to existing policies in order to address specific threats. It is important that financial institutions understand the extent of coverage and the requirements governing the reimbursement of claims. For example, financial institutions should understand the extent of coverage available in the event of security breaches at a third-party service provider. In such a case, the institution may want to consider contractual requirements that require service providers to maintain adequate insurance to cover security incidents.
When considering supplemental insurance coverage for security incidents, the institution should assess the specific threats in light of the impact these incidents will have on its financial, operational, and reputation risk profiles. Obviously, when a financial institution contracts for additional coverage, it should ensure that it is aware of and prepared to comply with any required security controls both at inception of the coverage and over the term of the policy.