The institution may rely on insurance policies as part of a mitigation strategy. Traditional business insurance policies include coverage for errors and omissions, commercial general liability, and directors' and officers' liability policies. Management should understand the institution's insurance needs and the limitations of insurance coverage. These policies generally exclude, or may not include, liability for all areas of IT operations and cybersecurity.
In establishing an insurance program, management should recognize its exposure to loss, the extent to which insurance is available to cover potential losses related to information assets and technology, and the cost of such insurance. The insurance program should be commensurate with the size, complexity, and risk of the institution. Management should weigh these factors to determine how much risk the institution assumes directly. In assessing the extent of that residual risk, the institution should analyze the potential effect of an uninsured loss on itself and any affiliates or parent companies. Management should consider seeking the help of insurance consultants, attorneys, and other professionals, as necessary, to fully identify and measure the risk. Management should also review a company's financial condition or credit rating when deciding on an insurance company.
Management should understand that it cannot insure against all risks. Insurance complements, but does not replace, an effective system of controls. Thus, an overall appraisal of the control environment is important in assessing the adequacy of the insurance program.
Management can insure against risks covered in standard insurance policies. Insurance that covers physical disasters often specifically excludes computer hardware and software. To the extent that policies cover physical storage media, they generally omit the extra cost of reconstructing the recorded information found on the media. Management should clearly understand what is covered and document any gaps in coverage.
Before purchasing insurance, management should assess the costs of obtaining insurance. Estimates of these costs enable management to choose the types and amounts of insurance to carry. These estimates also allow management to determine to what extent the institution may choose to self-insure against certain losses.
Insurance policies provide a variety of coverage for events that could affect an institution's IT. The policies can be adapted to a particular institution's IT environment. The evolving threat environment is contributing to increasing interest in and purchase of insurance related to cyber risks. Insurance companies can provide coverage for items including the cost of conducting an investigation into a breach, notifying customers, reputational and crisis management, business interruption, credit monitoring for affected customers, and legal costs. Management should exercise appropriate due diligence in the review of such policies, including policy exclusions to ensure the coverage aligns with management's goals.
As part of the decision to purchase insurance, management should consider the institution's size and complexity and the level and efficacy of controls in place to mitigate risk. Types of insurance may include the following:
- IT equipment and facilities: Damage to the information assets and technology throughout the institution. Coverage should include leased equipment if the lessee is responsible for hazard coverage.
- Media reconstruction: Damage to IT media, such as magnetic tape and disks, if the institution owns and is liable for the media. Insurance is available for on-premises, off-premises, or in-transit situations. Insurance should cover the actual replacement and reproduction cost of the media or, if reproduction is not possible, the value of the media. Additional considerations to determine the amount of coverage should include programming costs and backup expense.
- Extra expense: The extra costs of continuing operations following damage or destruction to the institution's physical location.
- E-banking activities: Loss or liability arising from electronic banking activities such as Internet banking, bill payment services, and mobile financial services.
- Business interruption: Reimbursement for monetary losses resulting from suspension of operations because of the loss, damage, or degradation of data, systems, or services.
- Valuable papers and records: Cost to restore or replace papers and records (not defined as media) in case of direct physical loss or damage.
- Errors and omissions: Protection against claims arising from negligent acts, errors, or omissions that occur in performing IT services for others. These policies can contain the following exclusions:
- Employee dishonesty.
- Libel, slander, or defamation of character.
- Liability of others assumed by the insured under contract or agreement.
- Liability of loss or damage to property of others.
- Personal or bodily injury or sickness.
- Liability arising out of advice from third parties on methods, procedures, and practices, etc.
- Liability for preparation of income tax returns.
- Loss caused intentionally by, or at the direction of, the insured.
Once management has acquired appropriate insurance coverage, it customarily establishes procedures to review and ensure the adequacy of the coverage. These procedures should include an annual program review by the board of directors.
III.C.6 IT Operations
III.C.8 Third-Party Management