Will Banks Be Required to Have Cyber-Insurance?
Sizing Up What FFIEC Guidance Might Include

In addition to a focus on C-level cybersecurity awareness and mitigation strategies aimed at third-party risks, it now seems likely that the new cybersecurity guidance expected from federal banking regulators in 2015 also will include recommendations for investments in cyber-insurance.
On Dec. 10, the New York State Department of Financial Services notified New York banking institutions of expanded IT examination procedures that immediately take effect. In the state department's list of expectations, it specifically notes that state banking regulators will expect to see policies related to cybersecurity insurance - coverage that provides protection in the wake of a breach not only for the bank, but also the third parties with which the bank works.
The move by one of the nation's largest states could foreshadow federal expectations for banking institutions that the Federal Financial Institutions Examination Council will include in its anticipated cybersecurity guidance (see FFIEC to Update Cybersecurity Guidance).
Just days earlier, during an executive leadership cybersecurity conference hosted by the Texas Bankers Association, Sarah Bloom Raskin, deputy Treasury secretary, highlighted why banking institutions must invest in cyber-insurance, another sign that the guidance likely will address the issue.
"Cyber-insurance cannot protect your institutions from a cyber-incident any more than flood insurance can save your house from a storm surge or D&O [directors and officers liability] insurance can prevent a lawsuit," she said during the Dec. 3 conference. "But what cyber-risk insurance can do is provide some measure of financial support in case of a data breach or cyber-incident. And, significantly, cyber-risk insurance and the associated underwriting processes can also help bolster your other cybersecurity controls. Qualifying for cyber-risk insurance can provide useful information for assessing your bank's risk level and identifying cybersecurity tools and best practices that you may be lacking."
Cyber Insurance Expectations
Cyber-attacks, such as the hacking of JPMorgan Chase, are raising concerns about security and highlighting the need for cyber-insurance (see New JPMorgan Chase Breach Details Emerge).
As a result, there's little doubt that cyber-insurance will be a requirement that the FFIEC includes in its forthcoming cyber guidance, says financial fraud expert Avivah Litan, a Gartner analyst.
"Cyber-insurance helped Target and Home Depot lower their breach-related costs substantially, and, thus, converted market participants from former skeptics to current believers in cyber-insurance policies," she says.
More Support for Info Sharing
In addition to highlighting the need for cyber-insurance, the federal cybersecurity guidance coming next year is widely expected to emphasize the need to ramp up cyberthreat information sharing.
But banking institutions need more support from government to develop best practices for sharing cyberthreat intelligence that doesn't compromise consumer or corporate privacy, Brian Peretti, director of the Treasury's Office of Critical Infrastructure Protection and Compliance Policy, testified in a Dec. 10 Senate hearing.
"The federal government can play a unique role in working with industry to support the use and development of standards, guidelines and best practices on cybersecurity, ensuring that these practices are up-to-date and enable technical innovation," Peretti testified.
Congressional Action Could Spur Change
New cybersecurity legislation that awaits President Obama's signature could play a role in easing information sharing.
Earlier this week, Congress approved the National Cybersecurity Protection Act, which would codify the existing cybersecurity and communications operations center at the Department of Homeland Security, known as the National Cybersecurity and Communications Integration Center. The center serves as the federal civilian information sharing interface for cybersecurity.
The legislation would authorize the center's current activities to share cybersecurity information and analysis with the private sector, provide incident response and technical assistance to companies and federal agencies and recommend security measures to enhance cybersecurity.
"One of the best ways that we can defend against cyber-attacks is to encourage the government and private sector to work together and share information about the threats we face," says the bill's co-sponsor Tom Coburn, R-Okla., ranking member of the Homeland Security and Governmental Affairs Committee. "By codifying DHS's cybersecurity information sharing center, this bill sets the stage for future legislation for cybersecurity information sharing that includes liability protections for the private sector."
In a Dec. 5 blog, Gartner's Litan stresses the need for more government-backed cyber-intelligence sharing and argues that government should do more to help banking institutions ward off emerging cyberthreats, which often are state-sponsored.
"It's unrealistic to expect banks to adequately defend their institutions from the full force of a state-sponsored attack," she says. "Banks need help from U.S. intelligence agencies that have extensive experience fighting these state-sponsored attacks against the U.S. military establishment."