Officials across a range of federal regulatory agencies have made it clear that promoting cyber security is an increasing priority. A critical part of the federal officials’ message has been the message that cyber security should be a corporate governance priority for company executives and corporate boards. For example, in a June 2014 speech, SEC Commission Luis Aguilar highlighted the cyber security oversight responsibilities of corporate boards. Nor are the regulators’ efforts in this regard limited to speech-making; the Federal Trade Commission’s recent action against Wyndham Worldwide related to cyber breaches the company experienced underscores that these regulatory concerns may translate into enforcement action.
Deputy Treasury Secretary Sarah Raskin, the second-ranking official at the agency, in a December 3, 2014 speech to the Texas Bankers’ Association (here), reiterated many of these same messages. In her speech, Raskin, who previously served as a member of the Federal Reserve Board, presents ten questions that that company executives and corporate boards should be asking with respect to cybersecurity concerns. Her speech, which is addressed in particular to the cyber security oversight issues that banking institutions face in the current environment, provides a particularly good overview of the topic.
The ten questions that Raking poses are organized into three categories of activities: (1) baseline protections; (2) information sharing; and (3) response and recovery.
Of particular interest to readers of this blog is one of the questions that Raskin posed within the first category of baseline protections. Among the questions that she asks is what amounts to a ringing endorsement for companies to adopt cyber risk insurance.
Her fourth question overall in her list of ten questions suggests that senior officials at banking institutions should be asking “Do we have cyber insurance? And if we do, what does it cover and exclude?” She adds that officials should also be asking “Is our coverage adequate based on our cyber risk exposure?”
Raskin’s comments include the observation that though the market for cyber insurance is relatively new, it is growing. She notes that more than fifty carriers now offer some type of cyber insurance, and that cyber insurance products now exist for companies of all sizes. She also noted that “policyholders can now find coverage to match a broad array of cyber risks ranging from liability and costs associated with data breaches to business interruption losses and even tangible property damage caused by cyber events.”
Raskin noted that while cyber insurance cannot protect institutions from cyber incidents, it “can provide some measure of financial support in case of a data breach or cyber incident.” She also observed that the underwriting processes for cyber insurance can “help bolster your cybersecurity controls,” because “qualifying for cyber risk insurance can provide useful information for assessing your bank’s risk level and identifying cybersecurity tools and best practices that you may be lacking.”
Raskin also notes that officials at the Treasury department have been thinking about how to “encourage an environment where market forces create insurance products that enhance cybersecurity for businesses,” noting that “we can imagine the growth of a cyber insurance market as a mechanism that bolsters cyber hygiene for banks across the board.” (Raskin defines “cyber hygiene” as the engagement in “fundamental practices to bolster the security and resilience of your networks and systems.”)
Raskin is far from the first governmental official to suggest that cyber risk insurance should be an important part of companies’ efforts to try to address their cybersecurity exposures. For example, in its October 2011 release provide guidance on cyber risk disclosures (here), the SEC specifically noted that among the things that companies should be disclosing with respect to the company’s cyber risk exposures is a “description of relevant insurance coverage.”
While in many respects Raskin’s speech represents a reiteration of messages that other agencies and corporate officials have already made, it is nevertheless a very good summary of the responsibilities of corporate officials with respect to cybersecurity issues. Among other things, her speech emphasizes the fact that the adoption of appropriate cyber risk insurance should be a key part of companies’ response to the growing risk of cyber security exposures.
One final observation about Raskin’s speech is to note her emphasis that cybersecurity risk is a problem not just for the largest companies and financial institutions. It is not just a problem for “the other guy,” it is a problem for all companies. She states at the outset of her speech, which is focused on financial institutions, that the threat of a cyber breach “creates a persistent and complex challenge for financial institutions spanning the sector, including financial institutions of all types and sizes.”
A December 5, 2014 Law 360 article about Raskin’s speech can be found here (subscription required).