As I noted in a post last week, Sarah Raskin, the second-ranking official at the U.S. Department of Treasury, gave a speech earlier this month in which she outlined the steps bank boards can take to address cybersecurity issues and laid out the reasons why banking institutions should be investing in cyber insurance. This speech is only one of several recent developments raising the possibility that federal banking regulators may be moving toward requiring banks to carry cyber insurance, according to Tracey Kitten’s December 12, 2014 blog post on the Bank Info Security blog entitled “Will Banks Be Required to Have Cyber-Insurance?” (here).
For example, on December 10, 2014, the New York State Department of Insurance Superintendent Benjamin M. Lawsky issued an industry guidance letter to all New York State Department of Financial Services (DFS)-regulated banks outlining the specific issues and factors on which those institutions will be examined as part of the agency’s new targeted cyber security preparedness assessments. The guidance letter expressly states that the department’s cyber security examinations will include “cyber security insurance coverage and other third-party protections.” The Department’s December 10, 2014 press release about the new industry guidance can be found here. The December 10, 2014 letter sent to banks can be found here.
In her blog post, the author suggests that this move “by one of the nation’s largest states” could “foreshadow” cyber insurance requirements to be included in the anticipated cybersecurity guidance of the Federal Financial Institutions Examination Council. (As discussed here, the FFIEC is an organization of federal banking regulators and other institutions to prescribe principles for the uniform supervision of banking institutions.) On November 3, 2014, the FFIEC released the observations from the cybersecurity assessment that a number of its members participated in during the summer of 2014. Among other things, the organization’s observations included a statement that “as a result of the cybersecurity assessment, FFIEC members are reviewing and updating current guidance to align with changing cybersecurity risk.” (For more about the anticipated updated FFIEC cybersecurity guidance, refer here.)
Among other things, the blog post quotes one observer as saying, in light of the new concerns following the recent JP Morgan Chase data breach, “there’s little doubt that cyber-insurance will be a requirement that the FFIEC includes in its forthcoming cyber guidance.” The observer, a senior official at the Gartner consulting firm, adds the comment that “Cyber-insurance helped Target and Home Depot lower their breach-related costs substantially and, thus, converted market participants from former skeptics to current believers in the cyber-insurance policies.”
Whether or not federal regulators implement an express requirement that banking institutions carry cyber insurance, it does seem increasingly likely that banking examiners will be reviewing banking institutions’ cyber insurance programs. Even if there is no express requirement, the inclusion of the item in the examination program could create a strong incentive for banking institutions to purchase the insurance.