Why it matters

Reflecting the continued regulatory focus on cyber risks, Deputy Secretary of the Treasury Sarah Raskin has some advice for banks: buy cyber insurance. Speaking at the Texas Bankers’ Association Executive Leadership Cybersecurity Conference, Raskin said the lesson from recent high-profile data breaches (including JPMorgan Chase’s 83 million hacked records) should be consideration of cyber risk insurance. In addition to the financial recovery the insurance can provide, the underwriting process itself can help financial institutions more adequately assess their risk level and cybersecurity controls, she said. “Ideally, we can imagine the growth of the cyber insurance market as a mechanism that bolsters cyber hygiene for banks across the board,” Raskin told attendees. “We have learned from these attacks that the prevalence of cyberrisk creates a persistent and complex challenge for financial institutions spanning the sector, including financial institutions of all types and all sizes.”

Detailed discussion

Focusing her remarks on the cybersecurity of the nation’s banks, Raskin first explained the mission of the U.S. Department of the Treasury: “Our ultimate goal is to instill confidence and show that the government – working in appropriate collaboration with the private sector – is defending the American public from damage caused by cyber attacks.”

To that end, Raskin provided a checklist with ten questions for CEOs, with concrete steps for banks to take before an attack occurs. The road map began with some baseline protections intended to prevent penetration of networks and systems as well as limit damage in the event of unauthorized access.

Bank leadership should ask whether cyber risk is part of the bank’s current risk management framework, whether the bank follows the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity, and whether the bank is aware of the cyber risks it is exposed to by vendors and third-party service providers, the Deputy Secretary said.

The fourth question relating to baseline protections: “Do we have cyber insurance? And if we do, what does it cover and exclude? Is our coverage adequate based on our cyber risk exposure?” Raskin noted that while the cyber insurance market is relatively new, it is growing, with more than 50 carriers now offering some type of cyber insurance coverage for organizations ranging from small institutions to Fortune 500 companies.

“Cyber insurance cannot protect your institutions from a cyber incident any more than flood insurance can save your house from a storm surge or D&O insurance can prevent a lawsuit,” she explained. “But what cyber risk insurance can do is provide some measure of financial support in case of a data breach or cyber incident. And, significantly, cyber risk insurance and the associated underwriting processes can also help bolster your other cybersecurity controls. Qualifying for cyber risk insurance can provide useful information for assessing your bank’s risk level and identifying cybersecurity tools and best practices that you might be lacking.”

Raskin also discussed the need to engage in basic cyber hygiene (knowing all of the devices connected to the networks, for example, or patching software on a timely basis) as well as the importance of information sharing, highlighting recent recommendations from the Federal Financial Institutions Examination Council.

For the final category of questions, response and recovery, the Deputy Secretary advised bank CEOs to query whether a cyber incident playbook and point person are in place should an attack occur and what roles senior management and the board play in managing and overseeing the cyber incident response. The logistics of engaging with law enforcement after a breach as well as when and how to inform customers, investors, and the general public in the wake of an incident should also be considered, with transparency as a key factor.

To read Deputy Secretary Raskin’s remarks, click here.