If you think you are being overly paranoid about the recent cyber attacks on Sony, JP Morgan, and Target, think again. You aren’t the only one that has been paying attention – hackers are also front-and-center on the minds of the United States Treasury. During a conference of the Texas Bankers’ Association last week, Sarah Raskin, the Deputy Treasury Secretary, urged banks and other financial institutions to consider purchasing cyber insurance in response to the latest round of data hacking.
Although it is undoubtedly sound advice, it seems a bit strange that the United States Treasury is pitching products for the insurance industry. The reason appears to be the Treasury’s belief that this developing product will operate to increase cyber defenses industry wide. Ms. Raskin told the group of bankers “Ideally, we can imagine the growth of the cyber insurance market as a mechanism that bolsters cyberhygiene for banks across the board.” Perhaps. As coverage practitioners, we agree that cyber insurance is a great risk mitigation tool, and fast becoming a necessity. But there is no certainty that any company, including banks, will increase their collective defenses when their financial risk has been lessened by the purchase of insurance.
Nevertheless, Ms. Raskin’s message corroborates what we all know now: no company can feel safe from cyber threats. Ms. Raskin specifically referenced three well-publicized attacks in suggesting that “the prevalence of cyberrisk creates a persistent and complex challenge for financial institutions,” but those are three of just dozens of similar attacks publicized over the last few months. With hackers penetrating the defenses of the Sonys and Targets of the world, banks and other financial institutions need to be concerned because they possess not only their customers’ personal financial information, but their actual bank account information.
It would be great if you could simply rely on your current insurance policies, but inconsistent judicial opinions and the increasing prevalence of exclusions for data and data breaches provides no assurances that existing insurance portfolio offers you the protection you need. If you have any questions about the scope of your coverage against cyber attacks, consult with your coverage attorney.