
InfoBytes Blog

Financial Services Law Insights and Observations



  • FFIEC joint statement addresses role of cyber insurance in risk management programs

    Federal Issues

    On April 10, the Federal Financial Institutions Examination Council (FFIEC) members issued a joint statement advising financial institutions to consider the role of cyber insurance as a component of their overall risk management programs in light of the increasing number of sophisticated cyber-attacks. While financial institutions are not required to have cyber insurance, the FFIEC stated that it can be an effective tool to help mitigate risk. However, the FFIEC emphasized that cyber insurance does not diminish the need for a sound control environment; rather, it “may be a component of a broader risk management strategy that includes identifying, measuring, mitigating and monitoring cyber risk exposure.” Additionally, cyber insurance may offset financial losses resulting from data breaches that may not be covered by traditional insurance policies. Considerations for financial institutions assessing the costs and benefits of adding cyber insurance include: (i) involving multiple stakeholders in the decision; (ii) conducting proper due diligence to understand coverage and identify any gaps; and (iii) reviewing cyber insurance as part of a financial institution’s annual insurance review and budgeting process.

    Federal Issues FFIEC Privacy/Cyber Risk & Data Security Cyber Insurance Risk Management

  • Treasury Deputy Secretary Raskin Delivers Remarks On Cybersecurity and Insurance

    Privacy, Cyber Risk & Data Security

    On September 10, Deputy Secretary of the Treasury Sarah Bloom Raskin delivered remarks at the Center for Strategic and International Studies Strategic Technologies Program in Washington, D.C. After summarizing threats posed to U.S. companies and strategic interests and citing notable recent cyberattacks, Raskin laid out the roles governments, the insurance industry, and state insurance regulators can take in responding to cyberattacks.

    Raskin noted that governments can facilitate information-sharing related to cyber threats and deter incidents through law enforcement and diplomatic engagement as well as by imposing financial sanctions on wrongdoers overseas. The insurance sector can gauge the risks and costs posed by cyber incidents and provide an important risk mitigation tool by allowing policyholders to transfer some financial exposure associated with cyber events. The insurance qualification and underwriting process also encourages businesses to engage in increased cybersecurity and risk-mitigation activities. Finally, state insurance regulators can assist response by setting standards for cybersecurity and the protection of the sensitive information of policyholders at the entities that they regulate.

    Department of Treasury Cyber Insurance Privacy/Cyber Risk & Data Security

  • Treasury Deputy Secretary Raskin Delivers Remarks on Cybersecurity in the Financial Sector

    Privacy, Cyber Risk & Data Security

    On July 14, Deputy Secretary of the Treasury Sarah Bloom Raskin delivered remarks at the American Bankers Association Summer Leadership meeting in Baltimore. Speaking on cybersecurity and cyber-resiliency in banking and the financial sector generally, Raskin’s remarks continued her December 2014 remarks in Austin at the Executive Leadership Cybersecurity Conference regarding three main areas, including (i) baseline protections, (ii) information sharing, and (iii) response recovery. According to Raskin, since December the growing number of cyberattacks – including against health insurers and the federal government’s Office of Personnel Management – has made the government and public more mindful of the serious threat posed by cyberattacks. Accordingly, cybersecurity has seen a “profoundly positive cultural change,” moving beyond just the purview of IT specialists. Deputy Secretary Raskin’s most recent remarks added 10 follow-up questions for banks and financial entities to consider, including whether cybersecurity is incorporated into the bank’s governance systems, security controls are tailored to specific cyber risks presented (as opposed to a “one-size fits all” approach), enhanced controls are implemented and adequate training provided, and basic “cyber hygiene” practices (including multi-factor authentication) are followed. Raskin also emphasized the need to appropriately tailor cyber risk insurance.

    Privacy/Cyber Risk & Data Security Department of Treasury Cyber Insurance

  • Treasury Official Urges Banks to Consider Cyber Insurance, Assess Cybersecurity Readiness

    Privacy, Cyber Risk & Data Security

    On December 3, Deputy Secretary Raskin delivered remarks at the Texas Bankers’ Association Executive Leadership Cybersecurity Conference. During her prepared remarks, Raskin noted recent data security breaches across many business sectors, including financial services, and presented ten questions for bank CEOs to consider when assessing their institutions’ cybersecurity readiness. Notably, Raskin urged the bank executives to consider relatively new cyber risk insurance for the financial recovery it provides because the underwriting processes could enhance other cybersecurity controls and provide helpful information for assessing a bank’s risk level. Currently, over 50 insurance carriers offer some form of cyber insurance coverage. Raskin’s remarks come only weeks after Congressional leaders sent a letter to financial institutions requesting that they provide information about their ability to protect consumers and safeguard personal information in the event of a data breach or cyber-attack.

    Department of Treasury Risk Management Cyber Insurance Privacy/Cyber Risk & Data Security
