In a recent column, I discussed cyber risks that could adversely affect bank and brokerage customers and explored the conditions necessary for development of actuarially sound insurance products at the retail level to protect individuals from the most catastrophic of cyberattacks to their accounts.
While new consumer-oriented insurance products are being offered to guard against cyberattacks, they don’t necessarily mitigate a consumer’s nightmare scenario. That scenario goes beyond having personally identifiable information stolen to having your bank’s digital records wiped out or otherwise corrupted by a malicious actor, eliminating any history of your account balances. So this is the question: would your bank or brokerage stand by you in the event of such an attack or is cyber risk insurance necessary?
Regardless of the availability of cyber risk insurance for individuals, the threat to consumers flows from vulnerabilities within and across financial institutions. To the extent an individual’s bank or other financial services provider has strong institutional defenses, risk to individuals falls dramatically.
Fortunately, the financial sector has one of the most sophisticated network defenses of any sector and has been taking proactive steps to lessen the likelihood and impact of cyberattacks. Moreover, financial institutions are subject to considerable regulatory mandates governing the security and privacy of customer information, including intensive supervision of the adequacy of security controls, such as customer authentication and encryption, as well as backup plans and oversight of third-party providers.
Over the past few years, the Financial Services Information Sharing and Analysis Center (FS-ISAC) and other financial industry-led groups have collaborated with the U.S. Treasury Department and other federal agencies to conduct more than a dozen cyber exercises to assess the risks and impacts of attacks on the financial services sector. One of the outcomes from those cyber exercises, referred to as the Hamilton Series, is the launch of a private-sector initiative known as Sheltered Harbor.
Expected to be operational in the near future, Sheltered Harbor seeks to enhance the financial services industry’s resiliency in the event of a major disaster and relies on the concepts of shared standards and mutual assistance. The concept for the initiative stems from a concern that a destructive malware attack (similar to the Sony Entertainment attack) could result in the intentional corruption of data, leaving an institution uncertain whether its own records can be trusted. Sheltered Harbor is an effort to create standards that provide a fallout shelter for customer account information in formats that would permit accounts to be transferred to other institutions.
By adhering to Sheltered Harbor standards, a financial institution that is subject to a major cyberattack and unable to recover in a timely manner will enable its customers to access their accounts and balances from another participating financial institution. According to FS-ISAC, Sheltered Harbor members access specifications for common data formats, secure storage (“data vaults”) and operating processes to store and restore data, and receive a Sheltered Harbor acknowledgement of adherence to those specs. Current Sheltered Harbor membership covers more than 72 percent of U.S. retail bank and brokerage accounts.
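The two paragraphs above describe the idea in outline: account data is written in a common format to a secure "data vault" so that, if the originating institution's records are corrupted, another institution can restore the accounts and trust what it restores. The Python below is an added illustration of that concept, not Sheltered Harbor's specification or any institution's code; the record fields, the canonical JSON layout, the HMAC-based seal, the write-once vault and the sample accounts (including the date) are all constructed for the example. The point it demonstrates is the integrity half of the problem the column raises: a restore that refuses a snapshot whose contents no longer match the seal written at vaulting time.

```python
import hashlib
import hmac
import json

# Constructed sample records (hypothetical customers and balances, not real data).
SAMPLE_ACCOUNTS = [
    {"account_id": "A-1002", "customer": "Bob", "balance_cents": 30075},
    {"account_id": "A-1001", "customer": "Alice", "balance_cents": 1250000},
]

# Demo key only; a real vault would hold the sealing key apart from the data it protects.
VAULT_KEY = b"constructed-demo-key-not-for-production"


def canonical_snapshot(accounts, as_of):
    """Serialize account records into a canonical, institution-neutral byte string.

    Sorting the records and the keys makes the output deterministic, so two
    institutions rendering the same accounts produce byte-identical snapshots.
    """
    payload = {"as_of": as_of, "accounts": sorted(accounts, key=lambda a: a["account_id"])}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def seal_snapshot(data, key=VAULT_KEY):
    """Attach a keyed digest so later alteration of the vaulted bytes is detectable."""
    tag = hmac.new(key, data, hashlib.sha256).hexdigest()
    return {"data": data, "tag": tag}


class ImmutableVault:
    """Write-once store: a snapshot for a given date can be added and read, never replaced."""

    def __init__(self):
        self._entries = {}

    def store(self, as_of, sealed):
        if as_of in self._entries:
            raise ValueError(f"snapshot for {as_of} already vaulted; vault is write-once")
        self._entries[as_of] = dict(sealed)

    def fetch(self, as_of):
        return dict(self._entries[as_of])


def restore_snapshot(sealed, key=VAULT_KEY):
    """Verify the seal before restoring; refuse to load a corrupted or tampered snapshot."""
    expected = hmac.new(key, sealed["data"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise ValueError("integrity check failed: snapshot corrupted or tampered")
    return json.loads(sealed["data"])


def demo():
    """Vault one snapshot, restore it, then show a corrupted copy is rejected."""
    vault = ImmutableVault()
    sealed = seal_snapshot(canonical_snapshot(SAMPLE_ACCOUNTS, "2000-01-31"))
    vault.store("2000-01-31", sealed)

    restored = restore_snapshot(vault.fetch("2000-01-31"))
    restored_ok = restored["accounts"][0]["account_id"] == "A-1001"

    # Simulate the corruption scenario: a balance in the vaulted bytes is altered
    # after sealing. The stored tag no longer matches, so the restore must refuse it.
    corrupted = {"data": sealed["data"].replace(b"1250000", b"0"), "tag": sealed["tag"]}
    try:
        restore_snapshot(corrupted)
        corrupted_rejected = False
    except ValueError:
        corrupted_rejected = True

    return restored_ok, corrupted_rejected


if __name__ == "__main__":
    print(demo())
```

Two design choices carry the weight here. The canonical serialization is what makes the "common data format" portable: a receiving institution can regenerate the same bytes from the same records and compare them. The keyed seal is what turns a silent corruption into a loud failure; with a plain hash, an attacker who can rewrite the vaulted data can rewrite the hash beside it, so the key has to live somewhere the data-corrupting malware cannot reach.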
In addition, the financial services sector has taken a number of other steps to enhance cyber defenses such as sharing data and developing cyber security incident response protocols. Looking ahead, further investment and public-private partnership in risk-based research and development continue to gain traction.
And back on the topic of insurance, while cyber risk policies for individuals remain nascent, the market is much more mature for businesses and financial institutions. Corporate demand for such insurance has surged, as has the number of insurance companies offering coverage in what has become a more than $2 billion industry.
For a financial institution, cyber insurance has several benefits: risk and incident costs are pooled with other insured institutions, insurers require transparency and forensics around incidents, and the underwriting process rewards good cyber risk management and security practices. Combined with the other steps that either have been taken or are planned to enhance cyber protection, the financial sector is in a relatively strong position to defend against cyberattacks relative to other sectors of the economy.
On the matter of whether cybersecurity insurance can actually protect consumers from attack, the more pertinent question is whether an individual’s financial institution is taking appropriate steps to ensure continued services for customers in the event of a serious cyberattack. While risks remain, the actions being taken by the financial services industry offer much-needed assurance to consumers of the financial services and products that serve as the lifeblood of the U.S. economy.
Douglas Criscitello is a senior lecturer and executive director of the MIT Golub Center for Finance and Policy at MIT Sloan School of Management.
The views expressed by contributors are their own and are not the views of The Hill.