From The Hill
In a recent column, I discussed cyber risks that could adversely affect bank and brokerage customers and explored the conditions necessary for the development of actuarially sound insurance products at the retail level to protect individuals from the most catastrophic cyberattacks on their accounts.
While new consumer-oriented insurance products are being offered to guard against cyberattacks, they don’t necessarily mitigate a consumer’s nightmare scenario. That scenario goes beyond having personally identifiable information stolen to having your bank’s digital records wiped out or otherwise corrupted by a malicious actor, eliminating any history of your account balances. So this is the question: would your bank or brokerage stand by you in the event of such an attack or is cyber risk insurance necessary?
Regardless of the availability of cyber risk insurance for individuals, the threat to consumers flows from vulnerabilities within and across financial institutions. To the extent an individual’s bank or other financial services provider has strong institutional defenses, risk to individuals falls dramatically.
Fortunately, the financial sector has one of the most sophisticated network defenses of any sector and has been taking proactive steps to lessen the likelihood and impact of cyberattacks. Moreover, financial institutions are subject to considerable regulatory mandates governing the security and privacy of customer information, including intensive supervision of the adequacy of security controls, such as customer authentication and encryption, as well as backup plans and oversight of third-party providers.
Over the past few years, the Financial Services Information Sharing and Analysis Center (FS-ISAC) and other financial industry-led groups have collaborated with the U.S. Treasury Department and other federal agencies to conduct more than a dozen cyber exercises to assess the risks and impacts of attacks on the financial services sector. One of the outcomes from those cyber exercises, referred to as the Hamilton Series, is the launch of a private-sector initiative known as Sheltered Harbor.
Expected to be operational in the near future, Sheltered Harbor seeks to enhance the financial services industry’s resiliency in the event of a major disaster and relies on the concepts of shared standards and mutual assistance. The concept for the initiative stems from a concern that a destructive malware attack (similar to the Sony Entertainment attack) could result in the intentional corruption of data, leaving the integrity of that data in doubt. Sheltered Harbor is an effort to create standards that provide a fallout shelter for customer account information, stored in formats that would permit accounts to be transferred to other institutions.
Read the full post at The Hill.
Doug Criscitello is the Executive Director of MIT’s Center for Finance and Policy and a Senior Lecturer at the MIT Sloan School of Management.