Financial Services Law

Treasury Official Advocates for Cyber Insurance

Why it matters

Reflecting the continued regulatory focus on cyber risks, Deputy Secretary of the Treasury Sarah Raskin has some advice for banks: buy cyber insurance. Speaking at the Texas Bankers’ Association Executive Leadership Cybersecurity Conference, Raskin said the lesson from recent high-profile data breaches (including JPMorgan Chase’s 83 million hacked records) should be consideration of cyber risk insurance. In addition to the financial recovery the insurance can provide, the underwriting process itself can help financial institutions more adequately assess their risk level and cybersecurity controls, she said. “Ideally, we can imagine the growth of the cyber insurance market as a mechanism that bolsters cyber hygiene for banks across the board,” Raskin told attendees. “We have learned from these attacks that the prevalence of cyberrisk creates a persistent and complex challenge for financial institutions spanning the sector, including financial institutions of all types and all sizes.”

Detailed discussion

Focusing her remarks on the cybersecurity of the nation’s banks, Raskin first explained the mission of the U.S. Department of the Treasury: “Our ultimate goal is to instill confidence and show that the government – working in appropriate collaboration with the private sector – is defending the American public from damage caused by cyber attacks.”

To that end, Raskin provided a checklist with ten questions for CEOs, with concrete steps for banks to take before an attack occurs. The road map began with some baseline protections intended to prevent penetration of networks and systems as well as limit damage in the event of unauthorized access.

Bank leadership should ask whether cyber risk is part of the bank’s current risk management framework, whether the bank follows the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity, and whether the bank is aware of the cyber risks it is exposed to by vendors and third-party service providers, the Deputy Secretary said.

The fourth question relating to baseline protections: “Do we have cyber insurance? And if we do, what does it cover and exclude? Is our coverage adequate based on our cyber risk exposure?” Raskin noted that while the cyber insurance market is relatively new, it is growing, with more than 50 carriers now offering some type of cyber insurance coverage for organizations ranging from small institutions to Fortune 500 companies.

“Cyber insurance cannot protect your institutions from a cyber incident any more than flood insurance can save your house from a storm surge or D&O insurance can prevent a lawsuit,” she explained. “But what cyber risk insurance can do is provide some measure of financial support in case of a data breach or cyber incident. And, significantly, cyber risk insurance and the associated underwriting processes can also help bolster your other cybersecurity controls. Qualifying for cyber risk insurance can provide useful information for assessing your bank’s risk level and identifying cybersecurity tools and best practices that you might be lacking.”

Raskin also discussed the need to engage in basic cyber hygiene (knowing all of the devices connected to the networks, for example, or patching software on a timely basis) as well as the importance of information sharing, highlighting recent recommendations from the Federal Financial Institutions Examination Council.

For the final category of questions, response and recovery, the Deputy Secretary advised bank CEOs to query whether a cyber incident playbook and point person are in place should an attack occur and what roles senior management and the board play in managing and overseeing the cyber incident response. The logistics of engaging with law enforcement after a breach as well as when and how to inform customers, investors, and the general public in the wake of an incident should also be considered, with transparency as a key factor.

To read Deputy Secretary Raskin’s remarks, click here.

back to top

New York Banks Face New Cybersecurity Exam Process

Why it matters

Adding to the banks’ compliance obligations, effective immediately, banks chartered or licensed in New York will now face an updated cybersecurity examination process, Superintendent of the Department of Financial Services (DFS) Benjamin M. Lawsky announced in a memorandum. “The Department encourages all institutions to view cybersecurity as an integral aspect of their overall risk management strategy, rather than solely as a subset of information technology,” Lawsky wrote. Additions to regulatory examinations will cover areas ranging from protections against intrusion and the configuration of servers and databases to the organization and reporting structure for cyber security issues. “It is our hope that integrating a targeted cybersecurity assessment directly into our examination process will help encourage a laser-like focus on this issue by both banks and regulators,” Lawsky said in a statement. “Cyberhacking is a potentially existential threat to our financial markets and can wreak serious havoc on the financial lives of consumers. It is imperative that we move quickly to work together to shore up our lines of defense against these serious risks.” Given this development, it is essential for affected banks to make cybersecurity exams a priority, and the focus of attention from the board level on down.

Detailed discussion

To promote greater cybersecurity across the financial services industry, the DFS said that information technology (IT) examinations will include a host of new topics related to cybersecurity.

Included in the list: corporate governance, including organization and reporting structure for cybersecurity-related issues; the management of cybersecurity issues (such as the interaction between information security and core business functions, written information security policies and procedures, and periodic reevaluations in light of changing risks); and review of the resources devoted to information security and overall risk management.

The risks posed by infrastructure and protections against intrusion as well as information security testing and monitoring and incident detection and response processes will also be lines of inquiry by the Department.

Has information security been integrated into the business continuity and disaster recovery policies and procedures? The DFS will ask financial institutions this question, and check the training of information security professionals, the management of third-party service providers, and consider the use of any cybersecurity insurance coverage or other third-party protections.

In addition to broadening the scope of exams, the memorandum also put New York banks on notice of a change in the process with, an IT/cybersecurity exam following the comprehensive risk assessment of each institution.

As part of the exam, the DFS will request the CV and job description of the bank’s Chief Information Security Officer or the information security point person, complete with a description of the individual’s training and experience, documenting all reporting lines for that person along with an organization chart for the institution.

All policies and procedures related to information security must be provided as part of the exam, along with a description of how data classification is integrated into the information risk management policies and procedures. The bank’s vulnerability management program (as applicable to servers, endpoints, mobile devices, network devices, systems, and applications) as well as the patch management program should also be detailed for the DFS.

Banks also will be required to explain the due diligence process in place for “vetting, selecting, and monitoring third-party service providers,” as well as provide a copy of the organization’s incident response program with steps for how an incident is reported, escalated, and remediated.

Finally, the regulator will request any “significant changes” to the institution’s IT portfolio over the last 24 months as a result of a merger, acquisition, or new business line.

back to top

OCC Report Highlights Wide Range of Potential Risks

Why it matters

The OCC’s most recent report on current key risks should be read by all banks, regardless of size or regulator, as a road map in preparing for the next examination. Few banks would ever admit they may have eased their loan underwriting standards or practices. However, they must be prepared to prove the negative in the next exam if any loan growth might suggest otherwise to an examiner. And if the bank does any auto lending, expect a full-body-scan exam of that line of business. Further, if a bank is looking at any new fee income opportunities, it would be best to reach out to the bank’s examiners early and make them a partner in the bank’s planning and not just a Monday-morning quarterback. Finally, if the Board of Directors has not undertaken thorough, and likely costly, third-party review projects and implemented changes for IT and cyber risk, and heightened BSA due diligence for high-risk customers, fair lending compliance and enterprise-wide risk management and governance, the Board most likely can expect Management Required Action findings for those areas if not worse criticisms and recommended enforcement action in the next report of examination.

Detailed discussion

The OCC’s Semiannual Risk Perspective for Fall 2014 highlighted several areas of risks facing the federal banking system.

Declining revenues and profitability have resulted in increasing credit risk in the banking sector, the regulator found. Coupled with rising competition for limited lending opportunities, the OCC “has observed weak underwriting standards,” especially in areas such as direct and indirect auto lending, commercial and industrial loans, and asset-based lending, as well as increases in policy and underwriting exceptions.

Another worry for the OCC: a prolonged low-interest-rate environment. Expressing concern about future vulnerability, the report features a special section with data collected to study bank-reported interest rate sensitivities. “Banks that extend asset maturities to pick up yield could face significant earnings pressure and potential capital erosion depending on the severity and timing of interest rate moves,” the regulator wrote.

In an effort to generate revenue and compete with nonbank firms, some banks are reevaluating “business models and risk appetites,” the OCC noted. Efforts to lower overhead expenses include the outsourcing of critical control functions to third parties and the leveraging of technology through cloud computing and mobile banking.

Yet even as banks continue to expand their third-party relationships and permit employees access to systems with personal devices such as mobile phones and tablets, they are failing to incorporate cybersecurity considerations into their overall governance, risk management, or strategic planning process, the OCC said. To ensure that banks establish and follow appropriate risk management processes along the way, examiners “will focus on banks’ strategic planning,” the report noted.

As for BSA/AML risks, the OCC explained that bank fraud methodology continues to grow and evolve. As a result, banks “are expected to incorporate appropriate controls to oversee new products and services, and higher-risk customers,” the agency said.

Over the next 12 months, the report outlined the areas of heightened supervisory focus by the OCC. For large banks, corporate governance and oversight, operational risk (including cybersecurity and data protection), and credit underwriting top the list. For community and midsize banks, the regulator will key in on strategic planning and execution (assessing whether banks’ plans are realistic and appropriate, for example), corporate governance, stress testing, operational risks, and cyber threats.

To read the OCC’s Semiannual Risk Perspective, click here.

back to top

FDIC Releases FAQ on Brokered Deposits

Why it matters

The Federal Deposit Insurance Corporation (FDIC) started 2015 by releasing new FAQs for brokered deposits, which address issues such as the definition of a “deposit broker” and when the “primary purpose” exception applies. The FDIC reiterated its view on brokered deposits, stating that they “can be a suitable funding source when properly managed as part of an overall, prudent funding strategy.” However, the agency expressed concern about the overuse and improper management of brokered deposits, particularly when banks use them to fund “unsound or rapid expansion of loan and investment portfolios.” Banks should review the FAQs in light of the updated, broadened scope of the standards to determine whether they are accepting brokered deposits and adjust their policies accordingly.

Detailed discussion

The new FAQs start by addressing what constitutes a “brokered deposit.” Because FDIC regulations define a brokered deposit as “any deposit that is obtained, directly or indirectly, from or through the mediation or assistance of a deposit broker,” the FAQs clarify that one must look to the definition of “deposit broker” in order to determine whether there is a “brokered deposit.” The FAQs state that subject to certain exceptions, the broad definition of deposit broker includes “any person, company or organization engaged in ‘placing deposits’ belonging to others, or ‘facilitating the placement of deposits’ belonging to others, at an insured depository institution.” The FAQs then clarify that as a result of this broad definition, a brokered deposit may be “any deposit accepted by an insured depository institution from or through a third party, such as a person or company or organization other than the owner of the deposit.”

A third party may qualify as a deposit broker even if it receives no fees or other direct compensation, the FDIC said, and fee structure is just one of several factors – such as the nature of the fees, the purported purpose of the fees, and the degree of involvement by the third party in placing the deposits – used when considering the issue.

The regulator also adopted an expansive perspective on what constitutes “facilitating the placement of deposits,” which the FAQs said can include companies that provide marketing for an insured depository institution in exchange for volume-based fees; insurance agents, lawyers, or accountants that refer clients to a bank; and even other banks that are part of a bank network.

For example, where a customer deposits $1 million into his or her institution and the customer’s bank moves $750,000 to three other banks in its network to maximize the deposit insurance limits, the bank acts as a deposit broker, the FDIC explained.

Several exceptions are delineated in the FAQs, ranging from employees of the insured depository institution that place funds with their employer (although not a contractor or dual employee) to the trustee of a pension or other employee benefit plan handling the plan’s funds.

The “primary purpose” exception to the definition of deposit broker applies to “[a]n agent or nominee whose primary purpose is not the placement of funds with depository institutions.” This exception applies only infrequently, the FDIC said, and typically requires a specific request for a determination by the regulator.

Companies that sell or distribute general-purpose prepaid cards do not fall under the exception, while companies that distribute debit cards with multiple purposes (a debit card that also functions as a college ID card, for example) may be classified as a deposit broker, depending on the specific circumstances. A company that does receive the exemption: a distributor of prepaid cards as part of a rebate program, according to the FAQs.

A deposit is “accepted” when the insured depository institution receives the funds and the renewal or rollover of an account qualifies as an acceptance of deposit. So if an institution ceases to be well capitalized, it must close brokered deposit accounts that never mature or renew or refuse to roll over or renew a brokered CD, the FDIC said.

The FAQs also address interest rate restrictions and how the prevailing rate is calculated for a local market area, as well as the application process to obtain a waiver from the FDIC to accept brokered deposits.

To read the new FAQs issued by the FDIC, click here.

back to top

Insured v. Insured Exclusion Ambiguous When Applied to FDIC, 11th Circuit Rules

Why it matters

In the continuing split among courts considering Insured v. Insured exclusions, the Eleventh U.S. Circuit Court of Appeals recently found such an exclusion ambiguous and reversed summary judgment in favor of the insurer. The underlying dispute involved a failed bank and a lawsuit brought by the Federal Deposit Insurance Corporation (FDIC) as receiver against former officers of the institution. The district court ruled that the insurer had no obligation to defend the officers under the Insured v. Insured exclusion. The Eleventh Circuit reversed on the ground that it was ambiguous whether the exclusion applies when the FDIC, as the bank’s receiver, brings claims against insureds. This case is significant not only because it further continues the split of judicial opinions on the question, but also because it found that the most compelling evidence of the ambiguity was “that courts who have addressed similarly worded insured vs. insured exclusions have reached different results.”

Detailed discussion

In 2010, Georgia-based Community Bank & Trust failed and the FDIC was appointed as receiver. In its capacity as receiver, the FDIC filed suit against two former bank officers, Miller and Fricks, asserting that they had approved loans in violation of the bank’s loan policy and prudent lending practices, causing damages of $15 million.

Miller and Fricks tendered the suit to St. Paul Mercury Insurance Company, the bank’s D&O insurer. In response, St. Paul filed a declaratory judgment action in Georgia federal court seeking a declaration that coverage was barred due to the policy’s Insured v. Insured exclusion.

The exclusion provided: “The Insurer shall not be liable for Loss [including Defense Costs] on account of any Claim made against any Insured: … 4. Brought or maintained by or on behalf of any Insured or Company in any capacity.”

The district court judge ruled that the exclusion was unambiguous and that St. Paul had no duty under the policy to defend or indemnify the officer defendants. The FDIC appealed.

The exclusion itself makes no references to the FDIC, regulators, or any liquidating entity. The FDIC argued that, as receiver, it “steps into a number of pairs of different shoes” – it acts on behalf of the bank, but also on behalf of stockholders, accountholders, depositors and other creditors. As such, it is not a mere successor to an “Insured” for purposes of the exclusion.

St. Paul countered that the exclusion was unambiguous and that by bringing a claim in the bank’s behalf, the FDIC was stepping into the bank’s shoes and is subject to all defenses that could have been asserted against the bank.

Although the FDIC made a number of arguments as to why the exclusion is ambiguous, the Eleventh Circuit found that “the most compelling argument is that courts who have addressed similarly worded insured v. insured exclusions have reached different results.” The fact that multiple courts themselves have adopted multiple, inconsistent interpretations of the same exclusionary language demonstrates that the insured v. insured exclusion is ambiguous as it applies to the FDIC in its role as receiver.

Remanding the case to the district court, the panel noted that it might be necessary to consider extrinsic evidence to determine the intent of the parties.

To read the opinion in St. Paul Mercury Ins. Co. v. FDIC, click here.

This article originally appeared in Manatt’s Insurance Recovery Law Newsletter on January 14, 2015. Please click here to read the full issue.

back to top