“Cyberinsurance Mandates Coming?”

Maybe, but they’ll probably be much less controversial than the last big insurance mandate – er, tax.  There is a growing consensus that the Securities and Exchange Commission is inching toward a cyberinsurance requirement for institutional money managers.  Many think that this is a move in the right direction.

In a recent article, Rick Baert discussed the increasing frequency with which money managers are purchasing cyber security insurance, with the percentage of managers carrying the coverage growing from 5% in 2014 to 30% in 2015.  At the same time, the SEC has been conducting more frequent manager reviews under its Regulation Systems Compliance and Integrity Rule.  In those reviews, the SEC has consistently asked whether managers have cyber coverage and, if so, in what amount.  Some see the question simply being posed as the writing on the wall – cyberinsurance will soon become mandatory for money managers.

What about everyone else?

The rationale for requiring money managers to carry coverage is simple.  Managers rely on technology as a critical component of their business, they store a lot of valuable information electronically and they deal with assets that are critically important to their clients – their, well, assets.  This reasoning, however, could easily be extended to other professions.  Doctors, accountants and lawyers all use technology, store valuable electronic information and keep files containing clients’ most important and most sensitive information.  Which begs the question – if a cyberinsurance requirement falls in the money manager forest, will it make an impact in other industries?

There is a similar push in the retail banking industry, with New York State as the first to expressly make cyberinsurance part of its IT/cybersecurity examination for New York chartered or licensed banking institutions.  It’s not hard to imagine other states, and other industries, following that lead.

And if they don’t, it’s not hard to imagine them being forced to do so.