Emory Corporate Governance and Accountability Review
Cybersecurity Is Not a Product, It's a Process: Financial Service Regulators Hold Insurance Company Boards Responsible for Cybersecurity
Cybersecurity remains top of mind in the financial services industry. Hacking and data breaches are ever present, and it is clear that Corporate Boards of Directors have oversight responsibility for cybersecurity vigilance. Insurance and banking regulators have recently issued regulations and proposed regulations that set forth specific expectations for Boards as they exercise this oversight responsibility. The latest draft of the NAIC Insurance Data Security Model Law outlines the Board of Directors' oversight role in ensuring that there are adequate cybersecurity policies, technical staff, and annual reports provided to the Board. Late last year, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation released a Joint Advance Notice of Proposed Rulemaking on enhanced cyber risk management standards that reinforces the concept of Board governance of cybersecurity programs, oversight, and reporting. We present these Board governance requirements, their breadth, and the different approaches taken by each regulator, all of which reinforce a common theme: the oversight responsibility of Corporate Boards of Directors for cybersecurity.
Alice T. Kane & Phillip A. Goldstein,
Cybersecurity Is Not a Product, It's a Process: Financial Service Regulators Hold Insurance Company Boards Responsible for Cybersecurity,
Emory Corp. Governance & Accountability Rev.
Available at: https://scholarlycommons.law.emory.edu/ecgar/vol4/iss2/3