FROM THE OFFICE OF PUBLIC AFFAIRS

Good afternoon.

Let me begin by saying I am pleased and privileged to have this opportunity to speak before such a prestigious group of women executives. I especially want to thank Susan Bird and Cathy Kinney for making this possible. Your organization, Womenfuture, and your annual Main Event, truly reflect the new, dynamic business environment in which we all find ourselves -- an environment increasingly driven by global events and information. In my view, the ultimate test for all of us as leaders in our respective organizations will be how well we meet the challenges of this global environment. Nothing in my experience makes this more clear than the horrors of September 11.

I would like to share with you two issues I have been immersed in since that day: ensuring that businesses and households continue to obtain property and casualty insurance for acts of terrorism and protecting the nation's critical infrastructure.

Let me begin with insurance. Prior to September 11, virtually all property and casualty insurance policies -- commercial and household -- provided coverage for terrorist acts. In some sense, this was a freebie. Since the risk was thought to be quite small and there was virtually no actuarial basis for assessing the risk, the coverage was provided at no additional charge. All that changed on September 11.

Insurance companies absorbed billions of dollars of unanticipated losses that day. To its credit, the industry is stepping up to the plate and paying the resulting claims. Yet that day has caused a fundamental examination of what it means to insure terrorist acts.

After September 11, insurance companies have no sense of the risk distribution associated with possible future acts of terrorism. For the moment, the uncertainty associated with terrorism risk leaves the industry unable to assess and price risk. As a result, it is not the industry that is at risk, it is the economy. Insurance companies will - and some already have - reacted to this situation by either refusing to extend coverage for acts of terrorism or seeking exorbitant premiums for such coverage. At a time when we are working hard to stimulate our economy to get it moving again, left unresolved this situation would be a harmful drag on those efforts.

It is this risk to our economy that has driven our efforts to devise a temporary solution to what we hope is a temporary problem. Without a basis upon which to price terrorism risk, insurance companies will not offer the coverage or will offer it at rates that approach their maximum loss exposure. September 11 taught us that that potential loss exposure can be quite high indeed.

Without insurance, companies' credit position will deteriorate in the market. Borrowing costs will be driven up and new construction will be difficult to finance. Certain sectors, such as energy and transportation, may be particularly adversely affected. But higher energy and transportation costs would drive up prices and reduce production across the board. Even with insurance, drastic increases in insurance costs would lead to similar outcomes for the economy.

Thus, the Administration has been working closely with Congress, state insurance regulators, and industry to devise a temporary mechanism that would:

• Help the economy by diminishing the cost increases for insurance coverage while ensuring that terrorism risk insurance remains available to all property and casualty insurance policyholders;
• Limit federal intrusion into the private economic activity; and
• Continue to depend on the state regulatory infrastructure for insurance companies.

It is important to note that these objectives are premised on a short-term intervention by the federal government, not a new, permanent presence in the market. In fact, virtually everyone involved agrees that whatever solution we settle upon should have a clear exit strategy for the government and should encourage the insurance industry to build capacity to insure terrorist acts as the government recedes from the market.

Over the past several weeks, we have been working with the Congress to find an agreeable solution. The good news is that we have achieved a broad, bipartisan consensus that this is a critical situation that demands a quick federal response. The bad news is that we have not yet reached consensus on a particular approach.

Even this bad news, however, is not bleak. The Senate Banking Committee has announced a framework for legislation that the Administration has broadly endorsed. And in the House, Financial Services Chairman Oxley and Insurance Subcommittee Chairman Baker have introduced a bill, which the Committee approved last Wednesday. The House leadership hopes to move the bill to the floor this week. We are hopeful that the various approaches being discussed will soon be melded into a single package that can garner broad congressional support and be quickly enacted.

Yet this must get done quickly. The majority of insurance contracts expire at year-end and renewal notices for next year are being prepared and sent to policyholders. Every day counts. Thankfully, both congressional and Administration leaders understand this and are pressing forward to a solution.

My immersion in this new environment took an interesting route. When I arrived at Treasury this past summer to assume the duties of the Assistant Secretary for Financial Institutions my portfolio included responsibility for a program known as critical infrastructure protection, or CIP for short. This program found its roots in a 1997 report of a presidential commission that had studied the potential vulnerabilities of major sectors, or infrastructures, to the threats of non-traditional warfare, that is, cyber and other terrorist threats. The commission identified energy, telecommunications, transportation, and banking and finance as "critical sectors," meaning that the full or partial failure of any of these could significantly degrade the nation's social and economic welfare. The commission recommended that government work with each of these sectors to bolster their defenses against cyber and other attacks, and under Presidential Decision Directive 63 (PDD 63) in May 1998, Treasury was directed to work with banking and finance.

Treasury and the industry initially focused on the cyber threat, as this appeared to be the newest and least understood threat to the banking and finance infrastructure, and it was the threat most emphasized by PDD 63.

With respect to cyber security, significant accomplishments have been made as a result of

PDD 63. Among others, notable achievements include:

• establishment of the Banking and Finance Sector Coordinating Committee in 1998 to supervise the industry's various responsibilities under PDD 63; and
• establishment of the financial services information sharing and analysis center (FS/ISAC) in 1999 to permit members to anonymously share information on cyber threats, vulnerabilities, incidents and solutions.

But we learned some important new lessons from September 11. Let me discuss our priorities as we see them now, and what it means for banking and finance going forward.

On balance, the financial sector responded remarkably well to the September 11 events. For the most part, major financial institutions successfully activated their business continuity plans, and banking and payment systems remained open for business. Also, financial institutions worked well with regulators to test and reopen debt and equity markets quickly.

A great deal of this success is attributable to the work done in preparation for Y2K as well as the subsequent emphasis on critical infrastructure protection under the mandate of PDD 63 and the business continuity/contingency plans required by regulators. Nonetheless past emphasis on cyber threats meant that while most institutions had established redundant systems, not all of them were geographically distant from the primary site. Establishment of geographically remote back up sites for institutions that represent concentrated financial activity has become a major issue.

It also became clear that greater coordination between industry and all levels of government would be helpful. Regulators seemed to be in contact with each other and with their respective regulated institutions, but there was no central, authoritative source of information on the system as a whole. Moreover, there wasn't a commonly held list of "key contacts" to call at major financial institutions, key trade associations and government agencies in order to exchange authoritative information.

Going forward, it is clear that our earlier focus on cyber threats was too narrow, and that the CIP program will need to address the broad spectrum of physical and cyber threats. In this respect, financial institution regulators will be reviewing their existing business continuity guidance to assess gaps and otherwise update the guidance as needed. Moreover, there is general agreement within the industry and among regulators that we need to develop a comprehensive crisis management capability. This requires vulnerability assessment (physical and cyber), scenario analysis, contingency planning, gap analysis, and response and recovery procedures. This approach will be reflected in the banking and finance sector's final draft of its national plan.

High priority will be attached to developing a list of key points of contact among financial firms, government regulators and agencies (federal, state, local), industry utilities, and other providers (vendors) of critical services to banking and finance. Perhaps we need a secure, common call-in, or bridge number to facilitate communication among authorized parties. For its part, at the earliest possible date Treasury intends to establish and maintain a closed, secure communications network for itself and the primary federal regulators of financial institutions.

The FS/ISAC will need to reassess its current focus on cyber attacks to decide how to expand its mission to physical asset security and perhaps even comprehensive crisis management. This requires careful thought because the FS/ISAC fulfills a valuable role now and over-reaching could undercut its effectiveness. Whatever future role it plays, the FS/ISAC needs to expand its membership and build stronger information sharing links with federal agencies, other domestic ISACs, and even appropriate international entities.

President Bush recently established a new Critical Infrastructure Protection Board comprised of senior executive branch representatives. The Board is to recommend policies and coordinate programs for protecting information systems for critical infrastructures, including emergency preparedness communications, and the physical assets that support such systems. This Board will have a standing committee on banking and finance that will be led by the Treasury Department.

Until September 11, our CIP efforts were built on the twin pillars of private sector leadership and private sector innovation. Government's role had been principally to cajole and encourage, and to rely on industry to do what is best and right to protect itself. Certainly, government will be more active in the future.

As a concluding comment, I would like to observe that amidst the tragedy and horror of September 11 we have seen great leadership and heroism. We have been deeply inspired by the leadership of our President, whose ironclad determination to rid the world of this insidious new evil has instilled confidence and hope in us all. We have learned that American heroism is not some nostalgic footnote for 20th Century history books. On September 11 and its aftermath, we saw it in our firefighters and police officers, airline passengers and medical workers. We saw it in the men and women of New York's financial district, who toiled around the clock to re-open the financial markets, who defied the terrorists and demonstrated to the world that the capital markets -- the fuel of America's economy - would not be disrupted. They succeeded. You succeeded. This heroism -- your heroism -- deserves its rightful place in the annals of our nation's history as a magnificent example of American spirit and will.

The Herculean challenges we confronted in the weeks immediately succeeding September 11 are now, fortunately, behind us. But our work is far from done. The ongoing private-public partnership to protect the nation's critical infrastructures, including the protection of our banking and finance sector, will be a major pre-occupation for the foreseeable future. I look forward to working with you in that endeavor.