I recently had a meeting with the board of a publicly traded company. Among the topics I knew that I would be asked to address at the board meeting is the growing risk of cyber liability. In my preparation for the board meeting, I came across a recent article by D&O maven Dan Bailey, a partner in the Bailey Cavalieri law firm, entitled "Cyber Risks: New Focus for Directors" which talks about companies' growing cyber liability exposures and directors' roles as companies try to address these exposures. I found Dan's article so helpful that I contacted him to see if he would be willing to publish the article on this site. I am pleased to report that Dan agreed to allow me to publish the article, which is reproduced below.
I would like to thank Dan for his willingness to publish his article on this site. I welcome guest posts from responsible commentators on topic of relevance to this blog. Readers interested in publishing a guest post are encourage to contact me directly. Here is Dan's article:
Cyber risks have become a major potential loss exposure for most corporations. Although nonexistent just a few years ago, most companies today are vulnerable to a growing list of threats relating to technology misuse. Not surprisingly, as businesses have become more reliant on technology, the resulting risks have become far more complex and potentially harmful.
Threats from hackers, thieves, third-party contractors, competitors and employees, as well as inadvertent misuse or loss of data, present potentially catastrophic financial and reputational risks to companies today. Even the most vigilant company can be a victim of a data breach or other cyber loss. Class action lawsuits, huge forensic and mitigation costs, notification and credit monitoring services and data restoration efforts can result in tens or even hundreds of millions of dollars of loss to a company. State attorneys general, federal and state regulators and plaintiff lawyers are all likely and formidable adversaries to the company if something goes wrong. In addition, the company’s computer systems may need to be shut down and business operations may be interrupted.
Like any other major risk exposure, directors should monitor the company’s cyber risks and confirm that reasonable steps are being taken to identify, prevent, mitigate and respond to cyber-related problems when they arise. Because these risks can damage not only the company but its customers, suppliers, other constituents and even the public, extra caution is necessary. Plus, new federal and state statutes and regulations are being adopted with increasing frequency which mandate appropriate company risk management practices in this area.
Directors are not expected to fully understand all of the risks, and all of the company’s risk management responses, in this highly technical area. However, directors should at a minimum comply with laws expressly applicable to them, should ask informed questions to gauge the company’s focus and preparedness in this area, and should generally understand the extent to which the company is insured—or not insured—for these exposures. The following discussion summarizes (i) new guidance from the SEC relating to cybersecurity risk disclosures, (ii) a sweeping new FTC rule relating to identity theft protection programs which requires board of director action, (iii) various questions a reasonably diligent director could ask to assure the company’s cyber risks are being properly addressed, and (iv) the types of insurance policies now available which cover—and do not cover—cyber risks.
A. SEC Disclosure Guidance
On October 13, 2011, the SEC’s Division of Corporation Finance released “CF Disclosure Guidance: Topic No. 2 – Cybersecurity.” That “Guidance” summarizes the SEC’s views regarding a company’s disclosure obligations relating to cybersecurity risks and incidents. It does not change existing disclosure law, but merely explains the SEC’s interpretation of that existing law to the evolving topic of cybersecurity.
The Guidance defines “cybersecurity” as “the body of technologies, processes and practices designed to protect networks, systems, computers, programs and data from attack, damage or unauthorized access.” The Guidance recognizes that no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, but that “a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents.” The Guidance also notes that material information regarding cybersecurity risks and cyber incidents “is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.” The Guidance then highlights the following specific disclosure obligations that may require a discussion of cybersecurity risks and cyber incidents:
- Risk Factors.Consistent with the Regulation S-K Item 503(c), cybersecurity risk disclosures must adequately describe the nature of the material risks and specify how each risk affects the registrant. The Guidance specifically mentions that to the extent material, appropriate disclosures may include a description of relevant insurance coverage.
- MD&A. Registrants should address cybersecurity risks and cyber incidents in their MD&A if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect.
- Description of Business. If one or more cyber incidents materially affect a registrant’s products, services, relationships with customers or suppliers, or competitive conditions, the registrant should provide disclosure in this section.
- Legal Proceedings. If a material pending legal proceeding involves a cyber incident, the registrant may need to disclose information regarding such litigation in this section.
- Financial Statements. The Guidance reviews a number of situations in which cybersecurity risks and cyber incidents could impact a company’s financial statement disclosures, including disclosures regarding accounting treatment, depending on the nature and severity of the actual or potential incident.
- Disclosure Controls and Procedures. Registrants are required to disclose conclusions on the effectiveness of disclosure controls and procedures.
The Guidance is not a new disclosure rule and should not be viewed as creating additional disclosure obligations, or expanding a public company’s existing disclosure obligations, regarding cybersecurity. However, in any shareholder litigation arising from a cyber incident, plaintiffs will undoubtedly challenge the disclosures based on this new Guidance.
The intent and focus of these new Guidelines is to provide better clarity to public companies with respect to what disclosures are required by existing laws and regulations with respect to cyber risks and incidents. Obviously, the SEC wants shareholders to be informed about what harm has or could occur to the company with respect to cyber matters. In making those disclosures, the SEC recognizes that a company may need to disclosure what relevant insurance coverage the company maintains in order to put the risk disclosures into proper context (i.e. the existence and disclosure of insurance will tend to offset some of the potential harm to the company arising from the cyber risks being disclosed).
This new SEC Guidance, by itself, should not materially impact a company’s insurance purchasing decision. Like other areas of risk management, the ultimate question is whether a company believes it is prudent to transfer some of its cyber risk via an insurance product. That is a classic business decision that typically is protected from judicial second-guessing via the business judgment rule. The SEC is not now suggesting that companies should or should not purchase cyber insurance, but is merely stating that in order to present a full picture of a company’s “net” cyber exposure, a description of any relevant insurance coverage may need to be included in the company’s cyber disclosures.
Companies are struggling with how to respond to this new SEC guidance since cyber risks and cyber incidents are so difficult to predict, evaluate, quantify and describe. However, it is clear that there will be more cyber-related disclosures in the future than has occurred in the past. Because of that, companies may want to mitigate shareholder concerns arising from those additional cyber disclosures by purchasing and disclosing the existence of cyber insurance. Although disclosing insurance information in some contexts is not desirable because it may serve as a lightning rod for claims against the Insureds, that risk here should be minimal since most of the loss covered by a cyber policy would very likely be incurred with or without the policy existing and being known by third parties (i.e., the disclosure of a company’s cyber insurance should not attract claims that would not otherwise be filed as a result of a covered cyber incident).
B. FTC “Red Flags Rule”
Effective December 31, 2010, the so-called FTC “Red Flags Rule” (16 CFR 681) requires a wide variety of companies to adopt Identity Theft Protection Programs that identify warning signals which should alert a company to the risk of identity theft, and that detect, mitigate and deal with identity thefts when they occur. Importantly, the new Rule states that the Identity Theft Protection Program must be approved by the company’s board of directors or an appropriate committee designated by the board.
This new Rule applies to financial institutions and “creditors” with “covered accounts.” A “creditor” is broadly defined to mean “any person who regularly extends, renews or continues credit.” This definition appears to cover a wide variety of entities (including public utilities) that extend credit or give credit terms, such as permitting payment at the end of the month for goods or services rendered throughout the month. As a result, any company that permits deferred payments appears to be a “creditor” under this new FTC Rule. For example, if the company issues a bill and receives payment subsequent to the provision of the goods or services, that company probably is a “creditor” under this Rule. A “covered account” is likewise defined very broadly in the Rule to include an account offered primarily for personal, family or household purposes that involves or is designed to permit multiple payments or transactions. A “covered account” also includes any business account if identity theft with respect to that account presents a reasonably foreseeable risk to consumers or to the safety and soundness of the company.
Under the Rule, larger and higher-risk entities must have a more comprehensive Identity Theft Protection Program than smaller or lower-risk entities. These Programs must include the establishment, testing and deployment of an effective program to identify and act upon “red flags” which alert the company to identity theft or the potential for identity theft. Merely adopting a program without proactive enforcement and oversight does not satisfy the Rule. Directors should carefully review the Identity Theft Protection Program recommended by management and should, before approving that Program, assure themselves that the Program is reasonably robust, sufficiently tailored to the unique circumstances of the company, is properly funded and staffed, and will be periodically reviewed by senior management and the board for effectiveness.
C. Cyber Risk Questions for Directors
For many companies, cyber risks represent one of the most volatile and potentially damaging exposures to the company. However, because these risks are so new, evolving and complex, many boards have given little if any attention to these risks. Although each company faces unique cyber risks and therefore each company’s response to these risks should be unique, the following summarizes 10 important questions which directors could ask in order to better understand these risks and whether the company is adequately responding to these risks.
- Is the responsibility and accountability for the creation, implementation, enforcement and updating of an integrated and company-wide cyber risk management program clearly defined at the executive level?
- Does the management team which addresses cyber risks include senior representatives from executive management, IT, legal, risk management, public relations and compliance/audit?
- Is the overall cyber risk management program periodically reviewed by the board?
- Does a board committee have designated oversight responsibility for the cyber risk management program?
- What are the company’s greatest cyber risks and how are those risks being anticipated, managed and mitigated?
- Is each component of the cyber risk management program documented, frequently tested and periodically audited by independent experts, and what are the results of that testing and audit?
- Are protocols for reacting to a cyber risk crisis when it occurs well defined and broadly understood?
- Are all employees required to participate in regular education and training programs relating to cyber risks?
- What is the company’s budget and staffing for cyber risk management and how does that compare with peer companies?
- What, if any, insurance coverage does the company maintain for cyber risks and is that coverage adequate in scope and amount?
D. Insurance Coverage
Directors should understand the extent to which the company is insured or uninsured for potentially severe cyber-related losses. Like other large risk exposures, quality insurance coverage with adequate limits of liability can greatly mitigate the ultimate impact of a cyber loss to the company’s financial health. In addition, many companies contractually require their vendors to maintain network security insurance which covers the vendor’s liability to the contracting company for accidental or criminal losses caused by the vendor. As a result, a company’s cyber insurance coverage should reflect both the company’s risk management philosophies and contractual obligations.
Traditional insurance policies maintained by a company typically provide very little, if any, coverage for many types of cyber risk. Standard commercial general liability (“CGL”) policies usually only cover damage to “tangible property” and therefore would not respond to loss or injury to intangible property. Although some limited coverage may exist under these policies for “personal injury” or “advertising injury,” many recent CGL policies (including the newest standard ISO general liability policy form) specifically exclude various types of cyber risk.
Likewise, a company’s crime or fidelity policy may have limited applicability depending upon the nature of the cyber-related loss. But, if the cyber risk results in a claim against directors and officers, the company’s D&O insurance policy likely will respond because those policies generally afford “all risk” coverage, subject to several exclusions. The most likely exclusion in a standard D&O policy which potentially could apply to a cyber claim is the property damage exclusion. However, like the scope of coverage under the CGL policy, the scope of this exclusion in the D&O policy is usually limited to damage to “tangible” property, so the exclusion should be inapplicable to most cyber claims.
To address these likely gaps in insurance coverage for the company, many insurance companies now offer various types of insurance policies specifically designed to cover cyber risks. These policies frequently cover both third party claims against the insureds, and first party losses incurred by the insureds, relating to a wide variety of cyber risks. These policies vary greatly among insurers and are still evolving. Because the types of cyber risks are constantly changing and because the policy language in these new types of policies is still largely untested, the exact contours of these newer policies are still being refined.
The third party coverage contained within these cyber policies usually applies to defense costs, settlements, judgments and other loss incurred in claims against the insureds by customers or other third parties if the alleged loss results from a broad range of wrongdoing by the company in connection with computer system, internet or other information-related matters, including breach of privacy due to theft, loss or misuse of data (including credit card, financial or health-related data); conduct which causes network systems to be unavailable to third parties or susceptible to computer virus or other third party attacks; or libel, slander, defamation, plagiarism, copyright or trademark infringement or other injuries resulting from “media” activities.
Examples of first party coverages in cyber policies include business interruption coverage for loss of business income as a result of an attack on the company’s network; cyber extortion coverage; public relations coverage associated with restoring public confidence following a cyber incident; cyber terrorism coverage; identity theft coverage for misuse or loss of confidential or private information; data restoration coverage; and coverage for notifying affected parties, providing credit monitoring services, incurring forensic costs to determine how the breach occurred, and restoring damaged hardware or software.
Cyber risk policies can be tailored to fit the unique exposures and needs of a particular company. Once a company identifies its most troubling cyber risk exposures, the company should work with an experienced cyber insurance broker to define and negotiate the desired coverage features and the appropriate insurance markets for that coverage. Like other types of negotiable insurance products, knowing what to ask for is extremely important to getting what you need.