Cyber security and related privacy issues increasingly dominate the headlines. And for good reason: according to statistics cited in a recent Wall Street Journal article, cyber attacks – ranging from malicious software to denial of service attacks – increased 42% in 2012. The trend has only accelerated in 2013. As the possibility and potential scope of these types of attacks increases, these issues represent an increasing challenge for all companies and their management – and increasingly, their boards, as well.
The banking industry is the latest to receive the emphatic message that companies need to be taking steps to protect against cyber threats. According to a June 14, 2013 Wall Street Journal article entitled “A Call to Arms for Banks” (here), regulators are “stepping up calls for banks to better-arm themselves against the growing online threat that hackers and criminal organizations pose.” Regulators are increasingly concerned about attacks that might not only disrupt an individual bank but also the entire financial system.
Among other things, the Journal article reports that the OCC recently hosted a call with more than 1,000 community bankers “warning that cyber attacks are on the rise – particularly among small banks – as the number of potential targets expands.” Among other things, the banks were advised that they will be “judged on their preparation against cyber attacks when examiners gauge a bank’s operational risk.”
The message from regulators is not only that they expect the regulated institutions to take steps to guard against cyber exposures, but that the institutions will be held accountable for their shortcomings in this area. The expectations and the accountability are not limited just to the banking sector. According to the Journal article, last year the FTC filed a lawsuit against Wyndham Worldwide Corp. alleging that the hotel chain “failed to protect the credit-card information of its consumers.” (For those readers who may be interested, the FTC’s complaint in the action against Wyndham can be found here.)
Yet another recent Journal article underscored the extent to which cyber exposure involves companies in many industries. In a disturbing June 13, 2013 article entitled “Patients Put at Risk by Computer Viruses” (here), the Wall Street Journal reported the apparently increasing risk that medical devices could be infected with viruses or malware that could impair the devices’ function or expose potentially sensitive patient information by sending it to outside servers. The article cites several examples, including an instance where an infected radiology device was sending mammography information to outside servers, including patient names, records of procedures and X-ray images.
These latter examples underscore how extensive and dispersed cyber threats have become in an era where devices are increasingly interconnected. Moreover, it is clear that regulators (among others) expect companies to take steps to protect against cyber exposures – and that regulators intend to hold companies accountable.
Given the extent of the operational and reputational risk that cyber exposures represent, these issues should be a priority topic for company managers – and for company boards. As on any other critical topic, directors should be asking questions and demanding accountability. This is going to be particularly true for companies whose products might be involved in the kinds of cyber incidents described in the Journal article about infiltrated medical devices.
In this environment, directors should be asking the questions to determine what steps their company is taking to assess and to protect against cyber exposures. One particular question directors should be asking their senior managers is what steps the company has taken to put insurance in place to protect against the problems that can arise when cyber incidents occur.
In the guidance that the SEC recently provided companies with respect to cyber-related disclosures, one item the SEC specifically emphasized that companies should be disclosing with respect to their potential cyber exposures is a “description of relevant insurance coverage.” Behind this disclosure requirement is the implicit assumption that companies will have insurance in place to respond to cyber incidents. With regulators bearing down on these issues and even filing regulatory actions, it is a matter of simple prudence for companies to have insurance in place designed to address these risks.
For that reason, as part of their overall assessment of these issues, directors will want to ask company management what insurance the company has in place to protect their company from loss arising from cyber-related exposures. In particular, because traditional insurance alone is not sufficient to protect against these risks, directors should determine that the company has a cyber liability insurance policy in place that provides protection against both first-party costs (such as forensic IT services, notification costs, call center costs, and credit monitoring services) and third-party costs (such as might arise in a third-party liability lawsuit).
A good introductory summary of the limitations of traditional insurance and the need for specialized cyber liability insurance to protect against these risks can be found in a two-part series by Roberta Anderson of the K&L Gates law firm entitled “Insurance Coverage for Cyber Attacks,” which can be found here and here.
ICYMI: SEC Makes Second Whistleblower Award: On June 12, 2013, the SEC made its second award under the Dodd-Frank whistleblower provisions. Under the provisions, whistleblowers whose tips to the SEC lead to enforcement judgments and awards over $1 million are potentially eligible for an award of 10 to 30 percent of the sanctions. As reflected here, the SEC made its first award on August 21, 2012.
In a June 12, 2013 order in a Whistleblower Award Proceeding (here), the SEC determined that each of three whistleblowers is to receive an award of five percent of monetary sanctions collected. The three unnamed individuals had “voluntarily provided original information to the Commission that led to the successful enforcement” of an action against Audrey C. Hicks and Locust Offshore Management. (The SEC denied a whistleblower bounty award to a fourth person.) In the enforcement action, which resulted in disgorgement and penalties totaling about $7.5 million, the SEC alleged that the defendants had sold shares in a fictitious offshore fund. The SEC’s press release announcing the award can be found here.
Even though the recent award was relatively modest and is only the second so far under the Dodd-Frank whistleblower provisions, observers believe the award indicates further awards will soon be forthcoming. Indeed, as reported in Bruce Carton’s June 12, 2012 Compliance Week article (here), the SEC official in charge of the agency’s whistleblower program recently told an industry conference that in the coming months the whistleblower program will produce “incredibly impactful cases” with “some extremely significant whistleblower awards.”
Upcoming Securities Litigation Webinar: On Wednesday June 19, 2013, at 2:00 am EDT, Financial Recoveries Technologies will be hosting a webinar entitled “The Evolving Securities Class Action Industry.” This free webinar will address the legal environment affecting class actions, fiduciary obligations for asset managers and standards in the claim filing industry. Speakers will include Boston University Law Professor David Webber, who recently posted an interesting article entitled “Institutional Investor Lead Plaintiffs in Mergers and Acquisitions Litigation” on the Harvard Law School Forum on Corporate Governance and Financial Regulation. The webinar panel will also include our good friend Adam Savett, who is CEO and Founder of TXT Capital. Registration information for the webinar can be found here.