Arlene Levitin

As readers of this blog know well, cybersecurity issues can be an important potential source of directors’ and officers’ liability risk exposure. In the following guest post, Arlene Levitin, Esq., takes a detailed look at the many ways that cybersecurity-related issues can translate into D&O liability risk and insurance concerns, particularly with the advent of artificial intelligence technology. Arlene is Claims Officer, Complex Management Liability, NAS Financial Lines Claims, Liberty Mutual Insurance. I would like to thank Arlene for allowing me to publish her article as a guest post on this site. Here is Arlene’s article.

Continue Reading Guest Post: Cybersecurity Risks & the Potential Impact on D&O Insurance

Chris Quirk

In the following guest post, Chris Quirk, a wholesale broker at ARC Excess & Surplus, part of CRC Group, takes a detailed look at the cyber liability insurance implications of text messaging fraud schemes. I would like to thank Chris for allowing me to publish his article as a guest post on this site. Here is Chris’s article.

Continue Reading Guest Post: Insuring Against SMS Pumping Schemes

Sarah Abrams

In the following guest post, Sarah Abrams, Head of Claims, Baleen Specialty, a division of Bowhead Specialty, takes a look at recent changes in the DOJ’s Data Security Program (DSP) and discusses the D&O liability and insurance implications. I would like to thank Sarah for allowing me to publish her article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Sarah’s article.

Continue Reading Guest Post: Company Data Secure? The DOJ is Checking

A new wave of AI-powered scams is targeting companies by impersonating their most trusted leaders – the CEO, the CFO, and other senior executives. Cybercriminals are now using generative AI tools to create hyper-realistic video and audio deepfakes of company executives to trick lower-level employees into handing over millions of dollars in cash, critical data, and other business assets. While these kinds of scams aren’t necessarily new, AI language and image models are making the scams increasingly effective and more prevalent, according to a recent Wall Street Journal article. The August 18, 2025, article, entitled “AI Drives Rise in CEO Impersonator Scams,” can be found here.

Continue Reading The Growing Threat of AI Deepfake Attacks

Well-advised companies know that among their key corporate risks are potential liability exposures arising from or related to cybersecurity. A recent U.S. Department of Justice enforcement action highlights the fact that corporate cybersecurity risk may take a number of forms, including, as was the case in the recent matter, potential False Claims Act (FCA) liability for cybersecurity vulnerabilities in products sold to the federal government. The fact that the recent case, involving life sciences company Illumina, settled for $9.8 million, underscores the seriousness of this cybersecurity-related liability FCA exposure.

Continue Reading Cybersecurity and False Claims Act Liability Exposure

In the immediate aftermath of the Delaware Supreme Court’s 2019 decision in Marchand v. Barnhill, which revitalized so-called Caremark claims for breach of the duty of oversight, one question I was asked was whether claimants might seek to assert breach of the duty of oversight claims in the context of cybersecurity and data privacy issues. Claimants did, in fact, subsequently raise Caremark claims in connection with the high-profile data breaches at Marriott and SolarWinds, but in each case, the Delaware Chancery Court granted the defendants’ motions to dismiss (as discussed here and here, respectively), raising questions about the viability of duty of oversight claims in the cybersecurity context.

Notwithstanding the less than promising track record for these kinds of claims, in a recent article, NYU Law Professor Jennifer Arlen argues that cybersecurity-related claims for breach of the duty of oversight should support Caremark liability in at least one class of cases – that is, cases relating to companies for whom cybersecurity is a “mission critical legal risk” and in which it is alleged that the company had inadequate cybersecurity that risked (and later caused) substantial harm to businesses and government agency customers, and that the company had misled the customers through statements that were designed to defraud the customers into believing that the company’s cybersecurity systems were materially better than they were. Professor Arlen’s March 18, 2025, post on the Harvard Law School Forum on Corporate Governance about Caremark claims in the cybersecurity context can be found here.

Continue Reading Cybersecurity and the Duty of Oversight

In what seems likely to be the last cybersecurity-related enforcement action by the SEC under outgoing chair Gary Gensler, the agency has brought a settled enforcement action against asset management firm Ashford, Inc., alleging that the company made misrepresentations in its periodic reporting documents about a cybersecurity-related incident at the firm. As discussed below, the action raises questions about what may come next as far as SEC cybersecurity-related enforcement under the new administration. A copy of the SEC’s January 13, 2025, complaint in the enforcement action can be found here. The SEC’s January 13, 2025, press release about the action can be found here.

Continue Reading SEC Files Cyber Disclosure Enforcement Action Against Asset Manager

Earlier this week, the SEC announced that it had filed settled charges against four companies for alleged misleading disclosures concerning cybersecurity incidents at the companies. The charges against the companies arose out of the SEC’s investigation of companies potentially affected by the compromise of SolarWinds’ Orion software. One of the four companies was additionally charged with disclosure controls and procedures violations. Without admitting or denying the SEC’s charges, each company agreed to the entry of a cease-and-desist order against them. The companies agreed to pay civil penalties ranging from $4 million to $990,000. The SEC’s October 22, 2024, press release about the charges against the four companies can be found here.

Continue Reading SEC Charges Four Companies for “Downplaying” Cyber Incidents

In a move that may set a record for hacking chutzpah, a cyber ransom gang has filed a complaint with the SEC reporting that a company they hacked had failed to report the incident to the SEC within the time required by the agency’s new cybersecurity disclosure guidelines. The gang apparently filed the complaint after the hacked company failed to respond to the hackers’ ransom demand. The hacking incident and the SEC report were first reported in a November 15, 2023, post on the DataBreaches.net site, and further detailed in a November 15, 2023, post on the BleepingComputer.com site.

Continue Reading Hackers Complain to SEC Company They Hacked Failed to Disclose the Incident

In what the Wall Street Journal called a “milestone” in the SEC’s efforts to address public companies’ cybersecurity disclosures, the SEC has filed a civil enforcement action against software company SolarWinds and its Chief Information Security Officer, Timothy Brown. The agency alleges that the company repeatedly misled investors by understating the company’s cyber vulnerabilities and the ability of hackers to penetrate the company’s systems. According to statements from agency officials, the action is intended to send a message about cybersecurity disclosures and disclosure controls. A copy of the SEC’s complaint can be found here. A copy of the SEC’s October 30, 2023, press release about the action can be found here.

Continue Reading SEC Files Cybersecurity Disclosure Suit Against SolarWinds and Exec