Sarah Abrams

In the following guest post, Sarah Abrams, Head of Claims at Baleen Specialty, a division of Bowhead Specialty, takes a look at recent changes in the DOJ’s Data Security Program (DSP) and discusses the D&O liability and insurance implications. I would like to thank Sarah for allowing me to publish her article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Sarah’s article.
Continue Reading Guest Post: Company Data Secure? The DOJ is Checking

A new wave of AI-powered scams is targeting companies by impersonating their most trusted leaders – the CEO, the CFO, and other senior executives. Cybercriminals are now using generative AI tools to create hyper-realistic video and audio deepfakes of company executives to trick lower-level employees into handing over millions of dollars in cash, critical data, and other business assets. While these kinds of scams aren’t necessarily new, AI language and image models are making the scams increasingly effective and more prevalent, according to a recent Wall Street Journal article. The August 18, 2025, article, entitled “AI Drives Rise in CEO Impersonator Scams,” can be found here.
Continue Reading The Growing Threat of AI Deepfake Attacks

Well-advised companies know that among their key corporate risks are potential liability exposures arising from or related to cybersecurity. A recent U.S. Department of Justice enforcement action highlights the fact that corporate cybersecurity risk may take a number of forms, including, as was the case in the recent matter, potential False Claims Act (FCA) liability for cybersecurity vulnerabilities in products sold to the federal government. The fact that the recent case, involving life sciences company Illumina, settled for $9.8 million, underscores the seriousness of this cybersecurity-related FCA liability exposure.
Continue Reading Cybersecurity and False Claims Act Liability Exposure

In the immediate aftermath of the Delaware Supreme Court’s 2019 decision in Marchand v. Barnhill, which revitalized so-called Caremark claims for breach of the duty of oversight, one question I was asked was whether claimants might seek to assert breach of the duty of oversight claims in the context of cybersecurity and data privacy issues. Claimants did, in fact, subsequently raise Caremark claims in connection with the high-profile data breaches at Marriott and SolarWinds, but in each case, the Delaware Chancery Court granted the defendants’ motions to dismiss (as discussed here and here, respectively), raising questions about the viability of duty of oversight claims in the cybersecurity context.

Notwithstanding the less than promising track record for these kinds of claims, in a recent article, NYU Law Professor Jennifer Arlen argues that cybersecurity-related claims for breach of the duty of oversight should support Caremark liability in at least one class of cases – that is, cases relating to companies for whom cybersecurity is a “mission critical legal risk” and in which it is alleged that the company had inadequate cybersecurity that risked (and later caused) substantial harm to businesses and government agency customers, and that the company had misled the customers through statements that were designed to defraud the customers into believing that the company’s cybersecurity systems were materially better than they were. Professor Arlen’s March 18, 2025, post on the Harvard Law School Forum on Corporate Governance about Caremark claims in the cybersecurity context can be found here.
Continue Reading Cybersecurity and the Duty of Oversight

In what seems likely to be the last cybersecurity-related enforcement action by the SEC under outgoing chair Gary Gensler, the agency has brought a settled enforcement action against asset management firm Ashford, Inc., alleging that the company made misrepresentations in its periodic reporting documents about a cybersecurity-related incident at the firm. As discussed below, the action raises questions about what may come next as far as SEC cybersecurity-related enforcement under the new administration. A copy of the SEC’s January 13, 2025, complaint in the enforcement action can be found here. The SEC’s January 13, 2025, press release about the action can be found here.
Continue Reading SEC Files Cyber Disclosure Enforcement Action Against Asset Manager

Earlier this week, the SEC announced that it had filed settled charges against four companies for alleged misleading disclosures concerning cybersecurity incidents at the companies. The charges against the companies arose out of the SEC’s investigation of companies potentially affected by the compromise of SolarWinds’ Orion software. One of the four companies was additionally charged with disclosure controls and procedures violations. Without admitting or denying the SEC’s charges, each company agreed to the entry of a cease-and-desist order against it. The companies agreed to pay civil penalties ranging from $4 million to $990,000. The SEC’s October 22, 2024, press release about the charges against the four companies can be found here.
Continue Reading SEC Charges Four Companies for “Downplaying” Cyber Incidents

In a move that may set a record for hacking chutzpah, a cyber ransom gang has filed a complaint with the SEC reporting that a company they hacked had failed to report the incident to the SEC within the time required by the agency’s new cybersecurity disclosure guidelines. The gang apparently filed the complaint after the hacked company failed to respond to the hackers’ ransom demand. The hacking incident and the SEC report were first reported in a November 15, 2023, post on the DataBreaches.net site, and further detailed in a November 15, 2023, post on the BleepingComputer.com site.
Continue Reading Hackers Complain to SEC Company They Hacked Failed to Disclose the Incident

In what the Wall Street Journal called a “milestone” in the SEC’s efforts to address public companies’ cybersecurity disclosures, the SEC has filed a civil enforcement action against software company SolarWinds and its Chief Information Security Officer, Timothy Brown. The agency alleges that the company repeatedly misled investors by understating the company’s cyber vulnerabilities and the ability of hackers to penetrate the company’s systems. According to statements from agency officials, the action is intended to send a message about cybersecurity disclosures and disclosure controls. A copy of the SEC’s complaint can be found here. A copy of the SEC’s October 30, 2023, press release about the action can be found here.
Continue Reading SEC Files Cybersecurity Disclosure Suit Against SolarWinds and Exec

On July 26, 2023, a divided SEC adopted, by a 3-2 vote, final rules for cybersecurity disclosures. The final rules are based on proposed rules the agency first introduced in March 2022. The rules require companies to disclose material cybersecurity incidents they experience, and also to disclose on an annual basis material information regarding their cybersecurity risk management and governance. The rules will have a significant impact on reporting companies’ disclosure practices and could present a challenge for some companies. A copy of the final cybersecurity disclosure rules can be found here. The SEC’s July 26, 2023, press release about the final cybersecurity disclosure rules can be found here. The SEC’s two-page fact sheet about the new rules can be found here.
Continue Reading SEC Adopts Final Cybersecurity Disclosure Rules

On March 9, 2022, the SEC finally released its long-anticipated updated cybersecurity disclosure requirements. The proposed rules, inclusive of specifications both for incident reporting and for risk management and governance disclosure, were adopted by a 3-1 vote and are now subject to a public reporting period. The new rules, which the Commission’s press release says are “designed to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents,” underscore the Commission’s emphasis on cybersecurity reporting and disclosure issues.

The SEC’s March 9, 2022 press release about the proposed new rules can be found here. The Commission’s two-page “fact sheet” about the new rules can be found here. The Commission’s 129-page proposing release can be found here. Cydney Posner’s March 9, 2022 post on the Cooley law firm’s PubCo blog about the proposed rules can be found here.
Continue Reading SEC Proposes New Rules for Cybersecurity Disclosure and Incident Reporting Rules