March 28, 2022
Cyber Risk Has Everyone's Attention
After a number of significant cyber incidents and software vulnerabilities made headlines in 2020 and 2021, cyber risk, and all its potential connected liabilities, has everyone’s attention.
Federal and state regulators are requiring more attention be paid to it:
- In May 2021, for instance, President Biden signed an executive order establishing baseline cybersecurity standards for U.S. agencies and software contractors, mandating multifactor authentication, endpoint detection and response, data encryption, a skilled internal security team, among other best practices.
- Anne Neuberger, cybersecurity adviser at the National Security Council, sent an open letter to business leaders warning them to step up security measures to protect against ransomware attacks, reiterating the best practices from the May 2021 Executive Order.
- After the Log4j software vulnerability was announced, the Federal Trade Commission (FTC) warned companies that a failure to mitigate known software vulnerabilities implicates various laws, including the Federal Trade Commission Act and the Gramm-Leach-Bliley Act.
- The Securities and Exchange Commission (SEC), which already had data protection and other security requirements in place for the financial entities that it regulates, recently proposed more ambitious cybersecurity regulations. These financial entities, such as investment companies, investment advisers, and business development companies (funds), as well as publicly traded companies, are considered part of society's vital infrastructure and continue to be valuable targets for cybercriminals.
The SEC, in particular, has stepped up its proposed regulation and enforcement activities. In June 2021, the SEC announced settled charges against a real estate settlement services company for violations related to a cybersecurity vulnerability that exposed sensitive customer information. In mid-2021, the SEC also initiated an investigation of the reported SolarWinds compromise, sending letters to hundreds of companies that may have downloaded the vulnerable software update, asking for records relating to that incident as well as any other data breach or ransomware attack since 2019.
A growing C-suite concern
Given recent regulatory changes and enforcement activities, it is not surprising that executives are expressing more concern about cyber risk.
Executives are more aware than ever that their companies need to take action to avoid more than just a computer network disruption. A cyber incident can trigger class actions, claims, reputational damage and potentially raise other professional liability issues with securities or derivative litigation.
According to my AXA XL Claims colleague, Tricia Melly, who leads our Professional claims team, "In addition to allegations regarding the timing of discovery of the incident and its public disclosure, shareholders may allege misstatements or omissions concerning the overall cybersecurity of the company, and/or the adequacy of the company's processes and procedures following an incident to limit impact and information flows to top executives and the board."
These types of incidents need the full attention of the company leaders, board, and officers. C-suite executives are wise to engage with cyber experts to better prepare their organization for a cyberattack, having plans in place that can minimize financial impacts of a cyber incident and possibly avoid costly lawsuits down the road.
While a cyber insurance policy may provide coverage for remediation costs in the event of a breach, it does not provide coverage for a securities-related matter, which would fall under a directors & officers (D&O) liability policy. That's why companies, and their brokers and insurers, need to pay careful attention to their insurance portfolio and work to understand how various coverages may respond in the various claims situations that can arise as a result of a cyber incident.
Cyber preparedness
The right insurance is important, but having robust cybersecurity policies and procedures in place may be even more important. Strong cybersecurity is a prerequisite when buying cyber insurance, and it may also help defend executives and the board from allegations that not enough attention was given at the top of the company to cybersecurity, should a securities or derivative claim follow a cyber incident.
Active executive involvement is a must. To protect the board from breach-of-duty or oversight claims related to a cyber incident, companies should carefully and regularly review the board's practices toward minimizing cybersecurity risks and consider conducting a recurring review of the existing cybersecurity systems, among other actions, to demonstrate that cybersecurity is taken seriously at all levels of the organization.
Fortunately, access to pre-vetted vendors and service providers is often a valuable part of cyber insurance coverage and can be helpful in assessing a company’s current security posture, providing enhancement recommendations and, of course, helping to address a breach should one occur.
Danielle Roth is Head of Cyber and Technology Claims for AXA XL, a division of global insurer AXA.