Insurers and their insureds continue to face a growing patchwork of laws and regulations regarding the components of their cybersecurity programs, as well as the necessary steps following an incident.  At the state level, NYDFS finalized revisions to its Part 500 Cybersecurity Regulation at the end of 2023.  The amendment to Part 500 created new and enhanced requirements for large companies.  Meanwhile, companies must also navigate state privacy laws, and variations on the NAIC Insurance Data Security Model Law 668 adopted by several states.

At the federal level, the SEC has been busy with the rollout of its 2023 disclosure rules and amendments to Regulation S-P, which governs broker-dealers and other financial institutions.  The FTC also amended the GLBA's Safeguards Rule, adding breach reporting requirements to the existing requirements for safeguarding customer financial information.

The increased scrutiny on cybersecurity from lawmakers and regulators has practical implications and operational impacts.  In order to manage their various cybersecurity compliance obligations, companies may have an increased need for internal documentation of risk assessments, policies, and response plans.  Additionally, regulators want to see empowered CISOs, along with ownership of cybersecurity risks at the highest levels of company leadership, including the CEO and Board.  This emphasis on personal accountability is evident in the pre- and post-incident disclosure requirements now imposed on companies.

These heightened legal standards carry increased litigation risks.  Class actions arising out of cyber incidents were already on the rise.  The NYDFS has staked out aggressive positions in its enforcement actions, seeking up to $1,000 per violation.  Now companies may also face an increased likelihood of enforcement actions, shareholder suits, whistleblower retaliation suits, and individual executive liability.

Increased litigation risks and complexities have potential impacts on the insurance coverage available for such risks across policy lines.  With these new regulations, companies may face an increased likelihood of D&O risks such as shareholder suits and individual executive liability arising out of inadequate or misleading disclosures.  The SEC’s new requirements for annual 10-K filings setting forth cybersecurity processes and risk management oversight could lead to EPLI exposure in the form of whistleblower retaliation suits.

Of course, cybersecurity risks implicate cyber coverages, and the fluid regulatory landscape may lead to coverage disputes.  As regulators mandate the implementation of specific cybersecurity safeguards, the maintenance of documentation, and periodic disclosures, insurers will have more information to review in the course of a coverage investigation, including when analyzing whether any one of several exclusions applies.  Some cyber insurers exclude coverage for claims resulting from an insured's failure to maintain certain minimum processes, a failure that regulators or litigants may also allege.  Misleading or inaccurate disclosures could implicate a dishonest acts exclusion.  The heightened focus on what the CISO or other high-level executives knew about a cybersecurity vulnerability, and when they knew it, could be highly relevant to coverage under a policy that grants or excludes coverage based on circumstances known at the policy's inception date.

The new and amended rules discussed above encourage financial services companies, including insurers, to build a culture of cybersecurity compliance, starting at the Board and C-suite levels.  The evolving legal and regulatory landscape in the area of cybersecurity means that insurers face an evolving risk landscape and the potential for increased litigation.  Insurers covering cyber risks in the market should be especially mindful of the disclosure and certification requirements incorporated into recent rules when reviewing policy applications and claims.

Meet the Authors

Natalie Limber

Natalie Limber is counsel in Dentons' Los Angeles office. She has a broad range of combined law firm and in-house experience with a focus on serving the legal and regulatory needs of the insurance industry.

Kathleen McCain

Kathleen McCain is a partner in Dentons' Los Angeles office. She has more than 30 years of experience guiding clients through insurance transactions and regulatory issues.

Todd Daubert

Todd Daubert is a partner in Dentons' Washington, DC office and is chair of the firm's Communications and Technology sectors, and leader of the US Privacy and Cybersecurity team. He has two decades of experience helping companies develop, deploy, improve and protect their technology, telecom, and data products and services.

Sabrina Chow

Sabrina Chow is an associate in Dentons' Orange County office. She is a member of the Commercial Litigation practice, focusing on insurance dispute resolution and litigation.
