The following article was first published in Advisen's inaugural Journal as my first regular column. The second Journal was published on 15 June and is available from Advisen at http://corner.advisen.com/journals.html. I will republish my second column in the coming days.
Many who underwrite or broker insurance, or practice law in the cyber/technology/privacy ("CTP") realm migrated to this emerging area from the directors and officers liability regime. At the same time, it did not take a crystal ball to recognize that it was only a matter of time before CTP and D&O found a commonality. And that time is now.
Virtually every public and private company is reliant on computer networks and electronic data. It's a way of life in the 21st Century. And there's no going back. Yet with reliance comes risk. It seems we read about significant CTP breaches involving large, multinational companies almost on a weekly basis. CTP breaches have become a well-recognized risk of doing business. Estimates project that over 10 percent of us already have been hacked or had their identities stolen. I am among them.
In light of the growing frequency—and severity—of such breaches (whether by hackers, hacktivists, foreign governments, teenagers or simple thrill-seekers), legislators and regulators alike are taking a much harder look at CTP risks and exposures. There have already been securities fraud lawsuits arising from alleged CTP events.
In one case, In re: Heartland Payment Systems (D.N.J. Dec. 07, 2009), a motion to dismiss was granted where the court found that the existence of unresolved network security issues did not, in itself, suggest that the defendants did not value data security or that they did not maintain a high level of security. The court further found that while knowledge of a prior cyber attack may have been material to plaintiffs' investment decisions, securities issuers have no general duty to disclose every material fact to investors. (See related textbox, "D&O, Cyber Intersect: The First Case," for background on the Heartland securities class action.)
More recently, the well-publicized securities fraud class action lawsuits against News Corp. arising from the London hacking scandal provide another example of what likely will become a growing trend of D&O litigation involving CTP issues.
Thus, it should be no surprise that on October 13, 2011, the SEC's Division of Corporate Finance (DCF) issued a Disclosure Guidance identifying the types of information public companies should consider disclosing to their shareholders about cyber risks and events that could have a material financial or operational impact. While it is noteworthy that the DCF has cautioned that the Disclosure Guidance only represents its own views and "is not a rule, regulation, or statement of the Securities and Exchange Commission" and that "the Commission has neither approved nor disapproved its content," such cautionary comments should be taken with a grain of salt, in my view.
YOU be the officer or director of a company that does not "comply" with the DCF's "recommendations" or ignores the "materiality" element and see how that works out for you.
Indeed, the DCF emphasizes that existing disclosure rules already require registrants to consider their cybersecurity risks and disclose them "as necessary" to provide "timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision."
The DCF's Guidance references a "rogue's gallery" of cyber crimes, including malicious or unauthorized access, denial of service attacks, and phishing, among other events. It is beyond the scope of this commentary to rehash the particulars of the Guidance in detail. Instead, it is my intent here (and in future columns) to tell you things that you might not read or hear elsewhere.
In this case, it is my view that notwithstanding that the Guidance purports to apply only to public companies (and then, ostensibly, is only a "suggestion"), de facto, it applies to virtually every company, public or private, large or small, with or without an IT department, that wants to thrive and grow in the Cyber-age.
Why do I say this?
Consider the not so hypothetical situation involving a public company which knows that there are shareholder plaintiffs' firms salivating at the thought of suing it for securities fraud. Obviously, the prudent course of action would be for the company to adopt a proactive approach to "suggested" disclosures, allocating resources to its potential cyber risks and exposures. (Hello, forensic and data security experts and lawyers!)
It stands to reason that the public company will require its business partners, suppliers, vendors and others to provide it with parallel disclosures in order to avoid being sued for those companies' failings. As a result of such a practical approach, privately-held entities that have dealings with public companies may indirectly find themselves subject to the Guidance in order to maintain their competitive footing in the market.
But it doesn't stop there. Let's say you are a private company that doesn't do business with public companies. You might say to yourself, this doesn't have anything to do with me. Well, maybe. Or maybe not. What happens if you deal with customers or clients, which also have actual or potential business dealings with public companies? And let's imagine you compete with those public companies for the client's or customer's business. If you're the client or customer, and your prospective public company business associate provides you with all of their cyber-related disclosures, won't you want similar disclosures from potential private company partners and providers and vendors—irrespective of whether the Guidance applies to them?
If you're that private company submitting an RFP or other business proposal and your prospective customer or client asks for that information, what do you say? I don't have it? I don't have to do it? Or, quite simply, no?
Good strategy. It is a good way to virtually ensure you'll lose the deal. Particularly if the prospective partner wants an indemnity or hold harmless you aren't in a position to give because you don't know what exposures you're potentially buying.
So what is the only feasible solution other than to just shut down your business or deal only with those (quickly decreasing number of) companies that are unaware of or don't care about cyber risks and exposures? In my view, the right move would be for your company to evaluate and get its arms around its own cyber risks and exposures—and to be in a position to address them with the potential client or customer.
Why is this important to cyber and tech underwriters, brokers and others?
It's obvious, right? Underwriters should be seeing increased submissions from companies of all stripes in all sectors and business segments, be they public or private. And they should be beating the bushes with retail and wholesale brokers to educate them about the risks. The brokers, then, should be knocking down their clients' doors to educate them about this development and impress on them the value of cyber/tech insurance.
If things go as they should, scores of new policies will be written and dramatically increased premium will be generated, which, of course, is good for everyone, including, most importantly, our clients.