Its not often that worlds collide or that interests converge into one amorphous epiphany. But that's exactly what happened to me recently, when the Division of Corporate Finance (DCF) of the U.S. Securities and Exchange Commission (SEC) issued a Disclosure Guidance identifying the types of information public companies should consider disclosing about cyber risks and events that could impact their financial statements. Now, the DCF has cautioned that the Disclosure Guidance only represents its own views and "is not a rule, regulation, or statement of the Securities and Exchange Commission." The DCF also emphasizes right up front that "the Commission has neither approved nor disapproved its content." Yeah, right. YOU be an officer or director or officer of a company that does not "comply" with the DCF's "recommendations."
So, you're probably asking yourself, (self:) why the heck is Bortnick so effusive about the issuance of the Disclosure Guidance beyond the obvious? Well, here's the Cliff Notes version. As a young(er) man, I majored in college in broadcast journalism. I then worked at radio and television stations in Boston, but quickly realized that I had a face for radio, which didn't pay well. Recognizing that my greatest asset was my ability to communicate, I concluded that I should become a lawyer. In fact, a communications/first amendment/privacy lawyer. So, that is what I set out to do. I went to Villanova Law School, worked at the National Association of Broadcasters in Washington, and was all set to meet my destiny. But, alas, it was not to be. At almost the same time I graduated from law school, then-President Reagan decided to deregulate the communications industry and slapped a hiring freeze on at the Federal Communications Commission. Where I had a job waiting. Where I had accepted an offer in its Fairness Division (which regulated political speech and related First Amendment issues). As a result,my "job" was on-hold. But my life wasn't. I needed to work.
To make a long story short, I worked for a spell at the U.S. Department of Labor in Washington, then moved back to Philadelphia, where I joined a large firm doing antitrust litigation. With respect to which the Reagan Administration also had taken a laisse faire approach. Having yet again been thwarted by those pesky bureaucrats, I began to practice insurance law in 1990. I immediately migrated to securities law and D&O, which seemed to me to be as interesting and sophisticated as antitrust had been. Now, bear in mind that we're talking about 1990. D&O was out there, but it was by no means the dynamo it is today. So, I taught myself securities law, claims made issues, D&O policies, and the like, and began to handle D&O claims and draft D&O policies.
Okay. Stay with me now. Here's where the point comes in. In the mid-90s, I began handling Financial Loss and privacy-related claims for London underwriters. And started drafting policies and wordings. Which lead me to cyber and technology law. And, to bring it all around, to this blog. Where we discuss cyber and technology issues. As well as D&O issues, where relevant (see here and here). As such, the Disclosure Guidance conflates my two professional passions (yeah, I'm a geek), cyber and securities law, into one scintillating dynamic.
Having now provided you with an outline of my still-unwritten autobiography, treasured reader, you're probably asking yourself if I have anything substantive to say on the subject beyond that which has been written by the plethora of other lawyers and commentators who (in my cynical view, which evolved from the foregoing life-experience) are regurgitating the content of the Disclosure Guidance without adding much substance or analysis beyond "comply," or "call me to help." (which isn't bad if your goal is marketing, but not so much if you actually want to add value).
Here's the value added feature we at Cyberinquirer always strive to provide: the Disclosure Guidance, de facto, applies to virtually every company, public or private, large or small, with or without an IT department, that wants to thrive and grow in the Cyber-age. Notwithstanding that it ostensibly is only a "suggestion," and then only with respect to public companies. And despite the SEC's caveat that it does not approve or disapprove its content.
Why do I say this? Well, think about it. If you are a public company which knows that there are shareholder plaintiffs' firms salivating at the thought of suing your company for securities fraud, aren't you going to be proactive, allocate resources to your potential cyber risks and exposures (hello, forensic and data security experts!), and make the "suggested" disclosures? If you're smart you will. And, if you're the same public company, won't you want your business partners, suppliers, vendors and others to provide you with the exact same information you are compiling so that you know they too are "complying" and that you (likely) won't be sued for that company's failings? And if you are a private company that deals with public companies, aren't you going to do this, lest you lose your partnership or your contract? Of course you are.
But it doesn't stop there. Let's say you are a private company that doesn't do business with public companies. You might say to yourself, this doesn't have anything to do with me. Well, maybe. Or maybe not. How about if you deal with customers or clients which also have actual or potential business dealings with public companies. And let's imagine you compete with those public companies for the client's or customer's business. If you're the client or customer, and your prospective public company business associate provides you with all of their cyber-related disclosures, won't you want similar disclosures from potential private company partners/providers/vendors? Irrespective of whether the Disclosure Guidance applies to them? If you're that private company submitting an RFP or other business proposal and your prospective customer/client asks for that information, what do you say? I don't have it? I don't have to do it? Or, quite simply, no? Good strategy. Way to virtually ensure you'll lose the deal. Particularly if the prospective partner wants an indemnity and/or hold harmless you aren't in a position to give because you don't know what exposures you're potentially buying.
So, what's the only feasible solution other than to just shut down your business or deal only with those (quickly decreasing number of) companies that are unaware of or don't care about cyber risks and exposures? In my view, the right move would be for your company to evaluate and get its arms around its own cyber risks and exposures. And be in a position to address them with the potential client/customer.
Why is this important to cyber and tech underwriters ? (here's where we justify the title of this article). Its obvious, right? Underwriters should be seeing increased submissions from companies of all stripes in all sectors and business segments, be they public or private. And, they should be beating the bushes with retail and wholesale brokers to educate them about the risks. And the brokers then should be knocking down their clients' doors to educate them about this development and impress on them the value of cyber/tech insurance. If things go as they should, ta da, scores of new policies will be written and dramatically increased premium will be generated. Requiring, of course, the need... for... lawyers.....Cyber lawyers. Tech lawyers. And bloggers.
Ladies and gentlemen, go get 'em.
www.cozen.comThe content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
