Danielle Roth is Head of Cyber and Technology Claims for AXA XL, a division of global insurer AXA.
After a number of significant cyber incidents and software vulnerabilities made headlines in 2020 and 2021, cyber risk, with all of its connected liabilities, has everyone’s attention.
Federal and state regulators are requiring more attention be paid to it:
- In May 2021, for instance, President Biden signed an executive order establishing baseline cybersecurity standards for U.S. federal agencies and the contractors that supply them with software, mandating multifactor authentication, endpoint detection and response, data encryption, and a skilled internal security team, among other best practices.
- Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology at the National Security Council, sent an open letter to business leaders warning them to step up their defenses against ransomware attacks, reiterating the best practices from the May 2021 Executive Order.
- After the Log4j software vulnerability was announced, the Federal Trade Commission (“FTC”) warned companies that a failure to mitigate known software vulnerabilities implicates various laws, including the Federal Trade Commission Act and the Gramm-Leach-Bliley Act.
- The Securities and Exchange Commission (SEC), which already had data protection and other security requirements in place for the financial entities it regulates, recently proposed more ambitious cybersecurity regulations. Those financial entities, such as investment companies, investment advisers, and business development companies (funds), as well as publicly traded companies, are considered part of society’s vital infrastructure and continue to be valuable targets for cybercriminals.
The SEC, in particular, has stepped up its proposed regulation and enforcement activities. In June 2021, the SEC announced settled charges against a real estate settlement services company for violations related to a cybersecurity vulnerability that exposed sensitive customer information. In mid-2021, the SEC also initiated an investigation of the reported SolarWinds compromise, sending letters to hundreds of companies that may have downloaded the compromised software update and asking for records relating to that incident as well as “any other” data breach or ransomware attack since 2019.
A growing C-suite concern
Given recent regulatory changes and enforcement activities, it is not surprising that executives are expressing more concern about cyber risk.
Executives are more aware than ever that their companies need to take action to avoid more than just a computer network disruption. A cyber incident can trigger class actions, claims and reputational damage, and can also raise professional liability exposure through securities or shareholder derivative litigation.
According to my AXA XL Claims colleague, Tricia Melly, who leads our Professional claims team, “In addition to allegations regarding the timing of discovery of the incident and its public disclosure, shareholders may allege misstatements or omissions concerning the overall cybersecurity of the company, and/or the adequacy of the company’s processes and procedures following an incident to limit impact and information flows to top executives and the board.”
These types of incidents need the full attention of the company’s leaders, board, and officers. C-suite executives are wise to engage with cyber experts to better prepare their organization for a cyberattack, putting plans in place that can minimize the financial impact of a cyber incident and possibly avoid costly lawsuits down the road.
While a cyber insurance policy may provide coverage for remediation costs in the event of a breach, it does not provide coverage for a securities-related matter, which would fall under a directors & officers (D&O) liability policy. That’s why companies, and their brokers and insurers, need to pay careful attention to their insurance portfolio and work to understand how each coverage may respond in the different claims situations that can arise from a cyber incident.
The right insurance is important, but having robust cybersecurity policies and procedures in place may be even more important. Strong cybersecurity is a prerequisite when buying cyber insurance, and it may also help defend executives and the board from allegations that not enough attention was given at the top of the company to cybersecurity should a securities or derivative claim follow a cyber incident.
Active executive involvement is a must. To protect the board from breach of duty or oversight claims related to a cyber incident, companies should carefully and regularly review the board’s practices for minimizing cybersecurity risk and consider conducting a recurring review of the existing cybersecurity systems, among other actions, to demonstrate that cybersecurity is taken seriously at all levels of the organization.
Fortunately, access to pre-vetted vendors and service providers is often a valuable part of cyber insurance coverage and can be helpful in assessing a company’s current security posture, providing enhancement recommendations and, of course, helping to address a breach should one occur.