Cybersecurity Litigation Review

This blog post was submitted in dialogue with the recent PLUS webinar “Cyber Risk is a D&O Risk.” You can view the recording of this webinar and past free webinars on the PLUS website here.

If you have blog content you’d be interested in submitting, please reach out to Katie Campbell at kcampbell@plusweb.org.

John Cheffers was hired to be a Director of Research for Watchdog Research in 2019 and creates content that is featured on the company blog.  He obtained his J.D. from Ave Maria School of Law in Naples Florida in 2019, where he was a member of the Law Review and graduated magna cum laude. Prior to that he worked for Audit Analytics as a Research Analyst.

Cybersecurity has gone from a niche concern to a hot topic in the D&O insurance world.  On September 23rd, this week, PLUS hosted a webinar on how companies can strategically handle cybersecurity concerns.  The speakers offered tremendous perspective on this dynamic and growing area, and we encourage everyone to listen to their fascinating conversation.

We are an independent research provider that uses an extensive database of public information to create easy-to-use reports for over 4,500 publicly traded companies.  Since we track cybersecurity incidents and all material litigation for public companies, we thought we could use this as an opportunity to provide a little color to the important discussions concerning cybersecurity.

Overview

We began by looking at incidents that occurred at companies listed on the NYSE and Nasdaq over the past ten years, and the growth rate of cybersecurity incidents is alarming: 

*The graphs and tables in this post were created by Joseph Burke, PhD, and derived the Audit Analytics database.

In 2010, only 0.1 % of companies reported a cybersecurity incident. In 2019, 2.2% of companies reported a cybersecurity incident. The growth of cybersecurity incidents over the past five years has been incredible and it is not clear when it will slow down. 

Another interesting facet is that the risk of a cybersecurity incident is much higher at a large company that it would be at a small company. Attacks on large companies are driving much of the growth in these numbers.

Cybersecurity Security Class Actions

A cyberbreach at a company creates all sorts of problems, including litigation. We identified all the security class action suits that were brought over cybersecurity issues and calculated the likelihood of being named in one of those suits. Unsurprisingly, the last ten years has shown significant growth in the risk of being named in a cybersecurity related lawsuit.

It is important to note that these percentages are for all companies.  Large cap companies have a significantly probability than is represented in the graph because they are both more likely to be the victim of a cybersecurity incident and are generally more likely to have a securities class action suit filed against them.  

Cybersecurity as a Leading and Covariate Indicator

Two of our researchers, Joseph Burke PhD and Joseph Yarbrough PhD, wrote a research paper calculating when particular flags from our reports were associated with an increased risk of securities class action litigation for 2014-2018. Companies with a cybersecurity incident were almost three times as likely to get named in a securities class action lawsuit the year that the incident occurred.

Additionally, cybersecurity incidents were one of the six leading indicators of securities class action suits.  An event is considered a leading indicator of litigation if the occurrence of that event is associated with an increased risk of litigation for the following year. 

Conclusion

The chance of being involved in a cybersecurity securities class action lawsuit is still relatively low, but it is increasing rapidly. Additionally, the risk profile is far higher for large companies, which are more likely to be a victim of a cybersecurity incident and more likely to get named in a securities class action lawsuit. 

If company boards wish to prevent having their company victimized twice (by hackers and by lawyers), then they need to make wise and strategic decisions to confront this growing threat.

Cyber Perspectives on Coronavirus: Part 2

The second installment of Cyber Perspectives on Coronavirus focuses on the risks associated with the increase in the remote workforce and the role that HR can play in a company’s cyber risk culture. View the white paper written by one of the speakers, Tom Finan, here.

Listen here to the Cyber Perspectives on Coronavirus: Part 2 discussion:

Speakers:

Gail ArkinGail Arkin, SVP, General Counsel at Berkley Cyber Risk Solutions

Gail Arkin is the General Counsel of Berkley Cyber Risk Solutions, located in  Morristown, NJ.  Her responsibilities include the development of cyber insurance products and managing all regulatory, compliance, distribution and corporate legal matters. Gail has over 20 years of insurance experience, including over 15 years developing cyber products, and previously held the positions of senior vice president & general counsel for a financial lines division, general counsel for a wholesale and retail division, and a claims officer for professional and management liability lines of insurance.

T FinanTom Finan, Cyber Growth Leader at Willis Towers Watson

Tom Finan is a Cyber Growth Leader within Willis Towers Watson’s FINEX Cyber/E&O Practice.  In this role, Tom advances the company’s integrated approach to cybersecurity across all aspects of people, capital, and technology risk.  Tom previously worked as the Chief Strategy Officer of Ark Network Security Solutions.  He also served as Senior Cybersecurity Strategist and Counsel with the Department of Homeland Security’s National Protection and Programs Directorate.  While at DHS, Tom established and led the agency’s cybersecurity insurance initiative in support of implementation of Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.”  To advance that effort, he created DHS’ Cyber Incident Data and Analysis Working Group (CIDAWG), a private-public engagement forum that examined how a cyber incident data repository could help meet the information and analysis requirements of the insurance industry and technical cybersecurity professionals.  Tom previously served as the Staff Director and Counsel for the Subcommittee on Intelligence, Information Sharing and Terrorism Risk Assessment with the U.S. House Committee on Homeland Security.

James-J-GiszczakJames Giszczak, Member at McDonald Hopkins

James is a member at the law McDonald Hopkins. He is chair of the litigation department and  co-chair of the data privacy and cybersecurity practice group. He advises clients regarding data security measures and responding to security breaches involving sensitive personal information and protected health information. He works with clients in a myriad of industries to assess and implement appropriate data security safeguards. Jim also litigates matters involving data security and data privacy, including defending single plaintiff and class action lawsuits.

Cyber University and More: PLUS’s Virtual Education

Successful Turnout at PLUS 2020 Cyber University

Last week, over 100 PLUS members attended PLUS’s virtual Cyber University. While this event has been held in-person in previous years, this year’s Cyber University was part of PLUS’s 2020 plan to provide virtual education to broader audience. Attendance for Cyber U doubled this year, and the staff at PLUS is proud to provide quality education in virtual space, especially in light of current circumstances.

This is the third year of PLUS Cyber University and registrants attended six live sessions over three days.  “The program content is incredibly strong, so the focus was on how to take an in-person event and continue to make it meaningful as a virtual one,” said Megan Moore, Director of Education and Professional Development at PLUS. Topics included: legal foundations, evolution of cyber coverage, interplay among lines, underwriting, breach responses, 1st and 3rd party claims, risk management, and breach scenarios. Moore added, “As we transfer this program to virtual, we made sure to include opportunities for attendees to reflect on what they’ve learned and apply it to their own experience as well as connect with each other outside of the session.”

Continuing to Provide Remote Education

PLUS is continuing to expand its virtual education offerings for all members. In May alone there are three top-notch webinars on a variety of professional liability topics, from the Sciabacucchi court case decision, to resolving D&O disputes virtually, to social distancing and telehealth.  Additionally, on-demand presentations from the virtual Healthcare and Medical Professional Liability Symposium are available to view, as well as Online eLearning modules for the RPLU program available to purchase. You can work through module content at your own pace, and even complete the exam entirely online!

“Over the last few years, we have been ramping up our ability to provide online and virtual education,” said Robbie Thompson, CEO of PLUS. “While PLUS will always offer outstanding in-person networking and education events, we knew that focusing on other ways members can also get professional development was critical to PLUS continuing to serve the professional liability industry.” From webinars, to the RPLU online eLearning modules, to webinar, to in-person events moved to virtual like Cyber University, PLUS is working to make education accessible no matter the circumstances.

PLUS Membership for the Win

Membership is an important aspect of PLUS, and PLUS staff has been working tirelessly (and remotely!) to provide new ways to engage members virtually.  If you are a PLUS member, you can register for any or all of the May webinars for free! If you aren’t a member yet, become one now to register for webinars, gain access to an archive of PLUS virtual education, and more. Check out previous posts on this blog to listen to PLUS’s PL Perspectives on Coronavirus podcast, and stay tuned for even more distance education offerings in the future.