Cybersecurity Insurance to Mitigate Cyber-Risks and SEC Disclosure Obligations

Long a concern of information security specialists, the potential for material economic losses from internet-based intrusion has finally struck a chord in the investment community. Reports of a serious, nearly decade long, external penetration into information intended for only the most senior executives at Nortel Networks Ltd. has been one of the few public examples in which a company’s overall value has been compromised. In response to this risk for publicly traded companies, the Securities and Exchange Commission has issued informal guidance (“SEC Guidance” or “Guidance”) outlining cybersecurity disclosure obligations, requiring registrants to disclose their vulnerabilities and cyber-incidents and their cybersecurity plans, including what form of insurance, if any, they have.

As the Guidance notes, cybersecurity insurance may serve to mitigate financial risks and limit a company’s disclosure obligations by incentivizing companies to comply with best practices and reducing the harm of potential attacks. Comprehensive cybersecurity insurance can minimize the fallout from an actual cyber-incident and can serve to decrease the likelihood of a potential attack. That being said, it seems that only a fraction of companies have insurance to cover losses arising from a cyber-attack. Indeed, many rely upon more general policies, whose coverage over cybersecurity incidents seems to be, at best, unclear. For instance, Sony Corp. of America’s insurer, Zurich American Insurance Co., filed suit against Sony alleging that its policy only covered property damages and other tangible losses, not the harm caused from a cyber-attack.

President Obama’s Executive Order 13636 (Feb. 12, 2013) has now mandated the development of a national “Cybersecurity Framework” and programs to encourage voluntary adoption of the framework, directed the Secretary of Homeland Security to designate those critical infrastructure companies at greatest risk, and created a framework for increased threat information sharing with critical infrastructure companies. In light of these significant changes in the cybersecurity landscape, more companies are looking for insurance products that mitigate their risk and thereby enable them to assure investors that this risk is being appropriately managed.

Cyber-Incidents Raise Awareness in the Investment Community

Adm. Mike Mullen, chairman of the Joint Chiefs of Staff, stated that the United States faces two existential threats. One is nuclear weapons, and the other is cybersecurity. Cybersecurity, however, is not only a national security concern; it is also a financial concern. Companies worldwide lose an estimated $1 trillion per year due to cyber-attacks and data losses. These losses are not merely breaches of controls over personal information, but also the theft of next-generation designs, bidding strategies, customer lists, and algorithms. A quarter of organizations have suffered a data breach or loss in the last year, averaging more than $1.2 million per incident. According to the Office of the National Counterintelligence Executive, many of the threats come from foreign, perhaps state-supported, economic espionage seeking data pertaining to communications technology, military equipment, civilian and dual-use technologies, health care and pharmaceuticals, agriculture technology, energy and natural resources, and macroeconomic trends and forecasts. In addition, nonstate actors threaten to disrupt business operations to fulfill political activist objectives or procure sensitive data for third parties.

08-27-2013 22:13