The U.S. Security and Exchange Commission’s (SEC) Division of Corporate Finance issued guidance last October regarding a company’s responsibility to make certain disclosures related to cyber security risks and incidents. Although the requirement to disclose material exposures and risks is not new, the SEC’s guidance on the matter likely caught many directors and officers by surprise. 

Corporate leaders were advised that they should be as careful and diligent about their duties regarding cyber security risks as they are with other operational risks facing their organizations that may require disclosure to the investment community.

“Therefore, as with other operational and financial risks, registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents,” the SEC said in its October 13, 2011, guidance.

Until then, many directors and officers viewed cyber security as an information technology (IT) department issue, or perhaps a general counsel issue if they operated in a heavily regulated industry. Now that it has been elevated to the boardroom,  corporate leaders need to know more than whether a network breach or computer failure could happen to the organization. They need to know what the likelihood is of an incident occurring, and they need to be familiar with the firm’s actions and plans to mitigate its exposure.

The risk manager is one individual that leadership is likely to reach out to for answers. Questions will vary, but risk managers should be prepared to discuss their organizations’ cyber risk management practices and to answer such questions as:

• What information do we handle, collect, or store? What do we do with data or information that we no longer need?
• How do we share information—internally and with our trading partners, vendors, and customers?
• How do we control access to our systems? How do we verify who is logging in?
• How do we control what software is running on our devices?
• How dependent are we on third parties for our critical infrastructure?
• How are we using the cloud?
• How prepared are we to deal with a system outage or breach?

Disclosing Insurance Coverage

In its guidance, the SEC notes that depending on a public company’s particular facts and circumstances—and to the extent of materiality— appropriate disclosures may include “a description of relevant insurance coverage.” Risk managers need to be prepared to answer questions from their directors and officers about whether the firm’s insurance coverage provides adequate protection in the event an incident occurs.

It will be important for risk managers to explain that the rapid evolution of privacy and security risks means that many traditional forms of insurance may not be able to adequately respond to these exposures. For example:

• General liability policies often do not provide coverage for damage to electronic data, criminal or intentional acts of insureds or their employees, or pre-claim expenses.
• Property policies typically limit coverage to damage to and/or loss of use of tangible physical property resulting from a physical peril, and to damage to tangible property only at specific locations. Several insurers expressly exclude coverage for any damage to data.
• Fidelity/crime policies generally limit coverage to direct loss from employee theft of money, securities, or other tangible property. Even broadened coverage under a computer crime extension often limits coverage to the cost of re-collecting or restoring the damaged or corrupted data. Often these policies will expressly exclude coverage for actual theft of data or information.
• Errors and omissions policies often limit coverage to claims arising from negligence in performing specifically defined services and exclude coverage for criminal or intentional acts of insureds or their employees and pre-claim expenses associated with a privacy breach.

Cyber insurance policies can fill many of the gaps in traditional insurance and provide direct loss and liability protection for risks created by the use of technology and data in an organization’s day-to-day operations. Policies can be customized to include any or all of the following coverages:

• privacy and computer security;
• information asset;
• business interruption, including extra expense;
• cyber crime;
• cyber extortion;
• criminal reward fund; and
• crisis management.

Having a robust cyber insurance policy in place can provide protection not only from the high costs associated with responding to a cyber breach, but also from the litigation and indemnity costs after a cyber incident occurs. It can also go a long way in giving investors the knowledge and comfort they need should the firm have to disclose its cyber security risks or a specific incident.   

To learn more about the changing landscape of network and technology risks and how best to mitigate the exposure, join Marsh’s upcoming New Reality of Risk webcast, “Cyber Risks, the SEC, and the Boardroom,” to be held Wednesday, March 14, 2012, at 11:00 a.m. (ET).

Name (required) Name Is Required

Email (required) Email Is Required Invalid Email Address

Website

Comment Is Required

Enter the code shown above:

Notify me of followup comments via e-mail