Simmering Risk: Cyber Attacks and Government Investigations
First Quarter 2012
Corporate Board Member
by Charles Keenan
Corporate Board Member tapped the expertise of Chandra Reddy Metzler, president, U.S. and Canada Financial Lines, Chartis Insurance Corp., and William M. Steers, president, Gunn Steers & Co. LLC, to discuss two simmering topics for boards today.
The SEC has announced guidance regarding disclosure of insurance to cover cyber risks. Compare this to what companies were already doing under Dodd-Frank.
William Steers: Whether it’s a rule or merely guidance, in-house counsel and board members are still forced to react prudently. The SEC, boards, executives, and in-house IT staff are going to use this as a benchmark for determining how good the internal risk management is at a company. So public relations, IT, and the general counsel all have to be on the same page, in terms of disclosure, when or if a data breach occurs.
Chandra Metzler: Now more than ever, cyber security is a boardroom concern. With or without the guidance, potential material cyber-security risks need to be disclosed. The guidance highlights an increased focus on cyber-security disclosures. This is not surprising given the headlines for recent data breaches and organized bands of hackers expanding their focus; it is easy to surmise the reasons behind the SEC’s guidance in the absence of a required disclosure.
What events would trigger director liability in those cases?
Metzler: Any security breach, including the hacking of software in products or system controls, could present a potentially material exposure requiring disclosure. Nondisclosure risks SEC enforcement activity, fines, penalties and possible jail time. Also, securities or derivative litigation may follow along with expensive defense costs and potential liability for the company and personal liability for its board.
Steers: Plus, you also have reputational risk that can clearly bring down a company, in and of itself.
On the regulatory side, we’ve seen a lot more government investigations. What’s spurring this activity?
Steers: In the aftermath of the credit crisis, the enforcement of securities laws has been a top priority in both national and local governments. So there is increased vigor in terms of enforcing securities laws, as well as many new reforms like the Consumer Protection Act, which seems to give more power to the authorities in pursuing these types of cases.
Metzler: In addition, the SEC is going to be quick to respond to any public issue that may arise, from a whistleblower situation to other events. The examiners are definitely speaking to the enforcement side of the SEC much more readily, and the enforcement teams are ready to swarm to any smoke to get to the fire. In years past, those two departments within the agency did not correspond with one another regularly. But now more than ever, they are definitely in sync and working together on these issues.
So from an insurance perspective, what does this mean?
Steers: It requires us as brokers to investigate all the policies out there and be able to provide a certain amount of coverage for formal SEC investigations, which most policies have. It’s where we start getting into the informal investigations, and determining whether the entity itself is covered or whether it’s just insured individuals, that it gets tricky. The devil is in the details, which is clearly a broker’s responsibility.
Metzler: This is one of the driving reasons why D&O insurance rates are expected to rise this year. Since the SEC guidance requires disclosure of cyber-security insurance that may respond to a breach, companies that previously self-insured may find themselves in the market for responsive coverage. We have innovative policies to help meet this demand.