Cyber Risks Connect With Directors and Officers · 2013-11-04
Cyber Risks Connect With Directors and Officers
Implications of the New SEC Guidance on Cyber Security
February 2012 • Lockton Companies, LLC
William Boeck, Senior Vice President, Insurance & Claims Counsel, 816.960.9670
Emily Freeman, Executive Director, Technology and Media Risks, 011 44 20 7933 2224
Chris McBee, Senior Vice President, Financial Services Unit Manager, 214.969.6727
The Securities and Exchange Commission (SEC) has changed the cyber security playing field for directors and officers. No less than the Chairman of the U.S. Senate’s Commerce Committee has said that the new guidance issued by the SEC “fundamentally changes the way companies will address cyber security in the 21st century.” He is right!
For the past five years, IT security, privacy and legal professionals, and internal audit have focused on direct and indirect cyber risks. At Lockton, we have seen increasing inquiries from insurance and risk management professionals for advice and insurance. The SEC’s guidance will now require company directors and officers to pay increased attention, too.
If the business—such as a financial institution, retailer, or healthcare provider—requires the collection and use of personal financial or healthcare information, many senior executives are already aware of the liability, brand, and financial costs of data breaches. But are cyber risks just the concern of companies that deal directly with the consumer?
The SEC guidance issued in October 2011 paints a different picture, or perhaps a target, on the board of directors. It makes the boards of directors of publicly traded companies responsible for assessing their company’s exposure to cyber risks, the procedures they take, and the costs they incur in preventing cyber incidents.
Companies must disclose this information to investors. The guidance is detailed about what needs to be disclosed. The list is long. The guidance does not impose a new legal requirement, but that does not minimize its impact.
The disclosure guidance issued on October 13, 2011 (the Disclosure Guidance), by the Division of Corporation Finance of the Securities and Exchange Commission (SEC) can be found here.1
In a world where cyber events are increasingly common, shareholders and the lawyers who represent them will be assessing whether disclosures are adequate in their view. When a company experiences a cyber event, its directors and officers may well find themselves in shareholder lawsuits that seek to impose liability for breaches of fiduciary duties, to assure that the company is adequately prepared for such an event, and to disclose the risks of such events to investors. The SEC’s guidance arguably creates a road map for aggrieved shareholders, and the disclosures will create significant risks for directors and officers.
So what impact does it have on board governance? And is this expanding our notion of cyber risks beyond consumer-facing companies?
The Congressional Impetus Behind the Guidance
Although the Department of Homeland Security has departmental focus and executive support for improving cyber security of U.S. critical infrastructure industries, the SEC guidance is driven by congressional concerns.
The disclosure guidance follows in the wake of a letter in May 2011 to the SEC from five members of the Senate, including John D. Rockefeller IV, Chairman of the U.S. Senate Committee on Commerce, Science, and Transportation. That letter expressed concern that “a substantial number of companies do not report their information security risk to investors,” and that “once a material network breach has occurred, leaders of publicly traded companies may not fully understand their affirmative obligation to disclose information . . .” As a result, the Senators requested that the SEC “publish interpretative guidance clarifying existing disclosure requirements pertaining to information security risk . . .”
This letter was the culmination of a 15-month investigation by the U.S. Senate Commerce Committee, kicked off by a question: “Should the SEC issue a regulation requiring companies to disclose breaches; why or why not?” The investigation examined what companies were or were not reporting, what the SEC’s role is or could be, and whether there could be a positive impact not only on the cyber security of companies, but on the U.S. as a whole.
It is relatively easy for investors to see major public operational disruptions from customer data breaches.
The well-publicized breaches involving T.J. Maxx and the Sony PlayStation are good examples. Class action lawsuits, notification of data breaches to customers, and privacy regulatory investigations are also public events.
The Commerce Committee’s investigation focused on something more difficult to see. How can companies or investors measure or even discover the theft or unauthorized disclosure of corporate sensitive data, research and development, scientific studies, and trade secrets? If a company’s market capitalization and revenues are based upon its know-how, intellectual capital, and research, what would the company be worth if it were the victim of hackers or industrial espionage by person or governments? Do investors understand the security environment of the companies they invest in?
The investigation and the subsequent SEC disclosure guidance are directed at protecting investors and encouraging companies to assess their risks and the impact of those risks on company operations, liquidity, and financial condition. Insurance was also considered, both in the investigation and in the subsequent SEC guidance, as a potential “risk transfer” benefit to companies.
Key Elements of the SEC Guidance
The guidance identifies cyber risks and incidents as potential material information to be disclosed under existing securities law disclosure requirements and accounting standards. While the disclosure guidance states it represents the views of the Division of Corporation Finance and is “not a rule, regulation or statement of the Securities and Exchange Commission,” companies can now expect the SEC to review their filings to see whether cyber risks and incidents are adequately disclosed.
The disclosure guidance identifies factors for companies to consider in determining if they have a cyber security risk that should be disclosed under existing requirements. The company should review its:
• Prior cyber incidents.
• Business operations and outsourced functions that have material cyber risks.
• Potential costs and consequences of cyber risks.
• Relevant insurance coverage purchased by the company to address its exposures.
Risk Factor Disclosure
The SEC’s guidance says that the overall standard that companies should use is if such risk is among the “most significant” factors that would make an investment in the company “speculative or risky.” The disclosure guidance identifies factors companies should take into account in determining whether disclosure should be made, including:
• Prior cyber incidents (including their frequency and severity).
• Probability of cyber incidents occurring and their potential magnitude (customer data breaches but also industrial espionage, data corruption, or operational disruption).
• Adequacy of preventive actions taken to reduce cyber risks.
The guidance is careful that disclosure requirements not become a road map for hackers or other outside perpetrators, and that disclosures not contain information that could itself compromise security. Rather, it provides a list of disclosure examples for use when disclosure to investors is necessary:
• Aspects of the company’s operations or business that give rise to material cyber security risks, and the potential costs and consequences of such risks.
• Outsourced functions that have material cyber security risks and how the company addresses them.
• Identification of risks related to cyber incidents that may remain undetected for a long time.
• Relevant insurance coverage.
Examples of other disclosures discussed in the disclosure guidance that may be required include:
• Material pending lawsuits or regulatory investigations involving a cyber incident.
• Major costs incurred to prevent a cyber attack.
• Costs incurred in mitigation of damages following a cyber incident, such as “brand incentives” offered to customers to maintain business relationships (e.g., free services or products).
• Disclosure of losses that are “probable and reasonably estimable,” or even “reasonably possible,” following a cyber attack (e.g., losses related to warranties, breach of contract, product recall and replacement, and indemnification of counterparty losses from remediation efforts).
The disclosure guidance also states that cyber security risks and incidents should be addressed in Management’s Discussion and Analysis of Financial Condition and Results of Operations if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent:
• A material event.
• A trend.
• An uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition, or that would cause reported financial information not to be necessarily indicative of future operating results or financial condition.
Risk Message to the Board
The SEC guidance is not the last word, but part of a trend in law and regulation worldwide that requires the board of directors and senior executives to manage cyber risks at the enterprise level, with resources and commitment. On our current radar are the bill pending in Congress regarding cyber security of critical U.S. infrastructure industries and the proposed new EU data protection regulations.
Lack of senior management and board involvement and transparency will not be a successful strategy for companies on this issue. The circle has been closed between the company, its cyber risks, and investors. Companies that have not focused on cyber security exposures and the financial ramifications of possible losses to themselves and their directors and officers must do so now, not at some indefinite date in the future. Although the focus of the SEC is publicly traded companies, private companies can face claims from their investors as well.
The guidance creates a balancing act between disclosures of risk to investors vs. the possibility that disclosure could compromise security. Directors and officers are in a difficult position and could be held responsible for going too far in one direction or the other. It is unclear whether compliance with the SEC guidance will provide directors and officers with a defense in shareholder derivative litigation. However, failure to follow it at all will certainly be adverse to defenses against such action.
Insurance for cyber risks can no longer be safely viewed as an optional purchase when a company has the means to buy it. The guidance specifically focuses on financial risks, financial risk transfer, and the availability of insurance. It may lead shareholders to claim that directors and officers breached their fiduciary duty if they did not investigate and obtain coverage.
It is also appropriate for risk professionals to consider the use of their captive to fund large policy retentions or insure aspects of cyber risks for which adequate insurance may not be available. Areas that may require more creative insurance solutions (combining various techniques of risk transfer) include loss of intellectual property and disruption of computer networks.
Crossover to Directors’ and Officers’ Liability Claims
Shareholder rights groups and plaintiffs’ firms are already scrutinizing disclosures and public filings in light of every known data breach event and will consider filing shareholder class actions, breach of fiduciary duty claims, and/or derivative claims, whether the event affects the company’s stock price or not. The bottom line is that we expect to see an increasing trend in D&O claims filed as a result of data breach events, failure of the board and senior management team to prevent breaches, and lack of adequate disclosure surrounding such events.
D&O underwriters are fully aware of the guidance. Questions on cyber risk governance and cyber risk insurance are now commonplace in D&O underwriting meetings. Examples of questions that may be asked by D&O underwriters include:
• Have you experienced a material breach event?
• What was the outcome of such an event?
• Have you been the subject of regulatory investigations as a result of a cyber incident?
• What steps has the company taken to prevent potential incidents?
• How have you changed your public disclosures as a result of the new guidance?
• Has the board been briefed on cyber risk management and disclosure requirements?
• Do you purchase cyber risk insurance?
Clearly, the SEC’s new guidance has heightened the responsibility to analyze exposure to cyber threats and how future events are disclosed to the public. That responsibility has now been placed squarely in the boardroom.
Practical Advice
Review and amend risk factor disclosures in financial reporting documents; review disclosure controls and procedures in light of company-specific cyber security risks.
As a result of the new SEC guidance, public companies should carefully consider the magnitude and types of cyber security risks the company faces. Risk factors will differ among industries, and companies should in no way rely on boilerplate disclosures. Rather, the company should work with all necessary internal and external parties to evaluate and disclose risks appropriately.
Establish a cross-functional risk committee approach.
Cyber security is a cross-functional risk involving many disciplines, including information technology, risk management, legal, internal audit, procurement, finance, and operations. The SEC guidance will require better communication, risk analysis, meaningful projects, and interaction to improve controls. Risk management should play a significant role not only in the procurement of insurance, but in risk advice, analysis, and support, bringing all disciplines within the company together.
Initiate a process to review cyber risk insurance and other risk transfer options.
Risk managers, legal counsel, and others must make it a priority to educate the senior management team and the board so they understand the risk transfer options available, ranging from traditional insurance vehicles to the use of captive insurers. In addition, the management team and board should be briefed on breach response procedures and how the company will react in the event of a security breach, whether insurance is put in place or not.
Prepare for a much deeper inquiry by D&O underwriters.
As discussed previously, D&O underwriters will be asking more questions related to cyber risk breaches, disclosures, insurance, and breach response preparation. Traditionally, D&O insurers want to meet with risk management, legal, and financial officers such as the treasurer or chief financial officer. Given the heightened risk and the new guidance, it may be prudent and necessary to involve someone from information technology in D&O renewal meetings, especially if the company has actually experienced a security breach.
Describe cyber incidents or cyber breaches as they happen.
If an incident occurs resulting in material costs or consequences (remediation costs, increased prevention efforts, or brand damage) that may indicate material future cyber security uncertainties, trends, or events, it must be disclosed and described in “Management’s Discussion and Analysis of Results of Operations.” Disclosures in other sections of a company’s financial reports (for example, “Risk Factors” or “Legal Proceedings”) will likely be required as well. Significant attacks may even warrant current reporting on a Form 8-K notifying shareholders of a material event or a press release. Cyber security risks and events may impact a company’s financial statements, and companies should discuss with their auditors costs for prevention, remediation, loss recognition and/or loss mitigation, and how they would be classified. These disclosures should occur in real time as they happen.
Lockton Resources
Lockton has been a leader in presenting cyber risks much the same way we do in D&O underwriting meetings: through “investor-type” briefings rather than lengthy applications.
Lockton’s team of resources—your Account Executive, Lockton Financial Services, and Lockton’s Technology and Global Privacy Practice—are here to help and support your cyber risk management efforts as well as provide custom D&O solutions in this ever-changing market.
Footnote
1 Available at: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
About the Authors
Emily Freeman
Emily is an Executive Director and leads the Lockton Technology Risk Practice Group in London. Emily has been a pioneer in developing many cyberspace, technology, and professional service products. She is a frequent speaker and writer for professional publications regarding her areas of expertise.
William Boeck
Bill is Senior Vice President and Insurance & Claims Counsel with Lockton Financial Services and Lockton’s Global Technology and Privacy Practice. Bill serves as Lockton’s senior legal and claims resource worldwide on D&O, cyber risk, and other financial lines policies. He is an attorney with more than 25 years of experience handling insurance claims and creating policy wordings.
Chris McBee
Chris is a Senior Vice President and Financial Services Unit Manager for Lockton’s Dallas office. He has more than 20 years of insurance industry experience focused on complex financial services programs for publicly traded or large private companies, including D&O, professional liability, cyber risk, employment practices liability, fiduciary liability, alternative risk placements, and complex claims resolution.
Our Mission
To be the worldwide value and service leader in insurance brokerage, employee benefits, and risk management
Our Goal
To be the best place to do business and to work
www.lockton.com
© 2012 Lockton, Inc. All rights reserved. Images © 2012 Thinkstock. All rights reserved.