

Cyber risk has the C-Suite’s attention
February 25, 2022
By Tricia Melly and Danielle Roth
Executives are more aware than ever that their companies need to take action to avoid class actions, claims, and more.
After a number of significant ransomware attacks and software vulnerabilities were publicly disclosed in 2020 and 2021, pushing cybersecurity onto the front page, federal and state regulators have taken a much more proactive approach to cybersecurity regulation.
In May 2021, President Biden signed an executive order establishing baseline cybersecurity standards for U.S. agencies and software contractors, mandating multifactor authentication, endpoint detection and response, data encryption, a skilled internal security team, as well as regular system tests, data backups and a software update and patching program.
In June 2021, Anne Neuberger, cybersecurity adviser at the National Security Council, sent an open letter to corporate executives and business leaders warning them to step up security measures to protect against ransomware attacks, reiterating the best practices from the May 2021 Executive Order.
After the Log4j software vulnerability was disclosed in December 2021, the Federal Trade Commission (“FTC”) warned companies that a failure to mitigate known software vulnerabilities may violate various laws, including the Federal Trade Commission Act and the Gramm-Leach-Bliley Act.
Given recent enforcement activities, it is not surprising that executives are expressing concern about cyber risk. In fact, CEOs named cyber risk as a top threat in 2022, according to a recent PwC survey. In the firm’s annual CEO survey, cyber risk topped the list of concerns for 49 percent of respondents, followed by health risks (48 percent) and macroeconomic volatility such as inflation and GDP changes (43 percent). In light of the regulatory requirements discussed above and potential new regulations on the horizon, it is also unsurprising that financial services CEOs reported being the most worried about cyber incidents affecting their business.
Given the rash of ransomware and other cyber-attacks in 2021, the more active role taken by government agencies and regulators in encouraging companies to step up their cybersecurity efforts was not unexpected.
In addition to the above, the Securities and Exchange Commission (SEC), which already had data protection and other security requirements in place for the financial entities it regulates, recently proposed more ambitious cybersecurity regulations. These financial entities, such as investment companies, investment advisers, and business development companies (funds), are considered part of society’s vital infrastructure and remain valuable targets for cybercriminals.
Stepping up regulations
State and federal regulators have enhanced reporting requirements, including the timing, details, and efficacy of a company’s cybersecurity disclosures. In 2018, the SEC published a statement and guidance on public company disclosures which noted that because of the “frequency, magnitude and cost of cybersecurity incidents, the commission believes it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion.”
In mid-2021, the SEC announced settled charges against First American Financial Corporation, a real estate settlement services company, for violations related to a cybersecurity vulnerability that exposed sensitive customer information. The SEC found that the vulnerability was not remediated after internal IT professionals discovered it, that internal escalation procedures were not followed, and that as a result the company filed an inaccurate Form 8-K months after the vulnerability was first identified.
Also in mid-2021, the SEC began looking into the impact of the widely reported SolarWinds compromise, sending letters to hundreds of companies that may have downloaded the compromised SolarWinds software update and asking for records relating to that incident as well as “any other” data breach or ransomware attack since 2019.
A growing concern
Many companies that experience a cyber incident may also face securities or derivative litigation. In addition to allegations regarding the timing of the incident’s discovery and its public disclosure, shareholders may allege misstatements or omissions concerning the company’s overall cybersecurity, or the adequacy of the company’s post-incident processes and procedures for limiting impact and for getting information to top executives and the board.
While a cyber insurance policy may provide coverage for remediation costs in the event of a breach, it does not provide coverage for a securities-related matter, even one arising out of a cybersecurity incident. Because such claims would in most cases be brought by shareholders, they would likely fall under a directors & officers (D&O) liability policy. To be properly prepared, companies should therefore pay careful attention to their insurance portfolio and to how the various coverages would respond to a cyber incident.
A team effort
In addition to having the right insurance policies in place, having the right cybersecurity policies and procedures in place is vitally important. Fortunately, access to pre-vetted vendors and service providers is often a valuable part of cyber insurance coverage and can help in assessing a company’s current security posture, recommending enhancements and, of course, addressing a breach should one occur. This type of preparedness will also help defend executives and the board against allegations that cybersecurity received too little attention at the top of the company, should a securities or derivative claim follow a breach.
AXA XL clients have access to a new Cyber Incident Response team which can examine a company’s policies and protocols prior to any incident. The AXA XL Cyber Incident Response team works with organizations to connect them with the right law firm, forensics team, and other incident responders to help companies establish appropriate incident response procedures and to ensure that they are ready to execute these plans in the event of a cyber incident.
Additionally, to protect the board from breach-of-duty or oversight claims, companies should carefully and regularly review the board’s practices for minimizing cybersecurity risk. Practices a board may consider include regular review of existing cybersecurity systems, including discussion of potential enhancements, establishing a cybersecurity committee, and ensuring that directors thoroughly understand the company’s cybersecurity and data privacy policies and protections.
The importance of being prepared for a cyberattack is reinforced by the regulators’ push to ensure that consumer information is being adequately protected. Cybersecurity is an organization-wide responsibility and requires multiple teams at a company to work together.
In order for organizations to meet regulatory requirements and protect themselves, it is paramount to have an incident response plan in place that includes an escalation process up to the board level, and a plan for timely disclosure that starts when a problem is first spotted. These types of incidents need the full attention of the company leaders, board, and officers. C-suite executives are wise to engage now with cyber experts to better prepare their organization for a cyberattack, having plans in place that can minimize financial impacts and possibly avoid costly lawsuits down the road.
About the authors
Part of AXA XL’s North America claims team, Tricia Melly is Head of Professional Claims and Danielle Roth is Head of Cyber & Technology Claims.