Cyber Risk–Are You Insured?
It’s been about two years since the SEC’s Division of Corporation Finance issued its much publicized guidance regarding cyber security disclosure (see CF Disclosure Guidance: Topic No. 2). You may recall that Corp Fin concluded that existing disclosure requirements (risk factors, MD&A, legal proceedings, financial statements) already cover cyber security sufficiently, meaning that no rule changes or additions were needed or proposed. The staff stated, however, that so many companies now rely on digital technologies, and that cyber attacks and accidents are now so pervasive, that cyber security disclosure deserves special guidance.
Most public companies assessed their operations in early 2012 in response to the SEC’s guidance, determined the extent of their cyber risk and, depending on their circumstances, included a risk factor in their Form 10-K. But it appears, based on public filings, that very few companies have carefully evaluated the extent to which their insurance covers the costs associated with cyber risk.
The costs of a cyber security breach…
In its guidance, Corp Fin identified the following potential costs and consequences of a cyber security breach:
- Remediation, including liability to third parties, system repair and business and reputation recovery,
- Increased protection costs, including organizational changes, additional personnel and technologies, training and third party experts and consultants,
- Lost revenue,
- Litigation and
- Reputational damage among customers and investors.
Insurance—the overlooked disclosure…
The staff also listed examples of cyber risk disclosure that might be appropriate, depending on the circumstances. Most companies that provide cyber risk disclosure have addressed the first four points (see page three of the Guidance) reasonably well. Conversely, the fifth and final disclosure example is glaringly absent from most cyber risk disclosures:
“Description of relevant insurance coverage.”
If your cyber risk is covered by insurance (fully or partially), then that is important disclosure. It is likewise important (maybe more so) if it is not. If you assume coverage exists without knowing for sure, there could be serious consequences, such as:
- Inaccurate SEC disclosure,
- CEO/CFO Sarbanes-Oxley certification violations and
- Bottom line financial consequences.
Old insurance policies that have not been updated lately for the growth of cyber security issues may not provide the coverage you think they do, or may be open to interpretation (i.e., a nasty dispute with your insurer). The good news is that newer policies, while still evolving, are beginning to specifically address cyber risk, including such things as amount of coverage, scope of coverage (out-of-pocket costs and third party claims), jurisdiction of the cyber breach, type of breach (accidental, intentional, terrorist), and the like.
What to do…
With 10-K drafting and filing fast approaching for most companies, it’s well worth taking a few minutes to review your existing insurance policy to see if any coverage holes need to be filled or if any disclosure needs to be updated. And while you’re at it, it’s also a good idea to be sure your D&O policy adequately covers cyber security liability.
All the best,