Cybersecurity Disclosure Obligations Raise Insurance Coverage Questions
High-profile data breach events have hastened focus on sensitive data and whether a comprehensive approach to protecting it is being used. The magnitude and impact of these breaches have intensified, garnering media attention and highlighting gaps in policy, protocols and legal frameworks that are compounded by a rapidly evolving cyber-environment with new technologies that currently lack uniform security standards.
Guidance on disclosure obligations concerning cybersecurity threats issued by the SEC’s Division of Corporate Finance encourages companies to address their vulnerability and readiness to respond to business risks that are increasingly difficult to anticipate and manage.
Cybersecurity risks are typically associated with data misappropriation and corruption. However, the effects may be far broader in scope and impact, including issues such as misappropriation of assets, operational disruption and financial losses.
The guidance directs an ongoing review of the adequacy of disclosures related to cybersecurity risks and incidents in the context of a company’s management discussion and analysis, business description, legal proceedings, financial reporting and disclosure controls and procedures. Notably, insurance coverage was listed as a disclosure item.
Summary of the Recent Guidance
The high level guidance provides reference to existing rules, and in determining whether disclosure is warranted, it suggests companies consider risk factors such as:
- Prior cyber incidents and the severity and frequency of those incidents;
- The probability of cyber incidents occurring;
- Threatened attacks of which they are aware;
- The quantitative and qualitative magnitude of those risks, including potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption; and
- The adequacy of preventative actions taken to reduce cyber-related risks in the context of the industry in which they operate.
Where disclosure is appropriate, the guidance suggests the following subjects to consider regarding content of the disclosure:
- Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
- To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how it addresses those risks;
- Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Cyber incident risks that may remain undetected for an extended period; and
- Description of relevant insurance coverage.
A company need not reveal so much that disclosure creates an increased vulnerability.
Insurance Coverage Implications
The enhanced focus on cybersecurity risks is likely to trigger a similarly increased focus on a company’s use of insurance to mitigate risk, particularly in light of the specific reference to insurance coverage as an appropriate subject for disclosure.
The starting point is a company’s existing insurance placement, which may well provide some coverage for cyber incidents. In addition, the past few years have seen rapid growth in the market for cybersecurity policies that are being sold with various names such as “network security insurance” and “cyber-security insurance.”
These policies can provide first and third-party coverage for losses associated with cybersecurity incidents, such as costs for data restoration, crisis response, privacy notification and forensic investigation, as well as defense and indemnification arising out of cyber incidents, and business interruption.
New insurance products often see an uptick of coverage litigation as disputes involving new policy language arise and get tested in courts. As this market is still maturing, policy forms vary from insurer to insurer and lack standardization. Although any policy should be carefully studied prior to placement, this is particularly true here until more uniformity develops.
Here are some additional suggestions:
- Pay close attention to limits and sub-limits. Are they sufficient to fully respond to predictable cyber incidents that the company is trying to insure against?
- Consider whether it covers acts of vendors or customers. If the company provides confidential data to a third-party, or allows contractors to access its systems, then the insuring agreement should be broad and encompass losses caused by such third-parties.
- Do the company’s vendors or customers have appropriate coverage? If so, is the company covered as an additional insured on their insurance policies?
- Is coverage provided if data is simply destroyed but not used or disclosed?
- Does the insured have the right to select counsel? The company’s regular counsel may already be familiar with the company’s IT capabilities, personnel and related procedures. It may also make sense to retain counsel with specialized expertise in cybersecurity issues.
Potential coverage gaps deserve special attention. Suppose a cybersecurity incident affecting an industrial facility causes an environmental exposure. A gap may exist due to the potential convergence of two historical trends. Insurers have long inserted computer-related exclusions in commercial policies. Pollution exclusions are also routine, resulting in pollution coverage being limited.
Pollution coverage should be examined for IT-related exclusions. For example, the 2003 version of Insurance Services Office’s “Pollution Liability Limited Coverage Form” excludes coverage for: “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”
“Electronic data” includes stored information, programs, software and “any other media which are used with electronically controlled equipment.” Thus, a potential environmental incident “arising out of” the excluded IT perils may not be covered under a policy with a similar provision.
Conversely, many cyber insurance policies contain pollution exclusions for claims “alleging, arising out of, based upon or attributable to” the presence of pollutants, the actual or threatened discharge, release or escape of pollutants, or clean-up and response activities involving pollutants.
Careful thought regarding possible scenarios and a detailed policy review can identify potential problems to address. Given the division’s recent guidance, this rigorous analysis should become a priority.
Note: The U.S. Securities and Exchange Comm’n, CF Disclosure Guidance: Topic No. 2 — Cybersecurity (Dec. 14, 2011, 19:00 CST), may be found online.