Since the start of the pandemic, cybercriminals have become increasingly brazen. An unfortunate byproduct of these emboldened criminals is that fallout from their cyberattacks has become increasingly public, disruptive, and detrimental to public and private companies.
Board members are rightfully concerned, since both the company and its officers and directors may face liability following a cyberattack, including board turnover, shareholder derivative claims, consumer lawsuits, and now—more frequently—regulatory enforcement actions. Fortunately, cyber insurance and directors and officers (D&O) liability insurance can help mitigate these liabilities.
Why Should the C-Suite and Board Care About Cyberattacks?
IBM Security and the Ponemon Institute's 2021 report on the cost of a data breach found that the average cost of a data breach in the United States is $9.05 million—significantly higher than the global average cost of a data breach, $4.24 million.
Cyberattacks have become an unavoidable business risk. Board members and the C-suite must prepare to deal with the potential ramifications of an attack, including loss of business and/or consumer data; interruption to business operations, often on a global scale; investigation and response costs; reporting and notice obligations; consumer and/or shareholder suits; potential ransom payments; increased public scrutiny; and damage to the company's reputation and the public's trust.
Perhaps even more worrisome, federal and state regulators have begun to crack down on companies' cybersecurity disclosures. For example, in February 2018, the Securities and Exchange Commission (SEC) published a statement and guidance on public company disclosures, noting that, due to the "frequency, magnitude, and cost of cybersecurity incidents, the commission believes it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion."
Previously, the SEC had fined public issuers for failure to disclose known breaches within two years of discovery. In June 2021, however, the SEC went one step further and fined a company more than $485,000 for its failure to maintain adequate disclosure procedures and controls. The SEC's enforcement action against First American Financial Corporation was related to a vulnerability discovered by a cybersecurity journalist on May 24, 2019. First American disclosed the incident to the SEC in a Form 8-K four days later. Despite the seemingly prompt disclosure, the SEC concluded that the company had failed to maintain required disclosure controls and procedures because First American had failed to inform its senior executives that the company's own information security personnel had identified the vulnerability several months earlier and had failed to remediate it.
Then, in August 2021, the SEC announced that Pearson plc had agreed to pay a $1 million fine to settle charges that it had repeatedly misled its investors about a 2018 cyberattack that involved the theft of student records, including dates of birth and email addresses. In this action, the SEC similarly alleged that Pearson had inadequate disclosure controls and procedures.
The increased regulatory scrutiny of cyber incidents is not limited to the SEC. In early 2017, the New York Department of Financial Services (NY DFS) promulgated 23 NYCRR Part 500, which established cybersecurity requirements for certain financial services companies and required them to adopt programs to protect consumers' private information. First American was the first company charged under this regulation, in relation to the same vulnerability at issue in the June 2021 SEC action. Though the First American action has not yet been heard, and a second amended statement of charges was recently filed, the NY DFS recently fined another entity, Residential Mortgage Services, $1.5 million in connection with violations of 23 NYCRR Part 500.
The SEC and NY DFS's recent conduct makes clear that federal and state regulatory agencies are increasingly scrutinizing corporate response to cyberattacks and initiating enforcement actions based on how companies' directors, officers, and information security personnel respond to cyber threats.
These are just a few examples—the Federal Trade Commission (FTC) regularly investigates and takes enforcement action against companies that fail to live up to promises to consumers that they will safeguard their personal information. For example, Equifax, Inc. agreed to pay $575 million to $700 million as part of a global settlement with the FTC, Consumer Financial Protection Bureau (CFPB), and 50 U.S. states and territories to settle allegations that it failed to take reasonable steps to secure its network, leading to the widely publicized 2017 data breach that affected 147 million people.
Given the rash of ransomware and other cyberattacks in 2021, companies should anticipate that government agencies and regulators will take a more active role in the future. Indeed, potentially signifying further focus on corporate response to cyberattacks, the SEC in June 2021 conducted an enforcement sweep of SolarWinds customers following the public disclosure of a major cyberattack. The SEC sent information requests to issuers and other regulated entities, in which it offered amnesty for reporting failures (subject to limitations) and asked for information about previously undisclosed compromises.
How Can Cyber and D&O Insurance Help Protect the C-Suite and Board?
When purchasing or renewing cyber and D&O insurance, companies must look at their program as a whole to ensure that there are no gaps in coverage for liabilities that directors, officers, and the company may face in the aftermath of a cyberattack. While cyber, D&O, and other liability insurance policies are meant to work together, the actual coverage afforded across a company's insurance program can lead to a patchwork of policies resulting in significant coverage limitations or, even worse, critical gaps in protection for cyber-related exposures.
The following are a few of the key issues and gaps that corporate policyholders should look out for in renewing or procuring a cyber policy:
- Liability coverage should be triggered by not only suits and arbitration proceedings, but also formal and informal investigations.
- Policies should cover fines and penalties. To help avoid an insurer's argument that such fines or penalties are uninsurable and thus not covered, corporate policyholders should negotiate a "most favored jurisdiction" clause, such as one stating that civil fines or penalties will be covered where insurable by the applicable law that most favors coverage.
- Any exclusions for violations of securities laws should contain an express exception for claims arising out of a privacy event or a failure to disclose a cyber incident in violation of breach notification laws.
- Exclusions for unfair trade practices or FTC actions should similarly be carved back so as to not apply to regulatory actions or claims arising out of an otherwise covered cyberattack.
- Policyholders should also consider optional coverages, such as reputation loss coverage and public relations and crisis management coverage, to help mitigate the fallout from any cyberattack.
The company's D&O insurance should complement its cyber insurance coverage. A major cyber incident may exhaust the available limits of cyber insurance, so it is imperative to ensure that the D&O policy does not contain a cyber exclusion and will respond to traditional D&O risks, even those arising out of a cyber event.
If D&O insurers will not remove exclusions for claims arising out of cyber or privacy incidents, public companies should try to carve back at least some coverage, such as for securities claims. Corporate policyholders should also request that affirmative coverage for investigations be added to the D&O policy, including for investigations of the company and not just investigations of directors and officers.
For both cyber and D&O coverage, policyholders should also:
- Review terrorism or war exclusions to make sure they cannot be used by an insurer to deny coverage for common cyberattacks. Companies should request that any terrorism and war exclusions contain exceptions for cyberterrorism.
- Ensure that contractual liability exclusions contain carveouts for liability that would exist in the absence of the contract. Many companies are required to make contractual representations or warranties on cybersecurity programs or standards as part of contracts with clients and vendors, and these representations may be alleged in a suit following a cyberattack. Consumers also often assert quasi-contract theories of liability regarding safeguarding of data.
- Make sure that exclusions for bodily injury or invasion of privacy are carved back so that they do not apply to otherwise covered claims arising out of a privacy breach. Exclusions for bodily injury should expressly contain a carveout for emotional distress arising out of a breach.
- Assess intellectual property (IP) exclusions to ensure that broadly defined exclusions covering patents, trade secrets, or other IP could not be triggered if bad actors were to hack a company for the purpose of gaining access to the company's IP portfolio. Similar to contractual liability exclusions, careful attention must be given to IP exclusions and how they may be triggered based on exfiltration of client-side data possessed by third parties.
- Evaluate any exclusions, especially in D&O and professional liability policies, that reference a failure to maintain "adequate" insurance, which can operate in the same manner as an explicit cyber exclusion where a company is alleged to have failed to procure (or to have procured inadequate) cyber coverage.
These potential coverage gaps are just a few of the traps for the unwary director, officer, or company. Businesses are best served by working with experienced insurance coverage counsel and insurance brokers to analyze coverage and fill any gaps with appropriate endorsements at renewal.
Andrea DeField is a partner in Hunton Andrews Kurth's Miami office.
Geoffrey Fehling is a counsel in the Boston office.
Sima Kazmir is an associate in the New York office.
From: Corporate Counsel
© Touchpoint Markets, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.