Cyber Risks Connect With Directors and Officers

Transcription

1 Cyber Risks Connect With Directors and Officers Implications of the New SEC Guidance on Cyber Security February 2012 Lockton Companies, LLC The Securities and Exchange Commission (SEC) has changed the cyber security playing field for directors and officers. No less than the Chairman of the U.S. Senate s Commerce Committee has said that the new guidance issued by the SEC fundamentally changes the way companies will address cyber security in the 21st century. He is right! For the past five years, IT security, privacy legal professionals, and internal audit have focused on direct and indirect cyber risks. At Lockton, we have seen increasing inquiries from insurance and risk management professionals for advice and insurance. The SEC s guidance will now require company directors and officers to pay increased attention, too. EMILY FREEMAN Executive Director Technology and Media Risks emily.freeman@uk.lockton.com WILLIAM BOECK Senior Vice President Insurance & Claims Counsel wboeck@lockton.com CHRIS McBEE Senior Vice President Financial Services Unit Manager cmcbee@lockton.com If the business such as a financial institution, retailer, or healthcare provider requires the collection and use of personal financial or healthcare information, many senior executives are already aware of the liability, brand, and financial costs of data breaches. But are cyber risks just the concern of companies that deal directly with the consumer? The SEC guidance issued in October 2011 paints a different picture, or perhaps a target, on the board of directors. It makes the boards of directors of publicly traded companies responsible for L O C K T O N C O M P A N I E S, L L C

2 assessing their company s exposure to cyber risks, the procedures they take, and costs they incur in preventing cyber incidents. Companies must disclose this information to investors. The guidance is detailed about what needs to be disclosed. The list is long. The guidance does not impose a new legal requirement, but that does not minimize its impact. The disclosure guidance issued on October 13, 2011 (the Disclosure Guidance), by the Division of Corporation Finance of the Securities and Exchange Commission (SEC) can be found here. 1 In a world where cyber events are increasingly common, shareholders and the lawyers who represent them will be assessing whether disclosures are adequate in their view. When a company experiences a cyber event, its directors and officers may well find themselves in shareholder lawsuits that seek to impose liability for breaches of fiduciary duties, to assure that the company is adequately prepared for such an event, and to disclose the risks of such events to investors. The SEC s guidance arguably creates a road map for aggrieved shareholders, and the disclosures will create significant risks for directors and officers. So what impact does it have on board governance? And is this expanding our notion of cyber risks beyond consumer-facing companies? The Congressional Impetus Behind the Guidance Although the Department of Homeland Security has departmental focus and executive support for improving cyber security of U.S. critical infrastructure industries, the SEC guidance is driven by congressional concerns. The disclosure guidance follows in the wake of a letter in May 2011 to the SEC from five members of the Senate, including John D. Rockefeller IV, Chairman of the U.S. Senate Committee on Commerce, Science, and Transportation. That letter expressed concern that a substantial number of companies do not report their information security risk to investors, and that once a material network breach has occurred, leaders of publicly traded companies may not fully understand their affirmative obligation to disclose information... As a result, the Senators requested that the SEC publish interpretative guidance clarifying existing disclosure requirements pertaining to information security risk... This letter was the culmination of a 15-month investigation by the U.S. Senate Commerce Committee, kicked off by a question, Should the SEC issue a regulation requiring companies to disclose breaches; why or why not? The investigation examined what companies were or not reporting, what the SEC role is or could be, and could there be a positive impact not only on the cyber security of companies, but on the U.S. as a whole? It is relatively easy for investors to see major public operational disruptions from customer data breaches. 2

3 February 2012 Lockton Companies, LLC The well-publicized breaches involving T.J. Maxx and the Sony PlayStation are good examples. Class action lawsuits, notification of data breaches to customers, and privacy regulatory investigations are also public events. The Commerce Committee s investigation focused on something more difficult to see. How can companies or investors measure or even discover the theft or unauthorized disclosure of corporate sensitive data, research and development, scientific studies, and trade secrets? If a company s market capitalization and revenues are based upon its know-how, intellectual capital, and research, what would the company be worth if it were the victim of hackers or industrial espionage by person or governments? Do investors understand the security environment of the companies they invest in? The investigation and subsequent SEC disclosure guidance is directed at protecting investors and encouraging companies to assess their risks and their impact on company operations, liquidity, and financial condition. Insurance was also considered as well in the investigation and in the subsequent SEC guidance as a potential risk transfer benefit to companies. Key Elements of the SEC Guidance The guidance identifies cyber risks and incidents as potential material information to be disclosed under existing securities law disclosure requirements and accounting standards. While the disclosure guidance states it represents the views of the Division of Corporation Finance and is not a rule, regulation or statement of the Securities and Exchange Commission, companies can now expect the SEC to review their filings to see whether cyber risks and incidents are adequately disclosed. The disclosure guidance identifies factors for companies to consider in determining if they have a cyber security risk that should be disclosed under existing requirements. The company should review its: Prior cyber incidents. Business operations and outsourced functions that have material cyber risks. Potential costs and consequences of cyber risks. Relevant insurance coverage purchased by the company to address its exposures. The guidance is detailed about what needs to be disclosed. The list is long. 3

4 The SEC s guidance arguably creates a road map for aggrieved shareholders, and the disclosures will create significant risks for directors and officers. Risk Factor Disclosure The SEC s guidance says that the overall standard that companies should use is if such risk is among the most significant factors that would make an investment in the company speculative or risky. The disclosure guidance identifies factors companies should take into account in determining whether disclosure should be made, including: Prior cyber incidents (including their frequency and severity). Probability of cyber incidents occurring and their potential magnitude (customer data breaches but also industrial espionage, data corruption, or operational disruption). Adequacy of preventive actions taken to reduce cyber risks. The guidance is sensitive that disclosure requirements not become a road map to assist hackers or outside perpetrators and that disclosures not contain potential compromising information of that nature. Rather, it provides a list of disclosure examples in the event that disclosure to investors is necessary: Aspects of the company s operations or business that give rise to material cyber security risks, potential costs of such, and consequences. Outsourcing functions that have material cyber security risks and how the company addresses such. Identification of risks related to cyber incidents that may remain undetected for a long time. Relevant insurance coverage. Examples of other disclosures discussed in the disclosure guidance that may be required include: Material pending lawsuits or regulatory investigations involving a cyber incident. Major costs incurred to prevent a cyber attack Costs incurred in mitigation of damages following a cyber incident, such as brand incentives offered to customers to maintain business relationships (e.g., free services or products). Disclosure of losses that are probable and reasonably estimable, or even reasonably possible following a cyber attack (e.g., losses related to warranties, breach of contract, product recall and replacement, and indemnification of counterparty losses from remediation efforts). The disclosure guidance also states that cyber security risks and incidents should be addressed in Management s Discussion and Analysis of Financial Condition and Results of Operations if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent: A material event. A trend. Uncertainty that is reasonably likely to have a material effect on the registrant s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition. 4

5 February 2012 Lockton Companies, LLC Risk Message to the Board The SEC guidance is not the last word, but a trend of law and regulation worldwide that requires the board of directors and senior executives to manage cyber risks at the enterprise level with resources and commitment. On our current radar is the bill pending in Congress regarding cyber security of critical U.S. infrastructure industries as well as the proposed new EU data protection regulations. Lack of senior management and board involvement and transparency will not be a successful strategy for companies on this issue. The circle has been closed between the company, its cyber risks, and investors. Companies that have not focused on cyber security exposures and the financial ramifications of possible losses to themselves and their directors and officers must do so now, not at some indefinite date in the future. Although the focus of the SEC is publicly traded companies, private companies can face claims from their investors as well. The guidance creates a balancing act between disclosures of risk to investors vs. the possibility that disclosure could compromise security. Directors and officers are in a difficult position and could be held responsible for going too far in one direction or the other. It is unclear whether compliance with the SEC guidance will provide directors and officers with a defense in shareholder derivative litigation. However, failure to follow it at all will certainly be adverse to defenses against such action. Insurance for cyber risks can no longer be safely viewed as an optional purchase when a company has the means to buy it. The guidance specifically focuses on financial risks, financial risk transfer, and the availability of insurance. It may lead shareholders to claim that directors and officers breached their fiduciary duty if they did not investigate and obtain coverage. It is also appropriate for risk professionals to consider the use of their captive to fund large policy retentions or insure aspects of cyber risks for which adequate insurance may not be available. Areas that may require more creative insurance solutions (combining various techniques of risk transfer) include loss of intellectual property and disruption of computer networks. Crossover to Director s and Officer s Liability Claims Shareholder rights groups and plaintiffs firms are already scrutinizing disclosures and public filings in light of every known data breach event and will consider filing shareholder class actions, breach of fiduciary duty claims, and/or derivative claims, whether the event affects the company s stock price or not. The bottom line is that we expect to see an increasing trend in D&O claims filed as a result of data breach events, failure of the board and senior management team to prevent breaches, and lack of adequate disclosure surrounding such events. D&O underwriters are fully aware of the guidance. Questions on cyber risk governance and cyber insurance risk insurance are now commonplace in D&O underwriting meetings. Examples of questions that may be asked by D&O underwriters include: Have you experienced a material breach event? 5

6 What was the outcome of such an event? Have you been the subject of regulatory investigations as a result of a cyber incident? What steps has the company taken to prevent potential incidents? How have you changed your public disclosures as a result of the new guidance? Has the board been briefed on cyber risk management and disclosure requirements? Do you purchase cyber risk insurance? Clearly, the SEC s new guidance has heightened the responsibility to analyze exposure to cyber threats and how future events are disclosed to the public. That responsibility has now been placed squarely in the boardroom. Practical Advice Review and amend risk factor disclosures in financial reporting documents; review disclosure controls and procedures in light of companyspecific cyber security risks. As a result of the new SEC guidance, public companies should carefully consider the magnitude and types of cyber security risks the company faces. Risk factors will differ among industries, and companies should in no way rely on boilerplate disclosures. Rather, the company should work with all necessary internal and external parties to evaluate and disclose risks appropriately. Establish a cross-functional risk committee approach. Cyber security is a cross-functional risk involving many disciplines, including information technology, risk management, legal, internal audit, procurement, finance, and operations. The SEC guidance will require better communication, risk analysis, meaningful projects, and interaction to improve controls. Risk management should play a significant role not only in the procurement of insurance, but in risk advice, analysis, and support, bringing all disciplines within the company together. Initiate a process to review cyber risk insurance risk transfer options. Risk managers, legal counsel, and others must make it a priority to educate the senior management team and the board so they understand the risk transfer options available, ranging from traditional insurance vehicles to the use of captive insurers. In addition, the management team and board should be briefed on breach response procedures and how the company will react in the event of a security breach, whether insurance is put in place or not. Prepare for a much deeper inquiry by D&O underwriters. As discussed previously, D&O underwriters will be asking more questions related to cyber risk breaches, disclosures, insurance, and breach response preparation. Traditionally, D&O insurers want to meet with risk management, legal, and financial officers such as the treasurer or chief financial officer. Given the heightened risk and the new guidance, it may be prudent and necessary to involve someone from information technology in D&O renewal meetings, especially if the company has actually experienced a security breach. 6

7 February 2012 Lockton Companies, LLC Describe cyber incidents or cyber breaches as they happen. If an incident occurs resulting in material costs or consequences (remediation costs, increased prevention efforts, or brand damage) that may indicate material future cyber security uncertainties, trends, or events, it must be disclosed and described in Management s Discussion and Analysis of Results of Operations. Disclosures in other sections of a company s financial reports (for example, Risk Factors or Legal Proceedings ) will likely be required as well. Significant attacks may even warrant current reporting on a Form 8-K notifying shareholders of a material event or a press release. Cyber security risks and events may impact a company s financial statements, and companies should discuss with their auditors costs for prevention, remediation, loss recognition and/or loss mitigation, and how they would be classified. These disclosures should occur in real time as they happen. Lockton Resources Lockton has been a leader in presenting cyber risks much the same way we do with D&O underwriting meetings, through investor-type briefings, rather than lengthy applications. Lockton s team of resources your Account Executive, Lockton Financial Services, and Lockton s Technology and Global Privacy Practice are here to help and support your cyber risk management efforts as well as provide custom D&O solutions in this ever-changing market. Footnote 1 Available at: About the Authors Emily Freeman Emily is an Executive Director and leads the Lockton Technology Risk Practice Group in London. Emily has been a pioneer in developing many cyberspace, technology, and professional service products. She is a frequent speaker and writer for professional publications regarding her areas of expertise. William Boeck Bill is Senior Vice President and Insurance & Claims Counsel with Lockton Financial Services and Lockton s Global Technology and Privacy Practice. Bill serves as Lockton s senior legal and claims resource worldwide on D&O, cyber risk, and other financial lines policies. He is an attorney with more than 25 years of experience handling insurance claims and creating policy wordings. Chris McBee Chris is a Senior Vice President and Financial Services Unit Manager for Lockton s Dallas office. He has more than 20 years of insurance industry experience focused on complex financial services programs for publicly traded or large private company programs, including D&O, professional liability, cyber risk, employment practices liability, fiduciary liability, alternative risk placements, and complex claims resolution. 7

8 Our Mission To be the worldwide value and service leader in insurance brokerage, employee benefits, and risk management Our Goal To be the best place to do business and to work Lockton, Inc. All rights reserved. Images 2012 Thinkstock. All rights reserved. g\white paper\freeman, boeck, mcbee\2012\cyber guidance.indd