THE C/EO PERSPECTIVE: WHAT YOU DON T KNOW WILL HURT YOU Cyber Liability in the Boardroom What you don t know will hurt you.
ABOUT JLT SPECIALTY JLT Specialty Insurance Services is the U.S. platform of JLT Group, the leading specialty business advisory firm. Our experts have deep industry and product experience serving the leading U.S. and global firms. Our client proposition is built upon our specialist knowledge, client advocacy, tailored advice and service excellence. Our culture reinforces the value of our people with teamwork and collaboration. Together, we place our clients first, champion independent thinking and expect to be judged on the results we deliver. ABOUT C/EO A key component of JLT Specialty s recent expansion of its US operations has been the formation of the Cyber and E&O Practice (C/EO), a team of motivated and skilled people who bring a wealth of experience in complex cyber and E&O placements and a proven track record of success in working with clients of all sizes. They are committed to growing a specialty business in the US market and are aligned with JLT Group s client-first culture and entrepreneurial drive. We pride ourselves on a pragmatic approach that leverages the Cyber and E&O Practitioners deep industry and product knowledge. This starts with an interactive exposure identification and priority discussion. We then transform this discussion into a risk transfer solution strategy, including proposed coverages, insurer partners and execution timeline.
The C/EO Perspective: What You Don t Know Will Hurt You 1 CYBER LIABILITY IN THE BOARDROOM When a company becomes the victim of a cyber breach, naturally fingers point in all directions the Chief Information Security Officer (if there is one) or the IT department in general; third party vendors that may have acted as an initial point of contact; foreign governments that have gained a reputation for hacking into competing companies; the Board. Wait the Board of Directors? Until recently, board accountability following a cyber breach was merely theoretical. In an ever evolving legal and regulatory environment, various theories of negligence and fault have been tested, in many cases unsuccessfully. The latest trend, however, puts even the Board at risk for liability stemming from a failure to protect their customers personal and financial information. Wyndham Worldwide has kept itself in the news following three data breaches over a period of 22 months, beginning in April 2008, resulting in the compromise of 600,000 records a relatively small community of victims based on 2014 standards. But Wyndham has taken an unprecedented approach in challenging, not the merits of the allegations, but the authority of the entity bringing regulatory action against them, namely the FTC. Following the FTC investigation and subsequent legal action, shareholders demanded, on two separate occasions, that the Board file suit against Wyndham officers for employing inadequate security controls. After the Board declined to bring suit a second time, the shareholder filed a derivative suit in February 2014. Ultimately, the court dismissed the suit with prejudice on the basis that the Board had conducted their due diligence and acted in the best interest of Wyndham. Though the Wyndham derivative suit was unsuccessful, it affirms the growing responsibility of the Board to actively engage in cyber security implementation. Wyndham was successful in dismissing the suit primarily because they had strong evidence to suggest that they were active in the breach response and cyber security conversation. How many Boards are employing the same due diligence before a breach occurs? With complex cyber issues threatening businesses of all sizes and sectors on a daily basis cited as 97% of all companies currently being hacked by FireEye CEO Dave DeWalt during a recent 60 Minutes segment - ignorance or lack of action is no longer a defense, and in fact, can expose a Board to liability. The failed derivative suit also acts as another example of how an established breach response plan, including third party assistance, can be the best defense against future liability. In another example, Heartland Payment Systems suffered a breach of a whopping 130 million records, discovered in early 2009, which is still considered to be the largest breach based on record count. Following disclosure of the breach, Heartland s stock plummeted 80%, prompting securities class action litigation. Though this suit was also dismissed for failing to meeting the pleading standards, it was aggressive in alleging that Heartland had made fraudulent statements during a 2008 earnings call, ultimately misleading investors regarding the state of their security controls. Nearly five years after the Heartland breach, and more than ten years since the first dedicated cyber insurance product was introduced, underwriters will candidly admit that they are still refining the questions and tools necessary to adequately evaluate exposure through a dedicated cyber underwriting effort, much less via the D&O placement, which in many cases has been a continuous renewal for several years. The SEC s attempt to incorporate clarity in financial statements regarding cyber security measures has actually done little to inform investors and other interested parties into the granular details necessary to assess a company s security measures.
2 The C/EO Perspective: What You Don t Know Will Hurt You According to the 2014 EY Global Information Security Survey, the second most critical, but overlooked foundational requirement of an organization without proper cyber security integration is to Get Board-level support for a security transformation. Redefine cybersecurity governance, e.g., realigning cybersecurity outside of the IT function and ensuring that the Board understands processes. Put another way, EY views Board support and collaboration to be as important as, and specifically, a fundamental principal along with, more commonly recognized practices like penetration testing, risk assessment and road mapping, continuity and incident response plans. Despite the dismissals, the Wyndham and Heartland lawsuits illustrate the potential litigation exposure arising out of a cyber breach to not only the company and its directors and officers, but also to its D&O insurers. Whereas coverage for the company under a public company D&O program is generally limited to claims alleging violations of securities laws, the scope of coverage for individual directors and officers (defendants in derivative litigation) is much broader. A D&O program, if properly negotiated, should protect the individuals for derivative litigation arising out of a cyber breach. Furthering the concern of D&O insurers, many jurisdictions questions to be asked of insureds and potential insureds at each placement. Underwriters will want to discuss the company s strategy to understand and mitigate the risk associated with a cyber breach as well as the role of the directors and officers in developing and reviewing that strategy. As is frequently the case with specialty insurance products where policy language and carrier appetite vary widely, no Insured should assume that all risks associated with a cyber breach are affirmatively covered. While a dedicated cyber policy should respond to many of the first and third party losses associated with a breach (if properly negotiated), the D&O policy should also be reviewed to ensure affirmative response to suits against the directors and officers resulting from a breach. Following Target s acknowledgement of their massive data breach in December 2013, two derivative suits were filed in January 2014. The suits allege Breach of Fiduciary Duty, Waste of Corporate Assets, Gross Mismanagement and Abuse of Control. Shareholders specifically allege that directors and officers failed to properly oversee Target s business and operations. Based on FireEye s assertion of 97% of all companies being breached, is any Board in a position to properly oversee their company s business preclude corporate indemnification for settlements and judgments resulting from derivative litigation implicating the Side A (non-indemnifiable loss) insuring agreement of the D&O program, eliminating the retention and putting the insurer s limit at greater risk. In light of this emerging exposure, D&O insurers are taking notice and companies should be prepared to address questions related to the firm s cyber exposure as part of the D&O Liability insurance renewal process - some insurers have even formalized a set of cyber security-related and operations? Based on The Global State of Information Security Survey 2015 conducted by PwC, only 42% of respondents confirm that the board is active in the security strategy, and only a quarter review current security and privacy risks. When less than half of these boards are involved in the security conversation, how can they adequately defend their ability to properly oversee businesses and operations? At the time of this publication, Sony has spent over a month as the leading cyber breach story, finding itself in the midst of a cyber security and
The C/EO Perspective: What You Don t Know Will Hurt You 3 Public Relations nightmare, with no foreseeable end in sight. Déjà vu all over again? Sony was on the receiving end of multiple targeted attacks by hacktivists in 2011, casting a lasting negative light, not only due to their response, but the actions that led to the retaliatory attacks. Three years later, Sony can t seem to exit the spotlight nor the rhetorical question of did they learn nothing the first time? More troublesome then finding yourself as the victim of a cyber attack is finding yourself in that situation again. As the release of information by the attackers, calling themselves Guardians of Peace slowing, and the modified, but no less controversial release of the film at the heart of the attack having come and gone to earn much lower revenue figures than originally forecast, the next phase of the conversation is speculation as to the types of losses Sony is likely facing now, and likely to face in the future. To date, Sony has been named in four suits, one of which filed by two former employees in federal court alleges that Sony failed to secure its computer systems, servers and databases because Sony made a business decision to accept the risk of losses associated with being hacked. Though Sony s own emails obtained and released by the hackers seem to support the claim that their controls were lackluster and demonstrate some warnings from their IT department and others, this specific allegation begs the question of whether a company s choice to accept the financial and reputational risk associated with a cyber breach introduces a new theory of liability. If Sony s decision makers were aware of the risk but chose to assume it, does that mean that the decision makers at 97% of companies that are purportedly currently being hacked, or those that choose not to insure the financial aspect of a cyber breach are breaching their Fiduciary Duty, or failing to properly oversee their business and operations? Included in the list of suits that Sony is likely to face in the future is shareholder litigation as a result of the low revenue figures earned from the film s modified release. Sony s share price took a rather large tumble in 2011 resulting from the hacktivist attack, and though no shareholder suit followed, based on recent activity and expectations of accountability, the Board should be prepared to defend their ability to properly oversee their business and operations, even more so because of the 2011 breach. So, what is a Board to do when they can t cross their fingers and hope to be part of the 3% of companies that have somehow eluded the threat of cyber criminals to date? Despite much of the litigation against directors and officers pending, and others unsuccessfully testing various theories, it is clear that preparedness, or lack thereof, is a common theme among the suits. Boards need to take an active role in the ongoing responsibility of cyber security, which goes far beyond simply trying to prevent intrusions. Minimizing the information that can leave the organization, knowing how the company will respond once an incident occurs, and ensuring that they have taken all reasonable and appropriate measures to minimize the harm not only to the customer or individuals whose information may be at risk, but now the shareholders, too. JLT s Cyber Liability and D&O experts are well versed in this emerging exposure and welcome the opportunity to engage in additional dialogue. The C/EO team utilizes a defined, pragmatic approach in order to evaluate cyber liability exposures and craft a customized policy to meet the insured s specific needs. Part of that process includes the evaluation of ancillary policies and coverage that could be impacted in the event of a cyberattack. JLT s experienced D&O brokers work in conjunction with the attorneys in our dedicated Legal & Claims Practice and the C/EO team to conduct a gap analysis on the existing D&O program, remediate coverage deficiencies, ensure coordination between the D&O and Cyber Liability programs and maximize protection for both personal and corporate assets. If you d like to discuss how your company can coordinate and contain your cyber liability exposures among your various insurance policies or otherwise, please don t hesitate to contact the brokers at JLT Specialty.
FOR D&O INQUIRIES WILLIAM KROUPA Vice President, JLT Specialty Insurance Services, Inc. Financial Lines Group 303 589 3744 William.Kroupa@jltus.com FOR CYBER INQUIRIES SHANNON GROEBER Senior Vice President JLT Specialty Insurance Services, Inc. Cyber/E&O 215 246 3993 Shannon.Groeber@jltus.com JLT Specialty Insurance Services, Inc. Centre Square East 1500 Market Street Philadelphia, PA 19102 Tel 215.246.1600 www.jltspecialty.com Lloyd s Broker. Authorised and regulated by the Financial Conduct Authority. A member of the Jardine Lloyd Thompson Group. Registered Office: The St Botolph Building, 138 Houndsditch, London EC3A 7AW. Registered in England No. 01536540. VAT No. 244 2321 96. December 2014 xxxxxx