Will SEC Guidance Awaken Private Companies To Cyber Insurance Needs?

Author: Mr Richard Bortnick
Profession: Cozen O'Connor

The following article was first published in Advisen's inaugural as my first regular column. The second Journal was published on 15 June and is available from Advisen at http://corner.advisen.com/journals.html. I will republish my second column in the coming days.

Many who underwrite or broker insurance, or practice law, in the cyber/technology/privacy ("CTP") realm migrated to this emerging area from the directors and officers liability regime. At the same time, it did not take a crystal ball to recognize that it was only a matter of time before CTP and D&O found a commonality. And that time is now.

Virtually every public and private company is reliant on computer networks and electronic data. It's a way of life in the 21st Century. And there's no going back. Yet with reliance comes risk. It seems we read about significant CTP breaches involving large, multinational companies almost on a weekly basis. CTP breaches have become a well-recognized risk of doing business. Estimates project that over 10 percent of us already have been hacked or had our identities stolen. I am among them.

In light of the growing frequency—and severity—of such breaches (whether by hackers, hacktivists, foreign governments, teenagers or simple thrill-seekers), legislators and regulators alike are taking a much harder look at CTP risks and exposures. There have already been securities fraud lawsuits arising from alleged CTP events.

In one case, In re: Heartland Payment Systems (D.N.J. Dec. 07, 2009), a motion to dismiss was granted where the court found that the existence of unresolved network security issues did not, in itself, suggest that the defendants did not value data security or that it did not maintain a high level of security. The court further found that while knowledge of a prior cyber attack may have been material to plaintiffs' investment decisions, securities issuers have no general duty to disclose every material fact to investors. (See related textbox, "D&O, Cyber Intersect: The First Case," for background on the Heartland securities class action.)

More recently, the well-publicized securities fraud class action lawsuits against News Corp. arising from the London hacking scandal provide another example of what likely will become a growing trend of D&O litigation involving CTP issues.

Thus, it should be no surprise that on October 13, 2011, the SEC's Division of Corporate Finance (DCF) issued a Disclosure Guidance identifying the types of...
