Insurance Law

Public Companies Must Disclose Cyber-Liability Risks

By Rene Siemens and David Beck, Attorneys, Pillsbury Winthrop Shaw Pittman LLP

If you thought you did not need cyber insurance before, Uncle Sam may cause you to think otherwise.  On October 13, 2011, the Securities and Exchange Commission ("SEC") Division of Corporation Finance issued guidance on disclosure obligations relating to cyber security risks and incidents.  The guidance, which is based on existing disclosure requirements and is effective immediately, emphasizes the need for SEC registrants to provide "timely, comprehensive, and accurate information about [cyber] risks and events that a reasonable investor would consider important to an investment decision."

The required disclosures highlighted by the SEC include:

1)    Risk factors relating to a potential cyber incident, including known or threatened attacks;

2)    Costs or other consequences associated with known cyber incidents or the risk of potential incidents, where such costs represent a material event, through disclosure in the Management Discussion and Analysis section of the registrant's annual report;

3)    Cyber incidents that materially affect a registrant's products, services, or relationships with customers and suppliers;

4)    Material legal proceedings involving cyber incidents; and

5)    Any material impact of cyber security, both pre- and post-incident, on the registrant's financial statements.

Failure to make the above disclosures could subject registrants to various consequences, including SEC enforcement actions or lawsuits brought by shareholders.

The new SEC guidance provides yet another reason for companies that handle sensitive information to insure themselves against data security and privacy claims.  Indeed, the SEC expressly notes insurance coverage as one of the relevant factors to be considered in assessing a company's potential cyber liability risk.  In recent years, a large market has evolved for insurance that is specifically designed to cover these risks - marketed under names like "privacy breach insurance," "network security insurance," and "cyber-liability insurance."  This insurance provides both first and third-party coverage for loss associated with a cyber security incident, and includes coverage for costs such as restoring damaged data, responding to regulatory investigations, defense and indemnification against lawsuits arising out of cyber incidents, and loss of revenue for business interruption caused by a data security breach.  While traditional insurance may cover some of these risks too, this new coverage should be seriously considered by any company-whether a registrant with the SEC or not-handling sensitive information.

In procuring cyber insurance, it is important to note that one size does not fit all.  Every insurance company has its own unique policy forms, terms, and exclusions.  Therefore, it is important to consult with an attorney or other professional familiar with the coverages available and the needs of your business so as to ensure that you do not purchase coverages that you do not need or are inadequate.

Pillsbury offers an cyber insurance policy review program-Data Security Plus-to provide our clients with the critical assistance they need to obtain "state-of-the-art" coverage for data security and privacy breaches.  Our team brings market knowledge, up-to-date understanding of evolving insurance case law, and effective advocacy to bear during the placement process to alert you to critical deficiencies in the policy forms you are offered and to negotiate improvements to coverage, including drafting and negotiating manuscripted policy wordings and modifying policies to address recent legal developments.

For more information about LexisNexis products and solutions connect with us through our corporate site.