Cyber security and related privacy issues increasingly
dominate the headlines. And for good reason: according to statistics cited in a
Wall Street Journal article, cyber attacks - ranging from
malicious software to denial of service attacks - increased 42% in 2012. The
trend has only accelerated in 2013. As the possibility and potential scope of
these types of attacks increases, these issues represent an increasing
challenge for all companies and their management - and increasingly, their
boards, as well.
The banking industry is the latest to receive the
emphatic message that companies need to be taking steps to protect against
cyber threats. According to a June 14, 2013 Wall Street Journal article
entitled "A Call to Arms for Banks" (here),
regulators are "stepping up calls for banks to better-arm themselves against
the growing online threat that hackers and criminal organizations pose."
Regulators are increasingly concerned about attacks that might not only disrupt
an individual bank but also the entire financial system.
Among other things, the Journal article reports
that the OCC recently hosted a call with more than 1,000 community bankers
"warning that cyber attacks are on the rise - particularly among small banks -
as the number of potential targets expands." Among other things, the banks were
advised that they will be "judged on their preparation against cyber attacks
when examiners gauge a bank's operational risk."
The message from regulators is not only that they expect
the regulated institutions to take steps to guard against cyber exposures, but
that the institutions will be held accountable for their shortcomings in this
area. The expectations and the accountability are not limited just to the
banking sector. According to the Journal article, last year the FTC
filed a lawsuit against Wyndham Worldwide Corp. alleging that the hotel chain
"failed to protect the credit-card information of its consumers." (For those
readers who may be interested, the FTC's complaint in the action against
Wyndham can be found here.)
Yet another recent Journal article underscored the
extent to which cyber exposure involves companies in many industries. In a
disturbing June 13, 2013 article entitled "Patients Put at Risk by Computer
the Wall Street Journal reported the apparently increasing risk that
medical devices could be infected with viruses or malware that could impair the
devices' function or expose potentially sensitive patient information by
sending it to outside servers. The article cites several examples including an
instance where an infected radiology device was sending mammography information
to outside servers, including patient names, records of procedures and X-ray
These latter examples underscore how extensive and
dispersed cyber threats have become in an era where devices are increasingly
interconnected. Moreover, it is clear that regulators (among others) expect
companies to take steps to protect against cyber exposures - and that
regulators intend to hold companies accountable.
Given the extent of the operational and reputational risk
that cyber exposures represent, these issues should be a priority topic for
company managers - and for company boards. As on any other critical topic,
directors should be asking questions and demanding accountability. This
is going to be particularly true for companies whose products might be involved
in the kinds of cyber incidents described in the Journal article about
infiltrated medical devices.
In this environment, directors should be asking the
questions to determine what steps their company is taking to assess and to
protect against cyber exposures. One particular question directors should be
asking their senior managers is what steps the company has taken to put
insurance in place to protect against the problems that can arise when cyber
In the guidance
that the SEC recently provided companies with respect to cyber-related
disclosures, one item the SEC specifically emphasized that companies should be
disclosing with respect to their potential cyber exposures is a "description of
relevant insurance coverage." Behind this disclosure requirement is the
implicit assumption that companies will have insurance in place to respond to
cyber incidents. With regulators bearing down on these issues and even filing
regulatory actions, it is a matter of simple prudence for companies to have
insurance in place designed to address these risks.
For that reason, as part of their overall assessment of
these issues, directors will want to ask company management what insurance the
company has in place to protect their company from loss arising from
cyber-related exposures. In particular, because traditional insurance alone is
not sufficient to protect against these risks, directors should determine that
the company has a cyber liability insurance policy in place that provides
protection against both first party costs (such as forensic IT services,
notification costs, call center costs, and credit monitoring services) and
third-party costs (such as might arise in a third-party liability lawsuit).
A good introductory summary to the limitations of
traditional insurance and the need for the specialized cyber liability
insurance to protect against these risks can be found in a two-part series by Roberta Anderson of the
K&L Gates law firm entitled "Insurance Coverage for Cyber Attacks," which
can be found here.
ICYMI: SEC Makes Second Whistleblower Award: On
June 12, 2013, the SEC made its second award under the Dodd-Frank whistleblower
provisions. Under the provisions, whistleblowers whose tips to the SEC lead to
enforcement judgments and awards over $1 million are potentially eligible for
an award of 10 to 30 percent of the sanctions. As reflected here, the SEC made
its first award on August 21, 2012.
In a June 12, 2013 order in a Whistleblower Award
the SEC determined that each of three whistleblowers is to receive an award of
five percent of monetary sanctions collected. The three unnamed individuals had
"voluntarily provided original information to the Commission that led to the
successful enforcement" of an action against Audrey C. Hicks and Locust
Offshore Management. (The SEC denied a whistleblower bounty award to a fourth
person). In the enforcement action, which resulted in disgorgement and
penalties totaling about $7.5 million, the SEC alleged that the defendants had
sold shares in a fictitious offshore fund. The SEC's press release announcing
the award can be found here.
Even though the recent award was relatively modest and is
only the second so far under the Dodd-Frank whistleblower provisions, observers
believe the award indicates further awards will soon be forthcoming. Indeed, as
reported in Bruce Carton's June 12, 2012 Compliance Week article (here),
the SEC official in charge of the agency's whistleblower program recently told
an industry conference that in the coming months the whistleblower program will
produce "incredibly impactful cases" with "some extremely significant
Upcoming Securities Litigation Webinar: On
Wednesday June 19, 2013, at 2:00 am EDT, Financial Recoveries Technologies will
be hosting a webinar entitled "The Evolving Securities Class Action Industry."
This free webinar will address the legal environment affecting class actions,
fiduciary obligations for asset managers and standards in the claim filing
industry. Speakers will include Boston University Law Professor David
Webber, who recently posted an interesting
article entitled "Institutional Investor Lead Plaintiffs in Mergers and
Acquisitions Litigation" on the Harvard Law School Forum on Corporate
Governance and Financial Regulation. The webinar panel will also include
our good friend Adam Savett,
who is CEO and Founder of TXT Capital. Registration Information for the webinar
can be found here.
other items of interest from the world of directors & officers liability,
with occasional commentary, at the D&O Diary, a blog by Kevin LaCroix.