“Insurance agents and brokers should recommend cyber insurance to 100% of their commercial clients.”
By Mark Shoaf Jr.
Two actions taken by the Securities and Exchange Commission this week regarding cybersecurity oversight — a major enforcement settlement and a statement from the agency tightening how publicly traded companies comply with new rules — underscore the importance of cybersecurity insurance, brokers and lawyers said.
The SEC on Wednesday fined Intercontinental Exchange Inc., the parent company of the New York Stock Exchange, $10 million for failing to timely report an April 2021 cyber breach, a violation of long-standing rules requiring disclosure to the SEC.
The previous day, Eric Gerding, director of the SEC's Division of Corporation Finance, issued a statement explaining how public companies can determine whether a cyberattack has had a material impact on their company and whether they are required to report it to the SEC, under new rules the SEC approved last summer.
This one-two punch signals the SEC's focus on cybersecurity and also highlights the central role that cyber insurance plays in helping companies avoid regulatory violations, said Tedrick Housh (pictured above, left), partner and leader of data privacy and cybersecurity compliance at law firm Lathrop GPM.
“It’s more important than ever,” Housh said. “How well you protect against risk is reflected in your insurance program and your approach to cyber risk. [cyber insurance coverage] This will increase the likelihood that the SEC or other federal agencies will take enforcement action and meet expectations.”
Increased regulatory oversight
The SEC's $10 million settlement in a cybersecurity lawsuit this week is the latest example of increased regulatory scrutiny, a trend that Cohen, Ziffer, Frenchman & McKenna partner Gillian Rains (pictured center) noted in an IB interview this spring.
“We've seen an increase in regulatory enforcement actions against both companies and their top security advisers,” Raines said. “Ensuring that these people and the companies that employ them are adequately protected is crucial. [an area where] We've definitely seen a need for more.”
In a statement, the SEC's Gerding emphasized that companies need to determine whether a cyberattack is material beyond its financial and operational impact. Companies also need to evaluate whether the incident could adversely affect their reputation, relationships with customers or vendors, or give rise to litigation or regulatory investigations.
“Don't just think about yourself,” says Keith Savino (pictured right), managing partner and national cyber practice leader at PCF Insurance Services. “What happens to you affects other people.”
Small businesses need cyber insurance
Cybersecurity is a universal need, not just for publicly traded companies registered with the SEC. “The bottom line is that all organizations have a moral and ethical obligation to protect customer data,” Savino said.
A report released last November by the National Association of Insurance Commissioners said small businesses will experience a 22% increase in cyber attacks from 2022 onwards.
Savino said companies that have customers, bank accounts and hold information about their customers or clients should have cybersecurity coverage.
“Insurance agents and brokers should recommend cyber liability insurance to 100% of their commercial clients to protect them [against] cyber losses, either direct or indirect,” Savino said.
Savino said a cyber incident in one place can have a ripple effect throughout the local economy: An attack damaging water supplies, for example, could harm the operations of many businesses.
“Cyber liability insurance is horizontal, not vertical,” Savino said.
Digging into policy details
When a business purchases cyber insurance, it is important to closely examine every detail.
“Forewarned, diligence needs to be done to ensure companies are in the best position to maximize their coverage and protect themselves against extreme risk,” Rains said.
For example, a policy may not cover a situation where an employee inadvertently clicks on a spoofed link, essentially opening the door for hackers to get in.
“I've seen many policies that limit coverage to cases where there is unauthorized access to computer systems,” Rains says, “and I always advise my clients to thoroughly research the initial coverage they are offered.”
Another way to monitor what is and isn’t covered is to look at cybersecurity litigation.
“We're seeing some really novel arguments being made by consumer privacy advocates and cybersecurity watchdogs to test the boundaries of new responsibilities and corporate liability around AI and cybersecurity in general,” Rains said.
There are a lot of gray areas when it comes to cybersecurity, including what constitutes a breach and whether it's egregious enough to call the SEC and tell your customers, but many experts say the need for cybersecurity insurance is becoming clear.