If you thought you did not need cyber insurance before, Uncle Sam may cause you to think otherwise. On October 13, 2011, the Securities and Exchange Commission (SEC) Division of Corporation Finance issued guidance on disclosure obligations relating to cyber security risks and incidents. The guidance, which is based on existing disclosure requirements and is effective immediately, emphasizes the need for SEC registrants to provide "timely, comprehensive, and accurate information about [cyber] risks and events that a reasonable investor would consider important to an investment decision."
The required disclosures highlighted by the SEC include:
1. Risk factors relating to a potential cyber incident, including known or threatened attacks
2. Costs or other consequences associated with known cyber incidents or the risk of potential incidents, where such costs represent a material event, through disclosure in the Management Discussion and Analysis section of the registrant's annual report
3. Cyber incidents that materially affect a registrant's products, services, or relationships with customers and suppliers
4. Material legal proceedings involving cyber incidents
5. Any material impact of cyber security, both pre- and post-incident, on the registrant's financial statements
Failure to make the above disclosures could subject registrants to various consequences, including SEC enforcement actions or lawsuits brought by shareholders.
The new SEC guidance provides yet another reason for companies that handle sensitive information to insure themselves against data security and privacy claims. Indeed, the SEC expressly notes insurance coverage as one of the relevant factors to be considered in assessing a company's potential cyber-liability risk. In recent years, a large market has evolved for insurance that is specifically designed to cover these risks—marketed under names like "privacy breach insurance," "network security insurance" and "cyber-liability insurance." This insurance provides both first- and third-party coverage for loss associated with a cyber security incident and includes coverage for costs such as restoring damaged data, responding to regulatory investigations, defense and indemnification against lawsuits arising out of cyber incidents, and loss of revenue for business interruption caused by a data security breach. While traditional insurance may cover some of these risks too, this new coverage should be seriously considered by any company—whether a registrant with the SEC or not—handling sensitive information.
In procuring cyber insurance, it is important to note that one size does not fit all. Every insurance company has its own unique policy forms, terms and exclusions. Therefore, it is important to consult with an attorney or other professional familiar with the coverages available and the needs of your business so as to ensure that you do not purchase coverages that you do not need or are inadequate.