Two Oft-Neglected Cybersecurity Protections

Parker Poe Adams & Bernstein LLP

With each passing year, cybercrime moves further into the mainstream of public company existence. What until recently was mostly an annoying, abstract concern for a handful of companies is now a daily menace that impacts every company in every industry.

Most companies now acknowledge the risks and have implemented plans to combat them. Time will tell whether those plans will be effective as cybercrime becomes increasingly sophisticated and pervasive. Two types of protection, however, may still be lagging for some companies: cyberinsurance and cyberdisclosure.

Cyberinsurance…

A recent study by Ponemon Institute LLC, an independent research institute, reports that only 26% of respondent companies have data breach or cybersecurity insurance policies in place. (See this Doug’s Note.) Such a low percentage may have made sense back when cybercrime was still relatively rare or was limited to a narrow category of companies. Now, of course, that is no longer the case.

It is important to realize that cybersecurity breaches can impact all companies in a variety of significant ways, including for example:

  • Business disruption/lost revenue
  • Loss of intellectual property
  • Infrastructure damage
  • Reputational/brand damage
  • Employee concerns
  • Regulatory investigations and sanctions
  • Litigation exposure
  • Remediation and increased protection costs
  • Management distraction
  • Lower stock price

Every company should be sure that it has insurance in place to adequately cover losses it may incur from a cyberattack.

Cyberdisclosure…

Through various recent speeches and roundtables, the SEC and its staff have increasingly highlighted the importance of full disclosure regarding cybersecurity risks. In this rapidly changing, increasingly risky cyber environment, it is important to continuously revisit whether your company’s disclosures (for example, MD&A, risk factors, contingent liability financial note, legal proceedings, disclosure controls and procedures and internal control over financial reporting) fully capture its universe of cybersecurity risks.

Here are some questions every company should continually (at least quarterly) consider:

  • Have you described all aspects of your business that could generate material cybersecurity risk? Is your company susceptible to undetectable breaches?
  • Is your risk disclosure specific to cybersecurity, rather than simply rolled into a litany of more general disaster risks?
  • Are the potential costs of a cybercrime explained?
  • Are there potential material capital expenditures or liquidity issues related to technology upgrades or repairs?
  • Are any key operations outsourced? If so, are there risks related to outsourcing? How are those risks being managed?
  • Has a cybercrime occurred or been threatened? How was it resolved? Was it, or might it become, material?
  • Have any of the company’s business partners experienced cyber events that have impacted or might impact the company’s operations, directly or indirectly?
  • Are your cybersecurity risks insured? To what extent?

Note also that the SEC staff routinely monitors traditional and social media reports as part of its periodic review process. Therefore, be sure your SEC disclosures are consistent with news in the media.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Parker Poe Adams & Bernstein LLP | Attorney Advertising
