Two actions by the Securities and Exchange Commission this week on cybersecurity oversight – a big enforcement settlement and an agency statement reinforcing how public companies can comply with new rules – emphasize the importance of cybersecurity insurance, brokers and lawyers said.
The SEC on Wednesday imposed a $10 million fine on The Intercontinental Exchange, the parent company of the New York Stock Exchange, for failing to report in a timely way an April 2021 cyber breach, violating a longstanding regulation requiring disclosure to the SEC.
The previous day, the director of the SEC’s Division of Corporate Finance, Erik Gerding, released a statement in which he explained how public companies can determine whether a cyberattack has a material impact on a firm and must be reported to the SEC under new rules the agency approved last summer.
The one-two punch demonstrates the SEC’s focus on cybersecurity. It also highlights the central role cyber insurance can play in helping firms avoid regulatory violations, said Tedrick Housh (pictured above, left), a partner and leader of data privacy and cybersecurity compliance at the law firm Lathrop GPM.
“It’s more important than ever,” Housh said. “How well you’re protecting against risk will be reflected in your insurance programs and your approach to cyber risk. If you’ve gone through the process of looking at [cyber insurance coverage], the more likely you are to have met the expectations of the SEC and other federal agencies who otherwise might bring enforcement actions.”
The SEC’s $10 million settlement in this week’s cybersecurity case is the latest example of increased regulatory scrutiny. It’s a trend that Jillian Raines (pictured above, center), a partner at Cohen Ziffer Frenchman & McKenna, noted in an IB interview earlier this spring.
“There has been an uptick in regulatory enforcement actions against both companies as well as their top security advisors,” Raines said. “Making sure that those folks and the companies who are employing them are adequately protected is [an area where] we’ve definitely seen more of a need.”
In his statement, the SEC’s Gerding stressed that companies must look beyond a cyberattack’s impact on their own finances and operations to determine whether it’s material. They must also assess whether the incident will harm the company’s reputation or its relationships with customers and vendors, and whether it could trigger litigation or regulatory investigations.
“You should not just be looking inwardly,” said Keith Savino (pictured above, right), managing partner and national cyber practice leader at PCF Insurance Services. “What happens to you impacts others.”
Cybersecurity is a universal need that goes beyond public companies that are registered with the SEC. “The bottom line here is that every entity has a moral and ethical obligation to care for their customer data,” Savino said.
Small businesses have experienced a 22% increase in cyberattacks since 2022, the National Association of Insurance Commissioners said in a report released last November.
Any business that has customers, a bank account or holds information about any customer or client should have cybersecurity coverage, Savino said.
“An insurance agent or broker should be recommending cyber liability insurance to 100% of their commercial accounts to protect them [against] a direct or indirect cyber loss,” Savino said.
A cyber incident at one location can have ripple effects across a local economy, Savino said. For instance, an attack that damages the water supply can harm the operations of many businesses.
“Cyber liability insurance is not a vertical, it is a horizontal,” Savino said.
When companies shop for cyber insurance, they should delve into all the details.
“Diligence on the front end must be done in a way that helps a company maximize its coverage and be in the best position to protect against extreme risks,” Raines said.
Some coverage doesn’t extend, for instance, to situations where an employee inadvertently lets a hacker in by clicking on a spoofing link, essentially opening the door.
“I’ve seen many of these policies that…restrict your coverage to incidents where there is unauthorized access to a computer system,” Raines said. “I advise my clients to…do a deep dive on the coverage that you’re being issued on the front end.”
Another way to monitor what is being covered – and left uncovered – is to keep an eye on cybersecurity litigation.
“We’re seeing really novel claims being used by consumer privacy advocates and cybersecurity and watchdog organizations to try to test the new bounds of liability and corporate responsibility around AI and cybersecurity generally,” Raines said.
There’s much gray area around cybersecurity, from determining what constitutes a breach to deciding whether it’s bad enough to warrant contacting the SEC and telling customers. But many experts say the necessity for cybersecurity insurance is becoming clearer.