The U.S. Securities and Exchange Commission (“SEC”) implemented rules governing registrants’ disclosure requirements pertaining to cybersecurity risk management, governance, and incident reporting on July 26, 2023. These rules are likely to give rise to novel issues pertaining to public companies’ insurance portfolios, in particular, directors’ and officers’ liability (“D&O”) and cyber insurance policies. This post provides a short overview of the rules and some of the insurance issues likely to arise going forward.

The SEC’s cyber security disclosure rules and increased exposure

The new rules require registrants to disclose information in three categories: (1) cybersecurity risk management; (2) cybersecurity governance; and (3) cybersecurity incident reporting.

With regard to cybersecurity risk management and governance, public companies are now required to report annually on their cybersecurity risk processes and risk governance in their SEC Form 10-K. Under the cybersecurity risk management disclosure rules, registrants must describe how they assess, identify, and manage material cybersecurity risks, and whether any such risks have materially affected, or are reasonably likely to materially affect, their businesses. Similarly, under the cybersecurity governance disclosure rules, registrants must describe board oversight of cybersecurity risks and the role management plays in assessing and managing material cybersecurity risks.
Continue Reading Insurance coverage implications of SEC’s cybersecurity disclosure rules

Experian Data Breach Resolution (Experian) has identified its “top data breach trends of 2020,” and the cannabis industry should take note. In its “Data Breach Industry Forecast 2020,” Experian predicts that “we will see many burgeoning industries, such as cannabis retailers, cryptocurrency entities, and even some environmental organizations targeted for cyberattacks as a result of online activism or ‘hacktivism.’”

In recognition of this risk, cannabis retailers as well as other cannabis-related businesses should – in addition to taking other prudent risk-mitigation steps – ensure that they have procured insurance to protect against potential cyber-related losses and claims. While the cyber-insurance market available to cannabis-related businesses is still rather limited, such businesses generally still can – and should – obtain at least some cyber coverage today.
Continue Reading Are you covered? Cannabis industry must prepare for cyberattacks in 2020

Since July 2017, national, regional and local businesses operating in Illinois have been hit with a virtual storm of class actions under the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14 et seq. BIPA regulates how businesses may record and store biometric data from customers or employees, and these actions create the potential for significant losses, including the costs of defending class action litigation and potential awards of statutory damages. Defending, settling and paying judgments in claims under BIPA may be covered in whole or in part under cyberliability, media liability, and/or employment practices liability insurance. Businesses operating in Illinois and states with similar laws (such as Texas and Washington) should carefully review their liability insurance programs to determine whether they may respond to a claim under BIPA or a similar statute, and should provide prompt notice of claim in the event of a suit.

The Illinois BIPA requires written consent before any biometric data can be collected and stored; requires companies to develop a publicly available written policy disclosing its schedule and guidelines for its retention of, and eventual permanent destruction of, employees’ biometrics; and mandates how companies must handle biometric data once in possession. If a company fails to abide by the consent, disclosure, or handling requirements, an employee may recover the greater of either (i) actual damages, (ii) $1,000 for a negligent violation, or (iii) $5,000 for an intentional or reckless violation. Awards of plaintiffs’ attorneys’ fees and injunctive relief are also available.
Continue Reading Beware the Fine (Thumb) Print: Insurance Coverage for Class Actions Under the Illinois Biometric Information Privacy Act, and Similar Biometric Privacy Statutes

In light of the growing concern over cybersecurity, the United States Department of Justice (“DOJ”) issued guidance last week on how to prepare for and respond to cyber attacks. Drawing on lessons learned by federal prosecutors while handling cyber investigations, and on input from private sector companies that have managed cyber incidents, the guidance contains a step-by-step guide on what to do before, during and after a cyber incident.

Specifically, the DOJ recommends having a plan in place before any cyber attacks occur. That plan should include identifying critical data and assets that warrant increased security, having the technology and services needed to respond to a cyber incident in place, having legal counsel familiar with the legal issues associated with cyber incidents, and ensuring that your team knows who is responsible for which tasks in the event of an attack. If an attack happens, the DOJ recommends assessing the scope of the incident and working quickly to prevent any ongoing damage, collecting and preserving data related to the attack, and notifying law enforcement. The DOJ cautions against using any systems that have been compromised and against trying to “hack back” against the system involved in the attack.
Continue Reading United States Department of Justice Announces “Best Practices” for Addressing Cyber Attacks

The New York Department of Financial Services (NYDFS) announced last week a series of measures it plans to take “to help strengthen cyber hacking defenses at insurers.” Those measures include, among other things: regular, targeted assessments of cyber security preparedness at insurance companies; putting forward enhanced regulations requiring institutions to meet heightened standards for cyber security; and considering the ways in which NYDFS can support and encourage the development of the cyber security insurance market. The NYDFS stated that it plans to initiate these measures in the coming weeks and months.
Continue Reading New York Department of Financial Services Announces New Cyber Security Measures Directed at Strengthening Insurers’ Cyber Defenses

Just days after news broke that ISIS hackers forced the shutdown of the U.S. Central Command’s Twitter account, President Obama met with congressional leadership, members of the Federal Trade Commission and the Department of Homeland Security to unveil a proposal to facilitate increased cooperation between the private sector and government to combat growing cybersecurity threats. Citing concerns with preserving national security, public safety and public health, the President proposed new federal cybersecurity legislation, emphasizing that although our digital economy “creates enormous opportunities,” it also “creates enormous vulnerabilities for us as a nation” that are growing and costing us billions of dollars. In remarks on Tuesday at the National Cybersecurity Communications Integration Center, the President further acknowledged the serious legal and liability issues involved with private companies sharing information with the government, and argued that his proposed legislation “includes essential safeguards to ensure that [the] government protects privacy and civil liberties” and other liability protections for companies that share information on cyber threats.
Continue Reading President Obama Acknowledges Growing Cybersecurity Threats to the Government and Economy, Proposes New Measures to Fight Cyber Risks

The evolving market for cyberliability insurance coverage reveals significant differences in the scope of coverage afforded under available policies. A coverage gap that may exist under some policies is for insider cyber attacks. While external attacks receive substantial news coverage, a recent study finds that businesses may be far less equipped to stave off attacks involving insiders: employees, vendors, suppliers and others who may have authorized access to critical or sensitive data.
Continue Reading Beware Of Gaps In Your Cyber Risk Policy – Are You Covered In the Event of an Insider Attack or Data Breach?