US Cybersecurity update

This article highlights a series of emerging risk factors in the area of cybersecurity and provides background to assist the Lloyd’s market to review their impact on existing policies and exclusions.

Tue 08 Apr 2014

As you may know, the Lloyd’s 2013 Risk Index highlighted cybersecurity as one of the Top 5 Risks identified by companies, preceded only by concerns over high taxation and loss of customers for major corporations.

A 2013 Cybersecurity Executive Order (EO) issued by United States President Barack Obama, along with associated actions by US state governments and foreign governments, affects the way in which cybersecurity issues reach policyholders. These actions involve a wide swath of sectors including, but not limited to, the 16 Critical Infrastructure (CI) sectors identified by the Obama Administration, publicly traded companies, companies with an online presence (such as a retailer, hotel etc) and state/local governments that hold personally identifiable information (PII).

(NOTE: CI sectors are designated in Presidential Policy Directive (PPD-21): Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; Water and Wastewater Systems.)

Summary of Issues

Cybersecurity is a prevalent and ongoing area of concern that is the subject of debate and discussion by the Obama Administration, US state governments and foreign governments around the world. Major threat actors include nation states, “hacktivists,” insider threats (those found within corporations, such as employees, contractors, etc) and criminals. As a result, the Obama Administration has focused on the economic and national security impacts that a catastrophic cyber-attack could have on the US. Just as important, cybersecurity attacks also result in the loss of intellectual property, reputational harm and broader, cascading impacts on the global economy.

Background

The EO directed the US Departments of Homeland Security and Commerce/the National Institute of Standards and Technology to work with the private sector to create a voluntary Cybersecurity Framework as a means to help companies address and mitigate cyber risks. On February 12, 2014, the White House unveiled a Cybersecurity Framework 1.0 (Framework). The Framework makes a number of critical points including: 

  1. All Boards and Directors, along with executives in their respective companies, are expected to be aware of the cyber risks their companies face and to participate in the information flow and decision making within the company. The Framework lays out a structure that states: “The executive level communicates the mission priorities, available resources and overall risk tolerance to the business/process level. The business/process level uses the information as inputs into the risk management process, and then collaborates with the implementation/operations level to communicate business needs and create a profile.”
  2. The Framework makes clear that every company needs to address cyber risk regardless of its size and/or level of “cyber sophistication.”
  3. It also clearly states an expectation that companies will work within their own supply chains to address these risks with their suppliers.
  4. The Framework is not limited to the 16 currently designated CI sectors; it applies to all companies, including retail institutions, universities, publicly traded entities that hold personally identifiable information (PII), etc.

Impact on Lloyd's

Cybersecurity attacks are on the rise and are almost a daily occurrence. While the recently issued Framework is a voluntary program, there are a number of other risk factors that affect the Lloyd's market, including:

  1. Directors and Officers Insurance (D&O)
    • Issuance of Cybersecurity Framework and Implementation:
      Compliance with the Framework and its implementation through voluntary corporate governance compliance, US state law, or other regulatory or legal requirements may give rise to a new standard of corporate conduct and care. The Framework makes clear that all Boards and Directors should be fully aware of and engaged with the cyber risks their companies face and should participate in the information flow and decision making within the company. Consequently, a cyber-attack against a corporation may result in a securities class action brought against the corporation and its directors and officers for harm caused to shareholders by the directors’ and officers’ failure to comply with the standard of conduct set forth in the Framework and related regulations or laws. Accordingly, review of current D&O policy wordings and related reinsurance wordings is essential to address the potential risks that may arise out of cyber-attacks or even just the failure to comply with the Framework. Coverage grants and exclusions should be reviewed and consideration should be given to whether additional language is required to address potential exposures arising from the alleged failure to comply with the Framework.
    • Potential New Securities and Exchange Commission (SEC) Requirements:
      The SEC has been ramping up its oversight of cyber risk by “spot checking” companies’ filings, and the Chair has been clear this is a priority. On March 26th, the SEC held a cyber roundtable to discuss cyber disclosure issues, and the direction the SEC takes should be closely watched. Investigations and ultimate actions by the SEC are typically followed by shareholder class actions against corporations and their directors and officers. A review of whether policy wordings provide coverage for SEC investigations surrounding cyber issues is advisable.
    • Potential New Federal Trade Commission (FTC) Authorities:
      The FTC has initiated enforcement actions and litigation against a host of entities, including Wyndham Hotels. The commission claims Wyndham’s failure to protect its own networks caused fraudulent charges to consumers’ accounts, stating “… the repeated security failures exposed consumers’ personal data to unauthorized access.” While Wyndham Hotels has attempted to have the case dismissed, it has been unsuccessful. If the FTC wins this case, it will potentially open the door to other, more widespread litigation and additional liability concerns for companies as a result. This implicates D&O coverage as well as potential coverage under Commercial General Liability (CGL), Fidelity and Blanket Crime policies.
    • Potential New Cybersecurity and Data Breach Legislation:
      Recent data breaches of customer records at two large US retailers, Target and Neiman Marcus, have prompted the US Congress to debate a host of new data breach/security bills that could either establish a federal preemption over existing state data breach/security laws or be an additional overlay on top of individual state laws. These laws, if enacted, could affect D&O, CGL, Property, Professional Liability, E&O, Fidelity/Blanket Crime and Cyber-liability wordings.
  2. Other Policies
    • Fidelity, Property, Commercial General Liability, and Business Continuity:
      As mentioned above, numerous other policy wordings and related reinsurance wordings may need to be examined in light of the Framework and any corporate policies, laws or regulations implementing the Framework. Besides D&O covers, Fidelity and Blanket Crime, Property, CGL, Professional Liability, Errors & Omissions (including Broker Liability), Business Interruption and related covers and of course Cyber liability should be reviewed for potential modification or clarification of coverage grants and/or exclusions. Whether the Framework and/or its progeny will be seen as creating a new standard of care and conduct is the key issue for expanded liability.
    • Cybersecurity Threats and Impacts on Current Policies:
      Cyber-attacks can come from a host of threat actors such as nation states, hacktivists and insider threats to a company. The public nature of almost daily cyber-attacks, the issuance of the Framework and the awareness of the added risk of intellectual property loss, reputational harm, physical destruction and the like suggest a need to review existing policy wordings and related reinsurance covers as described above. Consistency between coverage grants and exclusions on corporate insurance programs is especially important to avoid coverage gaps for policyholders and additional liability for the Lloyd's market.

Please contact the LITA team for more information

Lloyd's International Trading Advice

Primary point of contact for advice and information on Lloyd's trading status worldwide.

On site:

Lloyd's International Trading Advice

Lloyd's Desk, Ground Floor, Underwriting Room

+44 (0) 20 7327 6677