The "risk of regulatory enforcement" has shifted from being primarily a cybersecurity talking point to a growing exposure, one that affects a wide range of companies and, increasingly, individual employees as well.
Chief information security officers (CISOs) and other corporate cybersecurity employees are increasingly worried about being swept into claims that could expose them to personal liability. In the article Worlds Collide: Directors and Officers Liability and Cyber Insurance Policies Confront New Overlapping Issues, we wrote about the risks of personal liability that corporate officers may face in connection with cyber events. Those concerns have recently spiked, as government agencies may target individual employees for their roles in alleged cybersecurity failures and weaknesses.
Companies continuously prioritize their cybersecurity actions and investments based on their periodic reassessments of their changing risk exposures. The popular National Institute of Standards and Technology (NIST) Cybersecurity Framework in effect treats cybersecurity as a journey during which organizations will continue to improve their readiness over time. It's a marathon, not a sprint.
Several factors, including budgetary constraints, affect how companies choose priorities along the way. Companies systematically work to identify and mitigate the key vulnerabilities they have at any given time, while understanding that they cannot eliminate all cyber risk.
The growing regulatory overhang
Various governmental agencies have sought to fill the vacuum created by the absence of a US federal cybersecurity law. Further, there's little, if any, administrative guidance to help companies comply with the evolving regulatory agency rules. As a result, it's widely expected that there will be a significant increase in new enforcement actions.
Potential insurance implications
The availability of insurance coverage can depend in significant part on the nature of the particular pleadings, at least in the early stages of a claim. The relative novelty of some of the new regulatory enforcement claims means that there is no clear precedent for assessing coverage. Insurers — and probably courts — have to draw upon policy language, underwriter intent and the expectations of the parties to the insurance contract rather than on historical guidance in making their initial coverage determinations.
In this new era of collision between Cyber and Directors and Officers (D&O) Liabilities described in the above-mentioned article Worlds Collide, it's essential that companies review their Cyber and D&O policies to know the insurance "home(s)" for these types of claims as they arise — and they will arise.
What companies should do now
Companies can take many steps to reduce their — and their employees' — potential liability from regulatory enforcement claims. Here are some suggestions:
- Perform and document periodic privacy impact assessments (required under many privacy laws) to help establish the company's priorities and support its strategic investment decisions along its cybersecurity journey.
- Confirm that all the company's public-facing statements about its cybersecurity practices, policies and history are aligned, consistent and accurately reflect the company's actual behavior and experience with cyber events. Consider that disclosures that appear to discuss cyber risks hypothetically may be viewed by regulators as materially misleading if the company has in fact been affected by prior or ongoing cyber incidents.
- Coordinate communications internally across all departments, and collaborate to ensure that external messages are consistent across all channels and media.
- Establish robust disclosure controls and processes with the participation of cybersecurity experts, IT personnel, internal legal departments and outside counsel.
- Conduct vigorous due diligence on third-party service providers; a cyber event at a service provider often means increased exposure for that provider's customers.
- Keep boards of directors informed of management's cybersecurity priorities, the timelines for remediation and budgetary constraints.
- Document the cyber remediation activities NOT being undertaken currently and the reasons for the inaction (for example, a focus on higher-priority actions for strengthening the company's cybersecurity, or budgetary constraints). Share this information with the board, so that directors will understand the risks and the remediation roadmap.
- The legal, security and IT departments should work together to manage the ways in which sensitive cybersecurity matters — including perceived vulnerabilities at any given point in time — are communicated, documented and reported.
- Clarify how and to what extent CISOs or other cybersecurity officers should address and document intra- and inter-departmental communications about cyber vulnerabilities and priorities in their reports to management and the board. Companies should expect that internal communications might become public by way of compelled disclosure via enforcement action or other litigation.
- Although CISOs may not be in a position to assess the materiality of particular cyber incidents, they may be helpful in determining if the incidents reveal significant vulnerabilities that should be taken into account in crafting the company's public disclosures. Accordingly, consider giving the CISO a defined role in the disclosure process for company filings.
- Update cyber incident response plans to specify how cyber incidents are to be reported and escalated, and require that the plans provide for timely and efficient communication and collaboration across all appropriate departments of the company.
- Incorporate materiality considerations and determinations into cyber incident response plans, and rely on that cross-department communication and collaboration to support the materiality assessment.
- Ensure that all relevant employee positions are included as Insureds in D&O policies.
- Review both D&O and Cyber insurance policies to assess potential coverage grants or restrictions that may arise from unconventional claims.
- Consider alternative strategies with your insurance broker and lawyers for responding to ambiguous policy wording and the coverage gaps they may create.
- As always, when legal questions arise, seek guidance from counsel.
What to expect in 2024
Regulators will continue to focus on the cyber realm, with effects likely to be felt in D&O and Cyber insurance as well as on corporate risk management. The absence of settled and tested standards or administrative guidance will likely cause considerable uncertainty and concern among companies, board directors, the C-Suite, and CISOs.
Companies' principal focus should remain on strengthening their cybersecurity defenses. Rather than waiting and watching, companies should undertake comprehensive reviews of their cyber and disclosure practices and processes — and strengthen them to help protect themselves and their employees from costly threats to their balance sheets and reputations.
We strongly encourage our clients to engage internal and external resources for the large task ahead of them as the worlds of Cyber insurance and D&O continue to collide.