Corporate board directors need to be aware of risk of data breaches in light of regulatory guidance on disclosing cyber threats


March 15, 2012   by Canadian Underwriter



U.S. board directors need to be acutely aware of the risk of data breaches at their companies in light of recent regulatory guidance on disclosing cyber threats, according to speakers at a Willis-hosted cyber liability conference in London.

The U.S. Securities and Exchange Commission (SEC) issued guidance on disclosing cyber threats in October 2011.

“The SEC guidance is a useful wake-up call to the risks of data breaches for boards everywhere but [boards] now have a delicate balancing act,” Francis Kean of Willis Group Holdings told the audience on Mar. 13. “The problem with exposing cyber breaches is you don’t want to provide a route map to hackers or potential plaintiffs down the road, but you also don’t want to expose yourself to a shareholder class action.”

Kean stressed the need for boards to better understand emerging cyber threats.

“There is a whole universe of potential cyber risk not understood at a board level,” he said. “Their fiduciary duties require them to gain some understanding of the cyber threat faced by their companies and to ensure adequate and proportionate procedures are adopted to mitigate the consequences of a serious data breach.”

The SEC guidance was issued to address concerns that investors could not properly assess security risks if companies failed to disclose data breaches in their public filings.

Some of the SEC’s expectations about disclosure call for specifics: “A registrant may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context,” the SEC guidance says.

“For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur.

“Instead, as part of a broader discussion of malware or other similar attacks that pose a particular risk, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences.”

At another panel at the event, Jeremy Smith, Willis’ cyber liabilities practice leader, discussed the development of cyber liability insurance.

“The convergence of cyber coverage in recent years was largely due to a lack of sophisticated claims data and significant increases in cyber crime,” Smith said.

Now, however, Smith observed that brokers are pushing for further innovation from the market and have managed to secure additional coverage for PCI fines, third-party vendors and terrorism.

Also, according to Smith, advanced persistent threats (APTs), such as the Aurora virus and Nightdragon, are the next challenge for the insurance industry. “APTs are sustained attacks designed to steal intellectual property over a number of years. The insurance industry hasn’t fully tackled this threat yet, but I hope that brokers and insurers will find a solution together in the future,” he said.