SEC turns up heat on cybersecurity, boosting importance of insurance line



SEC Tightens Cybersecurity and Increases Importance of Insurance Division | Insurance business America

“An insurance agent or broker should recommend cyber insurance for 100% of their business accounts.”


By Mark Schoeff Jr.

Two actions by the Securities and Exchange Commission this week to monitor cybersecurity — a major enforcement settlement and a statement from the agency reaffirming how public companies can comply with new rules — underscore the importance of cybersecurity insurance, brokers and lawyers said.

The SEC on Wednesday fined The Intercontinental Exchange, the parent company of the New York Stock Exchange, $10 million for failing to timely report a cyber breach in April 2021, violating a long-standing rule requiring disclosure to the SEC.

The day before, the director of the SEC’s Division of Corporate Finance, Erik Gerding, released a statement explaining how publicly traded companies can determine whether a cyberattack has a material impact on a company and must be reported under new rules the agency approved last summer.

The one-two win shows the SEC’s focus on cybersecurity. It also underscores the pivotal role cyber insurance can play in helping companies avoid regulatory violations, said Tedrick Housh (pictured above, left), partner and head of privacy and cybersecurity compliance at law firm Lathrop GPM.

“It’s more important than ever,” Housh said. “How well you protect yourself from risk will be reflected in your insurance programs and how you deal with cyber risks. Once you’ve gone through the process of viewing [cyber insurance coverage], the more likely you are to have met the expectations of the SEC and other federal agencies that might otherwise take enforcement action.”

Increased regulatory control

The SEC’s $10 million settlement in this week’s cybersecurity case is the latest example of increased regulatory scrutiny. It’s a trend that Jillian Raines (pictured above, center), partner at Cohen Zahl Frenchman & McKenna, noted in an IB interview earlier this spring.

“There has been an increase in regulatory enforcement actions against both companies and their leading security consultants,” Raines said. “It is important to ensure that people and the companies that employ them are adequately protected, [an area where] we definitely saw a greater need.”

In his statement, the SEC’s Gerding emphasized that companies must look beyond the impact of a cyberattack on their own finances and operations to determine whether it is material. They must also assess whether the incident will damage the company’s reputation, relationships with customers and suppliers, and whether it could trigger litigation or regulatory investigations.

“You shouldn’t just look inward,” said Keith Savino (pictured above, right), managing partner and national cyber practice leader at PCF Insurance Services. “What happens to you affects others.”

Small businesses need cyber coverage

Cybersecurity is a universal need that extends beyond publicly traded companies registered with the SEC. “The bottom line here is that every company has a moral and ethical obligation to take care of their customer data,” Savino said.

Small businesses have experienced a 22% increase in cyberattacks since 2022, the National Association of Insurance Commissioners said in a report released last November.

Any company that has customers, a bank account, or information about customers or clients should have cybersecurity protection in place, Savino said.

“An insurance agent or broker should recommend cyber liability insurance on 100% of their business accounts to protect them [against] a direct or indirect cyber harm,” Savino said.

A cyber incident in one location can have far-reaching impacts throughout the local economy, Savino said. For example, an attack that damages water supplies can impact the operations of many businesses.

“Cyber liability insurance is not a vertical, but a horizontal,” Savino said.

Dive into the details of the policy

When purchasing cyber insurance, companies should consider all the details.

“Front-end due diligence must be done in such a way that a company maximizes its insurance coverage and can best protect itself against extreme risks,” Raines said.

For example, some coverage does not extend to situations where an employee accidentally lets a hacker in by clicking on a spoofing link, essentially opening the door.

“I’ve seen a lot of these policies that … limit your insurance coverage to incidents that involve unauthorized access to a computer system,” Raines said. “I advise my clients to research the coverage they are offered up front.”

Another way to monitor what is covered – and left uncovered – is to keep an eye on cybersecurity litigation.

“We are seeing consumer protection advocates and cybersecurity and watchdog organizations using truly novel claims to test the new frontiers of liability and corporate responsibility around AI and cybersecurity in general,” Raines said.

There are many gray areas in cybersecurity, including determining what constitutes a breach and whether it is bad enough to warrant contacting the SEC and notifying customers. However, many experts say the need for cybersecurity insurance is becoming clearer.


2024-05-24 15:33:51

www.insurancebusinessmag.com