Each week brings a barrage of cyberattack headlines. In late 2018, Marriott announced the theft of almost 500 million customers’ personal data. Marriott was not alone — one recent survey suggests that nearly three in five companies were hit by one or more attacks in 2018. Increased regulatory scrutiny and shareholder litigation following cyber events pose a greater threat than ever to a company’s reputation and balance sheet. As data breaches grow in scope and cost, officers and directors, who ultimately are responsible for the organization’s survival, must emphasize appropriate insurance coverage for themselves.
A Wake-Up Call from Regulators and Shareholders
It is practically given that regulators and angry shareholders will point fingers at senior management following a significant data incident. A patchwork federal, state and international framework makes navigating the cyber regulatory landscape challenging. Many federal agencies, including the Securities and Exchange Commission, Federal Trade Commission and the National Association of Corporate Directors, publish best practices and set requirements for companies to identify vulnerabilities, secure data, and respond to breaches. In 2018, the SEC issued guidance regarding public company disclosures about material, known cyber risks or uncertainties. A board must fully inform itself and make reasonable decisions about disclosures it ought to make or face liability. At least 35 states introduced over 250 cyber-related bills in 2018.