As recent events have shown, the pace and scale of cyberattacks continue to grow, as do the financial stakes—revenue losses, recovery expenses, liability costs, and potentially severe regulatory fines are all consequences facing companies. The specter of 2017’s NotPetya event, the most devastating cyber event in history, continues to haunt business leaders: the malware caused more than $10 billion in economic damages and disrupted business operations, production, and logistics for major global firms. The insured losses from that attack alone have been estimated at more than $3 billion.
Incidents such as these are forcing companies to make cyber risk a corporate priority. In the recently released Global Risks Report 2019, those in advanced economies again rank cyberattacks among their top risk concerns. That recognition has evolved from viewing cyber risk as a problem to be solved by spending more on technology to seeing it as a risk that must be actively managed across many areas of the company. That shift in mindset has brought cyber insurance into the overall equation of how a firm manages its technology risk.
But cyber risk is an increasing concern not just for c-suites
and boards: regulators also are more actively looking at how organizations
address cyber risks and how they manage their responsibilities to key
stakeholders. So even as the financial costs of cyber threats grow, the
regulatory stakes are likewise poised to rise as more regulators—and particularly
the US Securities and Exchange Commission (SEC)—begin to impose stricter
requirements on businesses.
These two trends—the increasing adoption of insurance to transfer cyber risk and a more rigorous regulatory approach to cyber-risk management—dovetail in numerous ways. Many of the new regulatory requirements and guidance around cyber-risk assessment, prevention, and management, executive and board-level ownership, and event disclosure and response, are the same practices that should inform an organization’s decision-making around cyber insurance investment. These same best practices are what underwriters increasingly expect and value.
The SEC Strengthens Its
Cybersecurity has been on the SEC’s agenda for several years. In 2011, the commission’s Division of Corporation Finance issued guidance calling on companies to assess their disclosure obligations regarding their cybersecurity risks and cyber incidents.
While a good starting point, the guidance did not go far enough in setting clear expectations for both proactive and reactive cyber-risk management and oversight. The SEC’s 2018 interpretative guidance outlines requirements for publicly traded companies to disclose cybersecurity risks and material incidents.
The SEC guidance focuses on five main areas:
disclosure. The guidance calls for transparency around the identification,
quantification, and management of cyber risks by the C-suite and oversight by
the board of directors. Often, growth in technology and the global operating
environment impede 360-degree visibility into a company’s vulnerable spots, with
lack of data contributing to compromised security.
- Board oversight. The board is expected to
understand, quantify, and oversee cyber risk. The SEC advises companies to
disclose in their proxy statement the board’s role and engagement in cyber-risk
oversight. Board members have to be privy to and understand the
company’s overall cybersecurity exposure, with a particular focus on the impact
on the company’s financial condition, integrating this insight into their
360-degree view of the company’s risks.
disclosure. Companies are required to “inform investors about material
cybersecurity risks and incidents in a timely fashion.” To do so, companies must
have structures in place to identify and quantify cyber risk—tools that allow
the organization to rapidly determine whether the impact of a compromised
system was, in fact, material and requires disclosure to regulators and
and procedures. The guidance also tasks companies with assessing whether
their enterprise risk management (ERM) process is sufficient to safeguard the
organization from cyberdisasters. This requires a step-by-step playbook for
cyberevents, including identifying who needs to be contacted and how and with
whom the business will share information about a breach. Given the evolving
nature of cyber risk, ongoing due diligence exercises should occur to identify
and manage new risks—especially during a merger or acquisition. Most companies
have long done this for other perils such as natural disasters, and it is
imperative they extend this process to cyber risk.
trading. New to the 2018 guidance is a reminder to companies, directors,
officers, and other parties of insider trading prohibitions. In practice, this
means that directors, officers, and other executives who are aware of a
company’s cybervulnerabilities or a breach could be liable if they sell company
stock, or instruct anyone else to do so, before such a breach or vulnerability
The cost of non-compliance can be substantial. Last year the SEC leveled a $35 million penalty against a large technology company it said misled investors when the company failed to disclose the theft of the personal data from hundreds of millions of user accounts.
Congress, which holds the SEC’s purse strings, is placing mounting pressure on the agency to improve cybersecurity, and private investors are also pressing for more stringent cybersecurity controls at the companies they hold. It is, therefore, likely the SEC will start coming down on companies with more vigor, especially in the wake of recent—and, inevitably, future—major breaches.
Risk Transfer as a
Core Cyber-Risk Management Tool
Given the nature of the majority of risks, businesses
recognize that technology and other solutions alone can’t respond to the full
spectrum of risks they face. Insurance has historically stepped in to provide
the financial backstop for that residual risk that cannot be managed to zero
through process, procedure, and mitigation.
Cyber risk is no different in this sense, and organizations
are now recognizing that cyber risk also cannot be managed through technology
alone. It is an operational risk that needs to be incorporated into the firm’s
overall ERM processes—one that includes risk transfer, as well as mitigation
and resilience planning.
The insurance market now offers risk transfer solutions for
cyber risk that address both ever-evolving technology risk and the recent retreat
of traditional insurance products from adequately addressing firms’ evolving cyber-risk
Cyber insurance starts with the premise that all of a firm’s
technology-driven risk should be insurable. These risks include both the direct
loss that a firm can suffer in terms of lost revenue or assets, as well as the
liability that can arise from a data breach or failure to comply with myriad
new domestic and international regulations.
Cyber insurance has also been at the forefront of pushing
for better understanding of this risk’s financial implications to help the
industry improve modeling of potential loss scenarios. That financial
assessment is a critical foundation for businesses’ risk management planning as
well: Cyber-risk quantification helps the firm assess the economic impact of a
range of cyberevents, and on that basis, make informed investments in
technology, insurance, and response resources. Quantification of cyber risk
also allows for cyber risk to be analyzed within the firm’s overall risk
framework and integrated into its overall risk management planning.
The assessment, evaluation, and modeling processes that are essential foundations for purchasing cyber insurance are, in many ways, aligned with the practices called for by the SEC in its recent guidance. Given the likelihood of an increasingly active regulatory agenda, organizations are advised to align their policies and practices to abide by the SEC’s recommendations and to consider insurance market coverage that can help protect against cyberevent-related losses and regulatory liabilities.
Bob Parisi is cyber product leader and Christopher Hetner is managing director of cyber-risk consulting at Marsh.