
Cyber Risks Connect With Directors and Officers: Implications of the New SEC Guidance on Cyber Security

February 2012 • Lockton Companies, LLC

WILLIAM BOECK
Senior Vice President, Insurance & Claims Counsel
816.960.9670
[email protected]

EMILY FREEMAN
Executive Director, Technology and Media Risks
011 44 20 7933 2224
[email protected]

CHRIS McBEE
Senior Vice President, Financial Services Unit Manager
214.969.6727
[email protected]

The Securities and Exchange Commission (SEC) has changed the cyber security playing field for directors and officers. No less than the Chairman of the U.S. Senate’s Commerce Committee has said that the new guidance issued by the SEC “fundamentally changes the way companies will address cyber security in the 21st century.” He is right!

For the past five years, IT security, privacy legal professionals, and internal audit have focused on direct and indirect cyber risks. At Lockton, we have seen increasing inquiries from insurance and risk management professionals for advice and insurance. The SEC’s guidance will now require company directors and officers to pay increased attention, too.

If the business—such as a financial institution, retailer, or healthcare provider—requires the collection and use of personal financial or healthcare information, many senior executives are already aware of the liability, brand, and financial costs of data breaches. But are cyber risks just the concern of companies that deal directly with the consumer?

The SEC guidance issued in October 2011 paints a different picture, or perhaps a target, on the board of directors. It makes the boards of directors of publicly traded companies responsible for assessing their company’s exposure to cyber risks, the procedures they take, and costs they incur in preventing cyber incidents.

Companies must disclose this information to investors. The guidance is detailed about what needs to be disclosed. The list is long. The guidance does not impose a new legal requirement, but that does not minimize its impact.

The disclosure guidance issued on October 13, 2011 (the Disclosure Guidance), by the Division of Corporation Finance of the Securities and Exchange Commission (SEC) can be found here.1

In a world where cyber events are increasingly common, shareholders and the lawyers who represent them will be assessing whether disclosures are adequate in their view. When a company experiences a cyber event, its directors and officers may well find themselves in shareholder lawsuits that seek to impose liability for breaches of fiduciary duties, to assure that the company is adequately prepared for such an event, and to disclose the risks of such events to investors. The SEC’s guidance arguably creates a road map for aggrieved shareholders, and the disclosures will create significant risks for directors and officers.

So what impact does it have on board governance? And is this expanding our notion of cyber risks beyond consumer-facing companies?

The Congressional Impetus Behind the Guidance

Although the Department of Homeland Security has departmental focus and executive support for improving cyber security of U.S. critical infrastructure industries, the SEC guidance is driven by congressional concerns.

The disclosure guidance follows in the wake of a letter in May 2011 to the SEC from five members of the Senate, including John D. Rockefeller IV, Chairman of the U.S. Senate Committee on Commerce, Science, and Transportation. That letter expressed concern that “a substantial number of companies do not report their information security risk to investors,” and that “once a material network breach has occurred, leaders of publicly traded companies may not fully understand their affirmative obligation to disclose information . . .” As a result, the Senators requested that the SEC “publish interpretative guidance clarifying existing disclosure requirements pertaining to information security risk . . .”

This letter was the culmination of a 15-month investigation by the U.S. Senate Commerce Committee, kicked off by a question: “Should the SEC issue a regulation requiring companies to disclose breaches; why or why not?” The investigation examined what companies were or were not reporting, what the SEC’s role is or could be, and whether there could be a positive impact not only on the cyber security of companies, but on the U.S. as a whole.

It is relatively easy for investors to see major public operational disruptions from customer data breaches.


The well-publicized breaches involving T.J. Maxx and the Sony PlayStation are good examples. Class action lawsuits, notification of data breaches to customers, and privacy regulatory investigations are also public events.

The Commerce Committee’s investigation focused on something more difficult to see. How can companies or investors measure or even discover the theft or unauthorized disclosure of sensitive corporate data, research and development, scientific studies, and trade secrets? If a company’s market capitalization and revenues are based upon its know-how, intellectual capital, and research, what would the company be worth if it were the victim of hackers or of industrial espionage by persons or governments? Do investors understand the security environment of the companies they invest in?

The investigation and subsequent SEC disclosure guidance are directed at protecting investors and encouraging companies to assess their risks and their impact on company operations, liquidity, and financial condition. Insurance was also considered in the investigation and in the subsequent SEC guidance as a potential “risk transfer” benefit to companies.

Key Elements of the SEC Guidance

The guidance identifies cyber risks and incidents as potential material information to be disclosed under existing securities law disclosure requirements and accounting standards. While the disclosure guidance states it represents the views of the Division of Corporation Finance and is “not a rule, regulation or statement of the Securities and Exchange Commission,” companies can now expect the SEC to review their filings to see whether cyber risks and incidents are adequately disclosed.

The disclosure guidance identifies factors for companies to consider in determining if they have a cyber security risk that should be disclosed under existing requirements. The company should review its:

• Prior cyber incidents.
• Business operations and outsourced functions that have material cyber risks.
• Potential costs and consequences of cyber risks.
• Relevant insurance coverage purchased by the company to address its exposures.


Risk Factor Disclosure

The SEC’s guidance says that the overall standard companies should use is whether such a risk is among the “most significant” factors that would make an investment in the company “speculative or risky.” The disclosure guidance identifies factors companies should take into account in determining whether disclosure should be made, including:

• Prior cyber incidents (including their frequency and severity).
• Probability of cyber incidents occurring and their potential magnitude (customer data breaches but also industrial espionage, data corruption, or operational disruption).
• Adequacy of preventive actions taken to reduce cyber risks.

The guidance is sensitive to the concern that disclosure requirements not become a road map to assist hackers or outside perpetrators, and that disclosures not contain potentially compromising information of that nature. Rather, it provides a list of disclosure examples for use when disclosure to investors is necessary:

• Aspects of the company’s operations or business that give rise to material cyber security risks, and the potential costs and consequences of such risks.
• Outsourced functions that have material cyber security risks and how the company addresses them.
• Identification of risks related to cyber incidents that may remain undetected for a long time.
• Relevant insurance coverage.

Examples of other disclosures discussed in the disclosure guidance that may be required include:

• Material pending lawsuits or regulatory investigations involving a cyber incident.
• Major costs incurred to prevent a cyber attack.
• Costs incurred in mitigation of damages following a cyber incident, such as “brand incentives” offered to customers to maintain business relationships (e.g., free services or products).
• Disclosure of losses that are “probable and reasonably estimable,” or even “reasonably possible,” following a cyber attack (e.g., losses related to warranties, breach of contract, product recall and replacement, and indemnification of counterparty losses from remediation efforts).

The disclosure guidance also states that cyber security risks and incidents should be addressed in Management’s Discussion and Analysis of Financial Condition and Results of Operations if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent:

• A material event.
• A trend.
• An uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition, or that would cause reported financial information not to be necessarily indicative of future operating results or financial condition.

Risk Message to the Board

The SEC guidance is not the last word, but part of a trend of law and regulation worldwide that requires the board of directors and senior executives to manage cyber risks at the enterprise level with resources and commitment. On our current radar are the bill pending in Congress regarding cyber security of critical U.S. infrastructure industries as well as the proposed new EU data protection regulations.

Lack of senior management and board involvement and transparency will not be a successful strategy for companies on this issue. The circle has been closed between the company, its cyber risks, and investors. Companies that have not focused on cyber security exposures and the financial ramifications of possible losses to themselves and their directors and officers must do so now, not at some indefinite date in the future. Although the focus of the SEC is publicly traded companies, private companies can face claims from their investors as well.

The guidance creates a balancing act between disclosures of risk to investors vs. the possibility that disclosure could compromise security. Directors and officers are in a difficult position and could be held responsible for going too far in one direction or the other. It is unclear whether compliance with the SEC guidance will provide directors and officers with a defense in shareholder derivative litigation. However, failure to follow it at all will certainly be adverse to defenses against such action.

Insurance for cyber risks can no longer be safely viewed as an optional purchase when a company has the means to buy it. The guidance specifically focuses on financial risks, financial risk transfer, and the availability of insurance. It may lead shareholders to claim that directors and officers breached their fiduciary duty if they did not investigate and obtain coverage.

It is also appropriate for risk professionals to consider the use of their captive to fund large policy retentions or insure aspects of cyber risks for which adequate insurance may not be available. Areas that may require more creative insurance solutions (combining various techniques of risk transfer) include loss of intellectual property and disruption of computer networks.

Crossover to Director’s and Officer’s Liability Claims

Shareholder rights groups and plaintiffs’ firms are already scrutinizing disclosures and public filings in light of every known data breach event and will consider filing shareholder class actions, breach of fiduciary duty claims, and/or derivative claims, whether the event affects the company’s stock price or not. The bottom line is that we expect to see an increasing trend in D&O claims filed as a result of data breach events, failure of the board and senior management team to prevent breaches, and lack of adequate disclosure surrounding such events.

D&O underwriters are fully aware of the guidance. Questions on cyber risk governance and cyber risk insurance are now commonplace in D&O underwriting meetings. Examples of questions that may be asked by D&O underwriters include:

• Have you experienced a material breach event?
• What was the outcome of such an event?
• Have you been the subject of regulatory investigations as a result of a cyber incident?
• What steps has the company taken to prevent potential incidents?
• How have you changed your public disclosures as a result of the new guidance?
• Has the board been briefed on cyber risk management and disclosure requirements?
• Do you purchase cyber risk insurance?

Clearly, the SEC’s new guidance has heightened the responsibility to analyze exposure to cyber threats and how future events are disclosed to the public. That responsibility has now been placed squarely in the boardroom.

Practical Advice

Review and amend risk factor disclosures in financial reporting documents; review disclosure controls and procedures in light of company-specific cyber security risks.

As a result of the new SEC guidance, public companies should carefully consider the magnitude and types of cyber security risks the company faces. Risk factors will differ among industries, and companies should in no way rely on boilerplate disclosures. Rather, the company should work with all necessary internal and external parties to evaluate and disclose risks appropriately.

Establish a cross-functional risk committee approach.

Cyber security is a cross-functional risk involving many disciplines, including information technology, risk management, legal, internal audit, procurement, finance, and operations. The SEC guidance will require better communication, risk analysis, meaningful projects, and interaction to improve controls. Risk management should play a significant role not only in the procurement of insurance, but in risk advice, analysis, and support, bringing all disciplines within the company together.

Initiate a process to review cyber risk insurance and other risk transfer options.

Risk managers, legal counsel, and others must make it a priority to educate the senior management team and the board so they understand the risk transfer options available, ranging from traditional insurance vehicles to the use of captive insurers. In addition, the management team and board should be briefed on breach response procedures and how the company will react in the event of a security breach, whether insurance is put in place or not.

Prepare for a much deeper inquiry by D&O underwriters.

As discussed previously, D&O underwriters will be asking more questions related to cyber risk breaches, disclosures, insurance, and breach response preparation. Traditionally, D&O insurers want to meet with risk management, legal, and financial officers such as the treasurer or chief financial officer. Given the heightened risk and the new guidance, it may be prudent and necessary to involve someone from information technology in D&O renewal meetings, especially if the company has actually experienced a security breach.


Describe cyber incidents or cyber breaches as they happen.

If an incident occurs resulting in material costs or consequences (remediation costs, increased prevention efforts, or brand damage) that may indicate material future cyber security uncertainties, trends, or events, it must be disclosed and described in “Management’s Discussion and Analysis of Results of Operations.” Disclosures in other sections of a company’s financial reports (for example, “Risk Factors” or “Legal Proceedings”) will likely be required as well. Significant attacks may even warrant current reporting on a Form 8-K notifying shareholders of a material event or a press release. Cyber security risks and events may impact a company’s financial statements, and companies should discuss with their auditors costs for prevention, remediation, loss recognition and/or loss mitigation, and how they would be classified. These disclosures should occur in real time as they happen.

Lockton Resources

Lockton has been a leader in presenting cyber risks much the same way we do in D&O underwriting meetings, through “investor-type” briefings rather than lengthy applications.

Lockton’s team of resources—your Account Executive, Lockton Financial Services, and Lockton’s Technology and Global Privacy Practice—are here to help and support your cyber risk management efforts as well as provide custom D&O solutions in this ever-changing market.

Footnote

1 Available at: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

About the Authors

Emily Freeman

Emily is an Executive Director and leads the Lockton Technology Risk Practice Group in London. Emily has been a pioneer in developing many cyberspace, technology, and professional service products. She is a frequent speaker and writer for professional publications regarding her areas of expertise.

William Boeck

Bill is Senior Vice President and Insurance & Claims Counsel with Lockton Financial Services and Lockton’s Global Technology and Privacy Practice. Bill serves as Lockton’s senior legal and claims resource worldwide on D&O, cyber risk, and other financial lines policies. He is an attorney with more than 25 years of experience handling insurance claims and creating policy wordings.

Chris McBee

Chris is a Senior Vice President and Financial Services Unit Manager for Lockton’s Dallas office. He has more than 20 years of insurance industry experience focused on complex financial services programs for publicly traded or large private company programs, including D&O, professional liability, cyber risk, employment practices liability, fiduciary liability, alternative risk placements, and complex claims resolution.


Our Mission

To be the worldwide value and service leader in insurance brokerage, employee benefits, and risk management

Our Goal

To be the best place to do business and to work

www.lockton.com

© 2012 Lockton, Inc. All rights reserved. Images © 2012 Thinkstock. All rights reserved.
