By Alan Brill, Senior Managing Director, Cyber Risk, Kroll
The Securities and Exchange Commission (SEC) announced its first enforcement action under the cyber security guidance it released earlier in the year. Under a settlement agreement, a firm agreed to pay a $1 million penalty for failing to operate with appropriate cyber security controls in place.
In a case in which the SEC (or other regulator) finds that an organization’s cyber security is not what it should be, there is a very real risk that an individual lawsuit against the company’s management and board of directors could follow, from shareholders, those with compromised information, or both. Insurers and brokers involved in providing protection against shareholder or customer lawsuits should regard this as a warning shot. The issue can move quickly from one of cyber security to coverages relating to executives and board members. If you don’t have a good understanding of an insured’s cyber security standards, activities and compliance programs, you can’t effectively assess the risk.
The SEC’s guidance is based on the very real fact that an organization’s financial, operational and technology systems are intertwined, and that protecting the integrity of both a company’s books and its sensitive customer information is inextricably linked to cyber security.
There is no lack of clarity in the message associated with the announcement of this settlement and penalty. The SEC expects companies to not only have in place commercially reasonable standards, policies and procedures for cyber security, but to implement them along with compliance and audit procedures to assure that they are working as intended.
There is also an expectation that management and boards understand that cyber security is not a “one and done” proposition. As an organization’s business evolves and technology changes, the policies and procedures, along with their associated compliance measures, must also change. Cyber security must be just as dynamic as the risks to our systems. System monitoring is becoming a recognized (and expected) best practice.
It is also clear that an organization cannot limit its concern about cyber security to its own cyber-operations. Those who can access your systems – independent contractors, partner organizations, supply chain partners, vendors or others – and those with whom you share nonpublic data must also be considered. How are they authenticated? The case that was settled involved attackers who were able to establish or take over – through social engineering – independent contractor accounts, and who used those accounts to commit crimes through the company’s systems. How are such users limited in what they can see and do? What alarm mechanisms are in place to provide real-time monitoring of user accounts for unusual activity?
In a separate case involving a company that had suffered significant data breaches, analysis showed that they had comprehensive cyber security standards and policies which they eventually described as “aspirational” and not a statement of what they had actually committed to do.
The SEC – as well as other regulators and potential class-action plaintiffs – expects that there will be a match between stated standards and the controls that are actually in place. Without periodic and independent evaluations, active monitoring, and anomaly identification and evaluation, there is a risk of actual practice deviating from the expectations set out in a company’s standards.
Assuming that an organization has commercially reasonable standards that comply with legal and regulatory requirements, it is the gap between expectation and reality that leads to problems. Just as hackers look for and exploit vulnerabilities in systems and procedures, expect regulators and investors to be greatly troubled by gaps that should have been closed by cyber security practices, identified through monitoring procedures, and appropriately investigated and remediated.
Actual problems identified through monitoring, compliance and audit processes represent another input to the continuous improvement process.
The SEC’s action clearly shows that it is serious about this issue, and that it is staffed and ready to conduct enforcement actions relating to cyber security.
Our experience indicates that the biggest danger faced by brokers and underwriters in considering the SEC’s guidance and enforcement actions is not knowing the actual state of cyber security implemented by an insured. Without this knowledge, risk can’t be assessed and effective response becomes difficult or impossible.
Tools exist to efficiently help companies carry out more in-depth self-assessments than many insurers require and to provide more actionable information to underwriters. Consideration must also be given to how the SEC’s action may affect far more than cyber insurance if the issue turns from ineffective cyber security to ineffective management.
Given the SEC’s prior cyber security guidance and its enforcement announcement, insurers cannot simply assume that the cyber security operations of both large and small firms are in compliance.
Not knowing, to put it simply, is not acceptable.
This article was originally published by PropertyCasualty360