NU Online News Service, March 16, 10:34 a.m. EDT

Company directors do not realize the full threat of their cyber-liability exposure, and they must be more aware of the legal hazards they face or risk litigation from investors and regulators, says an insurance broker.

Speaking at the Advisen Cyber Liability Insights Conference hosted by Willis in London on Tuesday, Francis Kean, Willis Group Holdings executive director in the firm's FINEX Global Unit, warned that boards must understand how exposed their companies are to the digital-threat environment following recent Securities and Exchange Commission guidance on disclosure of cyber-attacks.

“The SEC guidance is a useful wakeup call to the risks of data breaches for boards everywhere, but they now have a delicate balancing act,” Kean says. “The problem with exposing cyber breaches is you don't want to provide a route map to hackers or potential plaintiffs down the road, but you also don't want to expose yourself to a shareholder class action.”

Kean stressed the need for boards to understand emerging cyber threats, saying, “There is a whole universe of potential cyber risk not understood at a board level. This, in turn, creates a risk that directors will fail to discharge their duty of care and duty to promote the success of the company. Their fiduciary duties require them to gain some understanding of the cyber threat faced by their companies and to ensure adequate and proportionate procedures are adopted to mitigate the consequences of a serious data breach.”

The SEC guidance was issued last October in response to concerns that it was hard for investors to assess security risks if companies fail to disclose data breaches in their public filings.

There are five specific disclosure areas addressed in the guidance:

  • Pre-attack exposure analysis.
  • Cyber incidents.
  • Exposure to the firm in description of business.
  • Legal proceedings.
  • Financial statement implication.

On another panel at the event, Jeremy Smith, Willis' cyber liabilities practice leader, discussed the development of cyber-liability insurance, saying, “The convergence of cyber coverage in recent years was largely due to a lack of sophisticated claims data and significant increases in cybercrime.”

However, Smith noted that brokers are now pushing for further innovation from the market and have managed to secure additional coverage for Payment Card Industry fines (an independent body created by the major credit-card companies that have set information-transmission standards), third-party vendors and terrorism.

Advanced Persistent Threats (APTs), such as the Aurora virus and Nightdragon, are the next challenge for the insurance industry, according to Smith. “APTs are sustained attacks designed to steal intellectual property over a number of years. The insurance industry hasn't fully tackled this threat yet, but I hope that brokers and insurers will find a solution together in the future.”

Smith went on to warn that companies with large exposures should consider tailored cyber policies.
