The Federal Financial Institutions Examination Council (FFIEC) has issued a joint statement providing guidance for financial institutions about the role of cyber insurance in the risk management of information technology systems. The FFIEC comprises the principals of the following: the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, and the State Liaison Committee.

On April 10, 2018, the FDIC, as a member of the FFIEC, issued statement FIL-16-2018, applicable to all FDIC-supervised institutions. On April 11, 2018, the Office of the Comptroller of the Currency (OCC) issued a similar bulletin (OCC Bulletin 2018-8) on the FFIEC’s joint statement, noting that the joint statement applies to all institutions supervised by the OCC. The joint statement and the associated FDIC letter and OCC bulletin include the following highlights:

  • FDIC-supervised institutions are not required to maintain cyber insurance. However, cyber insurance could offset financial losses from a variety of exposures—including data breaches resulting in the loss of confidential information—that may not be covered by more traditional insurance policies.
  • Traditional general liability insurance policies may not provide effective coverage for all potential exposures caused by cyber events.
  • Cyber insurance does not replace a sound and effective risk management program.
  • Cyber attacks are increasing in volume and sophistication, and traditional general liability insurance policies may not provide effective coverage for potential exposures caused by cyber events.
  • Cyber insurance may help reduce financial losses from a variety of exposures, such as data breaches resulting in the loss of sensitive customer information.
  • Cyber insurance does not diminish the importance of a sound control environment; rather, cyber insurance may be a component of a broader risk management strategy.
  • As institutions weigh the benefits and costs of cyber insurance, considerations may include: (a) involving multiple stakeholders in the cyber insurance decision; (b) performing proper due diligence to understand available cyber insurance coverage; and (c) evaluating cyber insurance in the annual insurance review and budgeting process.

The FFIEC’s statement is not intended to contain new regulatory expectations, but instead to provide awareness of the potential role of cyber insurance in financial institutions’ risk management programs. Financial institutions ultimately remain responsible for maintaining a control environment consistent with the guidance outlined in the FFIEC IT Examination Handbook.


On February 21, 2018, the Securities and Exchange Commission (SEC) published a release entitled “Commission Statement and Guidance on Public Company Cybersecurity Disclosures” (“Release”).  Designed to assist public companies in preparing disclosures concerning cybersecurity risk and incidents, the release expands upon the SEC’s previous guidance in 2011 to emphasize particular areas, including board oversight, disclosure control and procedures, insider trading and Regulation FD. In addition, the release addresses two topics not developed in the 2011 guidance: (1) the importance of cybersecurity policies and procedures, and (2) the application of insider trading prohibitions in the cybersecurity context.

The SEC’s Release covers the following major points:

Disclosure Guidance

  • Scope of Risk Disclosure Includes Potential Incidents. The SEC stated it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.
  • Weighing Materiality in Disclosure Obligations. In determining disclosure obligations, “companies generally weigh, among other things, the potential materiality of any identified risk, and, in the case of incidents, the importance of any compromised information and of the impact of the incident on the company’s operations.” Materiality may depend on the “nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations” and the range of harm incidents could cause, including harm to a company’s reputation, financial performance, customer and vendor relationships, and potential litigation or regulatory investigations or enforcement actions.  This includes regulatory actions by state and federal authorities as well as non-US authorities.
  • Timing and Content. The Release acknowledges the challenge of determining the appropriate timing for disclosures, as companies must have time to understand the incident’s scope and determine how much to disclose.
  • Risk Factors. The Release cites Regulation S-K and Form 20-F as requiring companies to disclose the most significant factors that make investments in the company’s securities speculative or risky. Companies should disclose cybersecurity-related risks if they are among such factors, including risks that arise in connection with acquisitions. The Release states it would be helpful for companies to consider the following issues, among others, in evaluating cybersecurity risk factor disclosure:
    • The occurrence of prior cybersecurity incidents, including their severity and frequency;
    • The probability of the occurrence and potential magnitude of cybersecurity incidents;
    • The adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain cybersecurity risks;
    • The aspects of the company’s business and operations that give rise to material cybersecurity risk and the potential cost and consequences of such risks, including industry-specific risks and third-party supplier and service provider risks;
    • The costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers;
    • The potential for reputational harm;
    • Existing or pending laws and regulations that may affect the cybersecurity-related requirements to which companies are subject, and the associated costs to companies; and
    • Litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.
  • Content of Disclosure. Companies are not required to include disclosure that would provide a “roadmap” for how to breach a company’s security protections — such as technical information about systems, networks or devices — or other potential vulnerabilities in such detail as would make such assets more susceptible to an incident. However, the Commission does expect companies to disclose cybersecurity risks and incidents that are material to investors, to make appropriate disclosures timely and sufficiently prior to the offer and sale of securities, and to take steps to prevent officers, directors, and other insiders from trading securities until investors have been appropriately informed.  Companies should watch for situations in which they need to correct or update prior disclosures as additional information is learned.  In meeting their disclosure obligations, companies may need to disclose previous or ongoing incidents in order to place discussion of risks in the appropriate context.  For instance, if a company previously experienced a material denial-of-service attack, it likely would not be sufficient to merely disclose that there is a risk that a denial-of-service incident may occur.  Instead, the company may need to discuss the occurrence of that incident and its consequences as part of a broader discussion of the types of incidents that pose particular risks to the company’s business and operations.

Policies and Procedures

  • Board Oversight. Under current Item 407(h) of Regulation S-K, companies must disclose the board of directors’ role in the risk oversight of the company, and the Release suggests specific discussion of the nature of its role in cyber risk management, especially if cyber risks are material to the company’s business.  The Release indicates that disclosing a company’s cybersecurity risk management program and how its board engages with management on cybersecurity issues “allows investors to assess how a board is discharging its responsibilities in this increasingly important area.”  As a response to this release, companies may wish to consider broadening or deepening their board’s engagement with these issues.
  • Disclosure Controls and Procedures. The SEC stated that it is “crucial” for a public company to have disclosure controls and procedures that provide an appropriate method of discerning the impact of such matters on the company and its business, financial conditions, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.  These controls and procedures must ensure senior management is promptly made aware of important cybersecurity issues to enable informed disclosure decisions regarding the substance of any issues and to facilitate appropriate officer certifications and disclosures regarding the effectiveness of the controls and procedures.  Companies should “identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors and make timely disclosure regarding such risks and incidents.”  In addition, a company should not limit its disclosure controls and procedures to only what is specifically required, but should also ensure timely collection and evaluation of information potentially subject to disclosure.
  • Insider Trading and Regulation FD. The Commission reminds companies that, in some circumstances, cybersecurity risks and incidents may constitute material nonpublic information, and that existing insider trading and Regulation FD policies should already include any type of material nonpublic information. However, the Commission states, companies should consider highlighting this possibility through training, or adding cybersecurity incidents to lists within these policies of examples of potentially material information. Policy administrators should establish processes to ensure they are aware of developing cybersecurity incidents when determining whether to close certain trading windows or approve specific trades. Even when there has been no insider trading violation, companies may be subject to scrutiny if executives trade prior to disclosure of cyber incidents that develop into significant events. Companies must be mindful of making selective disclosures of cybersecurity events to the persons enumerated under Regulation FD (namely, persons reasonably expected to trade on the basis of such information) before that information is publicly announced. Policies and procedures for addressing a cybersecurity event should inform those handling the situation of the need to maintain appropriate confidentiality until a public announcement is ready to be made.
  • Conclusion. The Release highlights the SEC’s increased attention to cybersecurity-related disclosures and its concern that investors may not be fully informed about growing cybersecurity risks. In response to this Release, publicly traded companies should:
    • Review and consider refreshing the disclosures in their periodic reports and registration statements, taking into account the detailed criteria contained in the Release and how the impact of incidents (and the risks of potential incidents) may be material to the information that must be presented;
    • Evaluate policies, procedures, and practices related to disclosure to consider whether they need to be updated or refreshed in light of this Release, and to ensure that their boards’ oversight is in line with the risks faced by the company; and
    • Consider whether information regarding cybersecurity- and privacy-related risks and incidents is appropriately developed and communicated to result in accurate and timely disclosures and to avoid inadvertent insider trading and Regulation FD violations.

On December 28, 2016, the New York State Department of Financial Services (NYDFS) updated its proposed cybersecurity regulation to protect New York State.  The proposed regulation is effective March 1, 2017, and requires banks, insurance companies and other financial services institutions regulated by DFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.  Entities covered by the rule include “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law.”  We last reported on the draft version of these rules in a previous post.

The rule was issued after receiving comments on the proposed rule due November 14, 2016.  The updated proposed regulation, which was submitted to the New York State Register on December 15, 2016 and published on December 28, will be finalized following an additional 30-day notice and public comment period, which ends 30 days from publication, or Friday, January 27, 2017.
