Last week, the SEC charged Timothy Brown, the chief information security officer for SolarWinds, with fraud for withholding vulnerabilities that led to a cyber attack on at least 100 critical-infrastructure firms, with some 18,000 companies facing serious vulnerabilities. This announcement followed the DOJ’s decision in May to sentence Joseph Sullivan, the chief security officer for Uber, to three years of probation and a fine of $50,000 for hiding from and lying about a breach of 57 million Uber users to his employer, the FTC, and investors. 

Both of these high profile cases reflect that the U.S. government has recently made cybersecurity a top priority. In March, the White House issued an executive order on Improving the Nation's Cybersecurity along with a National Cybersecurity Strategy. In June, the DOJ created a new National Security Cyber Section. In July, the SEC adopted new rules for public companies on Cybersecurity Risk Management. 

Additionally, the FTC has launched 20 privacy and security enforcement actions over the last three years with 80% of them in the last year. Similarly, the SEC has brought the majority of 50 cyber-related enforcement actions in the last year. These involve five different problems:

• Account intrusions

• Hacking and insider trading

• Market manipulation via fake digital content

• Weak cybersecurity controls and data safeguarding

• Failure to disclose incidents or misrepresentation of controls

How Newfront Can Help Companies Navigate the Cyber Landscape

These actions underscore the need for companies to become more proactive about cybersecurity, and the need for capable risk-management partners. Newfront’s experts can help. We do more than broker insurance. With in-house cyber experts and a robust Executive Risk team that proactively identify gaps in security and coverage, we provide comprehensive risk-management solutions, including:

• Risk Scans: We scan your public-facing assets to uncover potential exposures, including open ports, end-of-life software, and unpatched CVEs. We partner with dark web monitoring firms that can reveal attacks before they occur.

• Third-Party Expertise: We collaborate with expert cybersecurity firms, data aggregators, and data-privacy lawyers. Many provide complimentary services followed by discounted engagements. We are launching supply-chain assessments as well as services around SEC regulations such as boardroom review of cyber controls and materiality calculations.

• In-Depth Analytics: We provide detailed analyses of four different risk drivers and then model their maximum-probable losses. As a result, clients can move beyond benchmarking and best guesses and make data-driven and risk-based choices about self-insurance and insurance limits.

• Disclosure Consideration: Our breach response and cyber claims consultants will partner with your compliance team following an event to ensure consideration with respect to disclosure of material cyber events.

Insurance Implications: Bridging the Gap

Newfront has an excellent track record servicing the insurance needs of some of the largest tech companies in the world. It’s increasingly important to have a knowledgeable partner to identify and resolve the growing gaps in coverage that the latest cyber events are surfacing. Cyber insurance policies cover IT-related losses, such as privacy and security liability or losses from interruption, extortion, or brand impairment. The regulatory defense coverage is limited to privacy statute enforcements, and fines are payable only where insurance regulators allow. Intentionally malicious acts by directors and officers are generally not covered by cyber insurance policies and such acts can strip coverage from the insured entity. Likewise, cyber insurance policies exclude SEC actions. 

If structured appropriately, D&O insurance should protect security officers. Companies and their security officers should look closely at their D&O policies and corporate charters to understand which individuals are insured, and the related question of who is entitled to indemnification from the company in the event they are named in a lawsuit. For Newfront clients, these questions present essential discussion points at the onset of our partnership with any organization, to ensure that clients understand who and what is covered, and ultimately that a D&O policy responds as intended.

Cybersecurity: Proactivity is Key

In this dynamic cybersecurity landscape, Newfront is also positioned to ensure that clients are well-protected and well-prepared. It is essential to understand the scope and potential severity of risks. Cyber threats do not follow predictable patterns or normal distributions, so losses from outlier events create extreme impacts and only appear predictable in hindsight. 

We ensure that our clients are ready for the challenges ahead by combining rigorous analysis with antifragile solutions, such as implementing must-have controls, conducting risk scans, aiding with internal reporting, partnering with best-in-class cyber risk partners, and crafting compelling narratives for boards and underwriters. 

The SolarWinds case is a stark reminder of the increasing importance of cybersecurity and the potential legal implications for lapses both to firms and individuals. It is time for companies to re-evaluate their cybersecurity measures and the insurance coverages that relate to them, and ensure they are prepared for disruptive digital business models, heightened regulatory scrutiny, and an ever-evolving threat landscape.

Need additional details? Read more about our Executive Risk and Cyber Risk expert teams. 

About Newfront

Newfront is a modern brokerage transforming the risk management, business insurance, total rewards, and retirement-services space through the combination of elite expertise and cutting-edge technology. Specializing in more than 20 industries and headquartered in San Francisco, Newfront has offices nationwide and is home to more than 800 employees serving organizations across the United State and globally. For more information, visit newfront.com and follow us on LinkedIn.