Those who have attended our Elevista cyber workshops will know we’ve often devoted time to analyse the biology of the data breach suffered by US retailing giant Target at the end of 2013 – arguably one of the biggest and most sensational data breach incidents to date.
For those not in the know, Target discovered in November 2013 that around 110 million customer records had been stolen by hackers:
- 40,000,000 credit and debit card records compromised; and
- 70,000,000 other personal records “missing”.
Forensic investigations uncovered that sophisticated malware had been installed on their point-of-sale systems for some time.
Once publicly reported, the fallout from the breach included a litany of loss for Target. As well as the expense of offering affected customers credit monitoring services and shopping incentives, Target incurred (and continues to incur) significant legal, forensic and public relations expenses to deal with the:
- Regulatory investigations that were launched by State and Federal authorities;
- Congressional hearings;
- Resignations of their CIO and CEO in the wake of the breach; and
- Reported 46% drop in profit immediately following the incident.
In its latest report to the SEC on 28 May 2015, Target confirmed over 100 lawsuits have been filed against it by customers, banks and credit card providers. Some customer class actions have been settled (subject to court approval) for $US10M (up to $10,000 per customer). Expenses to date are $US256M, with only $90M expected to be recovered as insured losses.
Whilst the type, size and scale of the losses suffered makes this case well worth the trouble to examine, it is also instructive because of the types of legal actions it has produced.
For the first time we have seen 2 “derivative” or shareholder actions brought personally against the directors and officers of the company as a result of a cyber breach. The legal proceedings allege that they failed to take adequate steps to monitor and protect customers’ confidential information and prepare a breach response. There are also allegations about the way the breach was handled by the Board and the directors’ failure to keep the market promptly and appropriately informed.
This may well be the tip of the ‘D&O iceberg’. Just months after Target was sued, shareholders in Wyndham Worldwide Corp brought a similar lawsuit against the directors and officers of that company, based on 3 data breaches occurring between 2008 and 2010.
While these legal actions would potentially be covered under traditional D&O policies, they raise some interesting insurance issues. D&O policies are usually silent on the issue of cyber risk: they do not specifically include or exclude it. From a legal perspective this potential for “grey areas” in a policy’s coverage needs to be addressed. Uncertainty in an insurance contract is never a friend to either insurer or insured, and should be avoided at all costs.
These developments are creating opportunities for underwriters and insureds alike to include more explicit language on cyber exposures in these types of policies. Insureds and their brokers should look closely at the coverage clauses and exclusions in D&O policies, to ensure there are no unintended consequences in the event of a cyber-type claim. For example, exclusions for professional services or fines and penalties may in their current form exclude cover in a cyber scenario.
Underwriters should also be cognizant of the types and range of questions they ask at renewal about what a company and its directors and officers are doing when it comes to cyber security, particularly in light of ASIC’s most recent publication.
Following the guidance issued by the SEC in 2011 to public companies in the United States about their disclosure obligations for cyber security risks and cyber incidents, ASIC released its own report, “Cyber Resilience: Health Check”, in March 2015.
The report not only recommends that regulated entities review and update their cyber risk management practices, it reinforces ASIC’s expectation that cyber risks may need to be disclosed as market sensitive information, and that directors need to take cyber risks into account when discharging their duties to consider risk management issues.
ASIC has also emphasized the need for organizations to comply with privacy legislation and notes cyber insurance may be an “appropriate business decision” based on a company’s risk profile.
The report should leave Australian companies in no doubt that ASIC considers cyber a high risk area, and it will be a growing focus of its surveillance programs into the future. In fact ASIC Chairman, Greg Medcraft, has been quoted as saying that cybercrime could be the next “black swan” event and has warned that Australian companies are not sufficiently prepared for such dangers.
Cyber exposures have well and truly arrived on the Australian regulatory radar. And with this acknowledgment comes an increased focus on risk solutions. The insurance industry will no doubt be challenged to continue to provide innovative and progressive products to seize the opportunities emerging from this growth, and to assist their insureds to grapple with increasing risk and compliance demands.