By Roberta D. Anderson

Here a breach, there a breach, everywhere a data breach. Verizon’s most recent 2013 Data Breach Investigations Report remarks that “[p]erhaps more so than any other year, the large scale and diverse nature of data breaches and other network attacks took center stage” this year.^[1] And no organization is immune from a breach. The last two years have seen some of the world’s most sophisticated corporate giants fall victim to some of the largest data breaches in history. It is clear that cyber attacks — including data breaches — are on the rise with unprecedented frequency, sophistication and scale. They are pervasive across industries and geographical boundaries. And they represent “an ever- increasing threat.”^[2] The problem of cyber risks is exacerbated, not only by increasingly sophisticated cyber criminals and evolving malware, but also by the trend in outsourcing of data handling, processing and/or storage to third-party vendors, including “cloud” providers, and by the simple reality of the modern business world, which is full of portable devices such as cell phones, laptops, iPads, USB drives, jump drives, media cards, tablets and other devices that may facilitate the loss of sensitive information.

While data breaches and other types of cyber risks are increasing, laws and regulations governing data security and privacy are proliferating. In its most recent 2013 Cost of Data Breach Study, the Ponemon Institute reports that U.S. organizations spend on average $565,020 on post-breach notification alone.^[3] Companies may also face lawsuits seeking damages for invasion of privacy, as well as governmental and regulatory investigations, fines and penalties, damage to brand and reputation, and other negative repercussions from a data breach, including those resulting from breaches of Payment Card Industry Data Security Standards. The Ponemon Institute’s recent study reports that the average organizational cost of a data breach in 2012 was $188 per record for U.S. organizations ($277 in the case of malicious attacks) and the average number of breached records was 28,765, for a total of $5,407,820.00.^[4] The study does not “include organizations that had data breaches in excess of 100,000” records,^[5] although large-scale breaches clearly are on the rise. In the face of these daunting facts and figures, it is abundantly clear that network security alone cannot entirely address the issue; no firewall is unbreachable, no security system impenetrable.

Insurance can play a vital role in a company’s efforts to mitigate cyber risk. This fact has the attention of the Securities and Exchange Commission. In the wake of “more frequent and severe cyber incidents,” the SEC’s Division of Corporation Finance has issued guidance on cybersecurity disclosures under the federal securities laws. The guidance advises that companies “should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents” and that “appropriate disclosures may include” a “[d]escription of relevant insurance coverage.”^[6]
Read more ›