2014: Cyber Insecurities in the Board Room

Data breaches and cyber-attacks dominated headlines during 2014. As the dust from the Target data breach settled, corporate America watched as well-respected companies came forward with their own public disclosures. The attacks varied in design and spanned industries: within the retail sector, Target and Home Depot were breached; within the finance sector, J.P. Morgan revealed that it suffered a breach that affected 76 million households; and Community Health Systems—a publicly traded company that operates 206 hospitals—reported in August that Chinese hackers stole medical records from 4.5 million patients. The sources of the data breaches range from high school students to foreign governments. In addition to intentional attacks, the public discovered that an encryption flaw dubbed “Heartbleed” had opened a window for the past two-and-one-half years through which hackers could steal personal information with little risk of detection.

The events of 2014 forced the private sector to address these new threats. Companies took stock of their vulnerabilities in an attempt to strengthen the security of their systems, but discovered a troubling reality: when it comes to cyber-attacks, the question is not “if”—it’s “when.” The rate at which technology evolves, and the sophistication—and sheer number—of bad actors creates exposures that no security expert can ever hope to completely address. The seemingly unavoidable risk of a cyber-attack has compelled many companies to redirect much of their focus to mitigating potential losses following a data breach.

A key component in mitigating a company’s loss is cyber insurance. The sale of cyber insurance surged over the past year, and while the final figures are still being tallied, the insurance industry predicts that salesdoubled from 2013. Each policy differs, but in general, first-party policies cover many costs incurred in response to a data breach, including hiring security experts, consultants, public relations companies, and law firms to perform a variety of services related to the breach.

Data breaches and security events also may lead to government investigations and enforcement actions, as well as lawsuits from consumers and shareholders. Many of these actions stem from a company’s alleged failure to adequately secure consumer information or failure to comply with data breach notification laws. Because each state has its own notification requirements, assessing whether a breach triggers a notification requirement can be incredibly difficult and expensive. However, in the event a company is sued or subject to investigation, most third-party cyber insurance policies provide coverage for defense costs and liabilities stemming from a breach or security event.

2014 introduced America to the personal threats posed by hackers and bad actors. Companies responded by addressing vulnerabilities, but also by preparing for the worst—and perhaps, the inevitable. While it’s difficult to predict what the next twelve months will hold for American consumers and businesses, it’s clear that cyber insurance and the law will continue to play a prominent role.