February 26, 2013 Articles

The Role of Insurance in the Land of Viruses, Trojans, and Spyware

Many companies may not be amply considering the important role of insurance as part of their overall strategy to mitigate cyber risk

by Roberta D. Anderson [1]

There’s no denying that the present-day Internet, while extraordinary, is increasingly scary. Cyber attacks of various types continue to escalate across the globe. As stated by one recent commentator, “Cybercrime is raging worldwide.”[2] Reports of high-profile cyber attacks make headlines almost every day. In recent weeks and months, sophisticated distributed denial-of-service attacks on at least 26 of the largest U.S. banks reportedly breached some of the nation’s most advanced computer security, rendering bank websites unavailable to customers and disrupting transactions for hours at a time.[3]

The headlines confirm the reality: Cyber attacks are on the rise with unprecedented frequency, sophistication, and scale. And they are pervasive across industries and geographical boundaries.

Even though no organization is immune from cyber attacks, it is uncertain whether companies are sufficiently aware of the escalating onslaught.[4] Even companies that are sufficiently aware of the problem might not be sufficiently prepared. It is abundantly clear that network security alone cannot entirely address the issue. As noted by one observer, “[t]here is no fail-safe technology that is immune to hacking. Online security will evolve as hackers and security experts work continuously to outwit each other.”[5] Insurance can play a vital role. Yet, some companies may not be adequately considering the important role of insurance as part of their overall strategy to mitigate cyber risk. A recent 2012 survey conducted by global consulting firm Towers Watson reports that 72 percent of the 153 risk managers of North American companies surveyed “ha[d] not purchased network security/privacy liability policies.”[6] And those companies that did purchase policies “opted for limits that were on the low end of the spectrum.”[7] In addition, risk managers and in-house counsel may not be aware whether, and to what extent, the company already has coverage for cyber risks under existing “traditional” insurance policies, many of which cover cyber risks.

A complete understanding of the company’s insurance program is key to maximizing protection against cyber risk. Indeed, in the wake of the recent attacks, the Securities and Exchange Commission has issued guidance on cybersecurity disclosures under the federal securities laws and advises that “appropriate disclosures may include,” among other things, a “[d]escription of relevant insurance coverage.”[8]
