Although the SEC has been developing regulations concerning cybersecurity in the financial services sector, it does not seem to be waiting for such regulations to be issued to launch enforcement actions against companies that are victims of cyberattacks.   

The SEC recently sent a Wells Notice to the executives of a software developer company (the “Company”), following the investigation of an extensive and sophisticated cyberattack impacting both the private sector and the federal government. Wells Notices are typically sent to executives or financial professionals suspected of market fraud or questionable investment schemes, and they indicate that the SEC staff has recommended enforcement action against recipients of the notice. The receipt of a Wells Notice by executives following a cyberattack against their company suggests that cyber incident disclosures and cybersecurity vulnerabilities will be subject to the same level of scrutiny as financial fraud because they can affect an issuer’s share price.  

Earlier this year, a former Chief Information Security Officer of a rideshare company was sentenced for concealing a 2016 cyberattack on their employer. The conviction has caused a great deal of apprehension within the cybersecurity community and has raised concerns that the SEC will continue to take a “blame the victim” approach to cyberattacks on publicly traded companies. This underscores the importance of complete disclosures and the responsibility of companies to have sufficient protections in place against possible cyberattacks.


The Takeaway

In anticipation of the upcoming regulations and the SEC’s enforcement activity on the cybersecurity front, businesses are encouraged to revisit the interplay between their Cyber and Directors and Officers insurance policies. These two policies should complement one another to minimize any gaps in coverage for entities and individuals as they relate to Cyber risk, and to ensure that coverage for SEC investigations is triggered as early as possible. Company executives also need assurance that, at a minimum, their defense costs will be covered in response to such regulatory inquiries.  


A prominent foundation in the UK has issued a report challenging the persistent but false narrative that cyber insurance is fueling the ransomware epidemic. Critics of this fast-growing risk transfer product have maintained that the availability of insurance incentivizes businesses to just pay their extortionists instead of finding ways to resume operations without payment. However, the Royal United Services Institute (the “RUSI”), which describes itself as “the world’s oldest and the UK’s leading defense and security think tank,” has seemingly put that question to rest.  

In a paper entitled “Cyber Insurance and the Ransomware Challenge,” the RUSI argues that “there is no compelling evidence that victims with cyber insurance are much more likely to pay ransoms than those without.” In the executive summary of this report, the RUSI notes that the cyber insurance industry has been criticized for its role in helping businesses manage risk. Despite evidence that some threat actors use policy information they obtain during an attack to inform their negotiations, the RUSI’s own research did not reveal that extortionists are intentionally targeting companies with cyber insurance. The report does acknowledge that the insurance industry could be doing more to encourage best practices on the part of policyholders that would reduce the likelihood that they will need to make a ransom payment.


The Takeaway

Alliant has been educating its clients about how to protect themselves against ransomware and connecting them to service providers who can help them deploy the types of controls that underwriters say have a lasting impact. Additionally, our new risk consulting team can help businesses update their incident response plans and lead tabletop exercises to equip senior executives to minimize the financial and reputational harm associated with an event. The payment of a ransom should always be a last resort, and businesses that take network security and data privacy seriously up front are far less likely to find themselves having to pay a threat actor later.