While the full implications of the New York State Department of Financial Services’ (DFS) cybersecurity regulation, which went into effect March 1, are still being realized by the insurance industry, many are beginning to question the regulation’s impact to directors and officers (D&O) liability in particular, according to panelists at a recent Mayer Brown seminar in New York.
“There has been lots of talk about cyber insurance for cyber breaches and breach-related liability, but I think another topic folks are starting to focus on is D&O liability insurance and how that is affected by the regulation,” said panelist Lawrence Hamilton, a partner at Mayer Brown. “Going forward, I’m sure insurance companies that provide D&O coverage will be looking at and adding to questionnaires the extent to which a company is complying with the cyber regulation in New York.”
Panelists for the event got together to discuss how to comply with the New York DFS cyber regulation and how to respond when a breach occurs.
Because the regulation, which serves as the first of its kind in the U.S., imposes new obligations on corporations engaged in insurance, such as adopting written policies and procedures, appointing a chief information security officer (CISO) and performing regular risk assessments, boards of directors and senior officers will have a duty to ensure these obligations are being fulfilled, Hamilton said.
This isn’t something to just pick up in February. You have to start picking it up right now.
“Many people will be asking, ‘Where do the boards of directors and senior officers fall into this?'” he said.
If there is a cyber breach or enforcement action brought by the DFS, it could create a vulnerability for directors and officers who will want to be able to show that they took all reasonable steps to ensure the regulation was being properly implemented at their company, he added.
“There will be D&O claims, I’m sure, in cases where that didn’t happen,” he said. “On existing policies, there may not have been a lot of this taken into account in anybody’s insurance underwriting.”
This could create problems for companies that historically have separated directors’ and officers’ involvement in cyber events.
“One key thing is always to make sure the board of directors is in on this,” said cyber expert N. MacDonnell Ulsch in a separate panel discussion at last year’s Professional Liability Underwriting Society (PLUS) Cyber Liability Symposium in New York. “I’ve been in breach meetings where the executive management team says, ‘Don’t share this with the board yet. Don’t upset them yet.’ But you need to make sure the board is aware of what’s happening on a continuing basis.”
Leaving the board out of these discussions can lead to a lack of preparation and awareness, which has become increasingly important in the wake of technological advancements and the New York regulation, said panelist John Connell, a managing director at UnitedLex, at the Mayer Brown event.
“Very often, organizations aren’t prepared [for cyber events], and as a result, they don’t have any evidence when trying to justify these [cyber] claims,” he said. “When it comes to meeting obligations with the state, they will have the same sort of problem.”
One way to ensure a company is prepared to meet New York’s cyber obligations is to check for a range of policies that are up to date in a world of technology that is constantly changing, Connell said.
“I often go through this with companies and ask, ‘Do you have policies for a range of events – a security policy, a work from home policy, a password policy?'” he said. “The quick answer is usually yes, but then I’ll say ‘When was the last time they were revised or that you looked at them?’ I find policies all the time that have references to flip phones that were given out to an employee that has been with the company for 10 years on the first day they were hired.”
With this in mind, boards of directors and senior officers typically have an obligation to make sure appropriate risk management practices are in place to protect investors, shareholders and the company in general, Ulsch said during the PLUS panel discussion.
“That’s why they’re targeted,” he said. “If we look at the litigation that’s occurring today, boards of directors are being targeted and could be held independently liable as cyber risk is now starting to be perceived as risk of equal or greater value than other types of risk.”
One of the first steps to avoiding cyber claims, litigation or regulatory action in the future is to put together a gap assessment that takes a look at what needs to be done to attest to the fact that the company has the proper obligations in place, panelists at the Mayer Brown event discussed.
“In terms of the letter of the law, yes, you can have a policy, dust it off and pull it out,” Connell said. “But if there’s a breach or some sort of problem afterward and the DFS starts asking how it happened, and you pull out a policy dated 2009, everything is judged in hindsight.”
A gap assessment can be done not only to meet the regulatory requirements, but also to determine how far above the bar a company would like to go, he said. It is important to figure out what needs to be done, how it needs to be implemented and how it can be carried out in an honest fashion, he added. This can help identify what is missing, what is out of date and how effective the overall cyber program is at a company.
“It’s important to have an actual CISO in place and not just an IT guy, to break down what areas you’re doing well in and what areas you’re not and to have new technology and updated policies in place,” he said. “One thing that has been primary for us is an instant response plan. We go through tabletop drills where we run through a scenario and bring in the executives that will have to make the decisions when that happens.”
Indeed, involving the executives is an important aspect of building a cyber response plan and carrying out an effective risk assessment, Angelo Stio, partner in the Litigation and Dispute Resolution Department of Pepper Hamilton LLP, told Insurance Journal.
“I think you may see some litigation challenging the actions of directors and officers with regard to annual certifications, risk assessments, and failing to dedicate assets to reduce risks,” he said. “On this issue, it will be critical for an organization to document its compliance with the regulation and the rationale and actions taken by directors and officers.”
Preparing for the Future
The final New York regulation requires banks, insurance companies and other financial services institutions regulated by the Department of Financial Services to establish and maintain a cybersecurity program to protect consumers’ private data and ensure safety within New York’s financial services industry, according to a press release issued by the New York DFS announcing the regulation. The regulation requires each company overseen by the New York DFS to assess its specific cybersecurity risk profile and design a program that addresses those risks.
“It’s going to take a lot of work to get prepared for what they’re asking everybody to do,” Connell said.
The requirements should be in place before the deadline for the first annual certification filing with the DFS, where the CISO or another officer at each regulated company has to certify to the DFS that the company is in compliance with requirements and regulations – a deadline that is approaching on February 15, 2018, panelists said.
“I have a feeling that on February 14 of next year, there will be a lot of people panicking,” said panelist Jeffrey Taft, a partner at Mayer Brown. “This is what everybody should be thinking about. It’s going to take a long time to comply for most people, so this isn’t something to just pick up in February. You have to start picking it up right now.”
*This story appeared previously in our sister publication Insurance Journal.