If it wasn’t clear before, it’s certainly clear now: cybersecurity policies are a serious matter, and companies that fail to follow their own policies risk penalties. The Securities and Exchange Commission (SEC) announced that Voya Financial Advisors, a broker-dealer and investment adviser based in Des Moines, will pay $1 million to settle charges that weaknesses in its cybersecurity policies and procedures allowed intruders to gain access to the personal information of thousands of customers.
The SEC’s action is especially significant since it marks the first enforcement action under the cybersecurity guidance that the Commission released in March, which one expert says was supposed to be a wake-up call for businesses.
“From what I’ve seen looking at data breach cases, and I suspect from what the SEC is seeing, it doesn’t seem like the message really got across,” said Alan Brill, senior managing director for the cyber risk practice at Kroll, a corporate investigation and risk consulting company. “The commission is saying we are beyond a wake-up call. You should now consider this a very loudly ringing alarm bell, and when we gave you that guidance, we weren’t actually kidding. We’ve got the appropriate professional staff to pursue these investigations, we have the resources in terms of time and budget to do these investigations, and we’re going to do them. So, ignore what we said, which is actually very similar to what other regulators have said, at your own peril.”
Cyber insurance can help companies mitigate the risk of a breach, and potentially of a resulting fine, because the underwriting process can identify gaps in cybersecurity plans and operations before an incident. It also provides financial support and access to breach coaches, crisis management teams, and forensic investigators when an incident occurs.
According to Brill, the SEC order also notes that companies may face other litigation, from shareholders, for instance, arising from the same conduct that was the subject of the SEC action.
“What they are acknowledging is that doing cybersecurity right is moving from being some sort of technical issue to one that is an expectation on the part of investors and that failing to do it, whether or not you are specifically under the jurisdiction of the SEC, you should remember that there are other kinds of litigation,” said Brill. “Then the question becomes, does this affect the risk profile for things like shareholder actions that might go up, not against the cyber insurance, but against the D&O coverage, and once the SEC is pointing out that cybersecurity is central to their thinking, how does that change the risk that you have when you’re providing coverage for directors and officers?”
It’s also an acknowledgment that cybersecurity is an integral part of the overall protective systems that companies need to have in place, added Brill, and that it is a clear responsibility at the C-suite and board levels. Fortunately, a number of insurers use analytics platforms to assess how effective an insured’s cybersecurity is and to rate the risk before an intrusion occurs.
“The fact that a lot of insurers are going to these more objective tools to get a picture of cybersecurity – as opposed to just saying ‘how are you doing,’ which usually results in ‘we’re doing fine’ – says a lot about the maturity of the marketplace,” said Brill.