TheCorporateCounsel.net

August 9, 2017

Ratings Principles: Now Coming to Cybersecurity

Recently, a group of more than 40 prominent banks, retailers & tech companies released these “Principles for Fair & Accurate Security Ratings.” Here’s a teaser from this BakerHostetler blog (also see this Reuters article):

The principles are designed to promote fair and accurate cybersecurity ratings – in response to the recent emergence of several ratings companies that collect and analyze publicly accessible data to analyze a company’s cybersecurity risk posture. The ratings are increasingly used by insurers – as well as in M&A and other business decisions.

The data for risk ratings is typically collected without the target company’s knowledge and comes from a variety of sources – e.g. hackers’ forums, darknet data, Internet traffic stats, port-scanning tools & open-source malware intelligence sources. Ratings companies then use proprietary methodologies and algorithms to analyze the data and assign a grade.

Importantly, however, cybersecurity ratings have the potential for being inaccurate, incomplete, unverifiable and unreliable – if, for example, the source data is inaccurate or the methodology doesn’t account for risk mitigations in place at a company.

The principles developed by the consortium were designed to increase confidence in and the usability of fair and accurate cybersecurity ratings by addressing the potential problems. The principles were modeled after the Fair Credit Reporting Act.

We don’t know if cybersecurity risk ratings will become anywhere near as important as credit ratings – but keep them on your radar. The signatories to the principles include Aetna, American Express, Bank of America, Chevron, Eli Lilly, Fannie Mae, FICO, Goldman Sachs, Home Depot, Honeywell, JP Morgan, Microsoft, State Street & lots of other big names.

When is “Hacking Disclosure” Required in SEC Filings?

By now, most companies have a cyber incident response plan – which should include contacting a securities lawyer to evaluate disclosure requirements. As outlined in this Goodwin memo, these decisions continue to depend on a fact-specific materiality analysis:

What is “material” ends up being far less clear, and there is plenty of room for a public company to determine in good faith that a specific cyber incident does not require separate disclosure. Where the obligation is unclear, a company’s reluctance to disclose is understandable: Disclosure may highlight vulnerabilities, and will bring unwelcome attention from customers, regulators and others. The plaintiffs’ bar will also circle, smelling the possibility of a class action, and they will not view the company and its managers as the victims.

While the SEC won’t second-guess a good-faith analysis, they also won’t shy away from investigating disclosure lags – see this WSJ article about whether Yahoo’s data breach should’ve been reported sooner to investors.

The memo identifies factors affecting disclosure decisions – such as the significance of other notice obligations, existing risk factors & potential remediation costs. Since the decision will probably have to be made quickly, it’s not a bad idea to create a decision tree in advance. Our “Cybersecurity Disclosure Checklist” is a good starting point, and check out this blog as well…

Cyber Insurance: Is Everyone Doing It?

According to this AM Best article, companies paid over $1 billion in cyber insurance premiums in 2016 – but the market might grow to $20 billion by 2020! Of course, this depends on whether last year’s 34.7% increase in premiums is a sustainable trend versus a one-off response to noteworthy breaches.

The article also notes ongoing uncertainty among insurers about pricing & risk exposure – so maybe some companies are getting bargains. But standalone policies now account for about 70% of coverage – which (from insurers’ perspectives) is improving the accuracy of their evaluations.

See this “Insurance Journal” article for intel on providers & other trends. And see this article about how Senator Mark Warner has sent a letter to the SEC outlining his concerns about more transparency if market participants get hacked…

Liz Dunshee