The US Securities and Exchange Commission has recently cracked down on companies it believes have violated securities laws by providing insufficient cybersecurity information, and it is expected to continue to enforce.
To avoid SEC action, experts recommend that companies establish clear internal communication strategies on cybersecurity issues and review their board members' and officials' liability insurance and cyber liability policies to determine whether they have adequate coverage if a problem arises.
Some recent examples of the SEC's intensified cyber enforcement measures include: On June 15, without admitting or denying the SEC's findings, Santa Ana, California-based First American Financial Corp., a title insurance company, agreed to pay a $487,61
Many experts expect the agency to continue to pursue the issue. "They've made it clear," said Alexander H. Southwell, a partner with Gibson Dunn & Crutcher LLP in New York, who chairs the company's privacy, cybersecurity and data innovation team.
"It's, honestly, part of the reality of cyberattacks in the economy today," and part of a broader administrative response to the question, Southwell said.
The SEC's compliance measures with both First American and Pearson show that the SEC is out of patience with companies that fail to implement the kind of internal controls that would allow a company to be inaccurate in its disclosures, says Priya Cherian Huskins, partner in San Francisco and senior vice president at broker Woodruff Sawyer & Co.
The agency is likely to become even more aggressive in the future, says John Farley, New York-based CEO of Arthur J. Gallagher & Co.'s Cyber Liability Practice. "basic measures to protect sensitive data," he said.
With a more aggressive SEC enforcement option, companies should develop incident management plans that include how to detect a vulnerability before it becomes an intrusion, and then make sure the infrastructure is in place to address that vulnerability, says Matthew McLellan, Marsh LLC's Washington-based D&O internship manager.
Tamara D. Bruno, a partner with Pillsbury Winthrop Shaw Pittman LLP's insurance recovery practice in Houston, said that companies should ensure that they "fully understand their own cybersecurity environment and that they communicate regularly" with those who can bridge the communication gaps between those who implement cyber security and those who implement disclosures.
"Essentially, companies need to know what is mission-critical for their organizations," and address it before experiencing a cyber incident that will shut them down, says Tom Finan, director, cyber practice, of Willis Towers Watson PLC in Washington.
If there is a cyber incident, companies should be careful with their revelations and make sure they are comprehensive, says Thomas O. Gorman, partner at Dorsey & Whitney LLP in Washington.
A well-designed D&O policy should cover investigative costs, says William Boeck, senior vice president, US financial claims manager and global cyber product, and claims leader of Lockton Cos. LLC in Kansas City, Missouri. It is unlikely that the coverage will extend to fines and penalties, although there are some specialized products, he said.
An IT liability policy may respond to an SEC investigation, depending on the wording of the policy, "but there is a strong caveat to that, and that is that cyber policies usually exclude non-confidential fines," he says.
Most cyber policies also have exclusions for securities-related claims, which could be a problem if there are more SEC enforcement measures, said Boeck.