In the wake of the attacks of Sept. 11, 2001, businesses quickly realized they had a shared problem: terrorism insurance. Or, more accurately, a lack of it, as premiums for commercial insurance against acts of terrorism skyrocketed – in the instances where it was even available. The upheaval led to the passage of the Terrorism Risk Insurance Act of 2002, creating a federal backstop for insured losses due to acts of terrorism.
Corporate America is facing a similar problem now with cybersecurity. No single event on the scale of 9/11 has plunged the market for cyber insurance into chaos. However, as the threats posed by online crimes continue to grow, cybersecurity insurance premiums are rising apace. It also takes more resources to comply with the cyber defense requirements imposed by insurance underwriters. As a result, it appears as though momentum is building for government intervention in the market for cyber insurance.
Corporate executives are contending with a panoply of cybersecurity issues, ranging from ransomware to data breaches to run-of-the-mill online scams. A recent survey of chief information officers by technology consulting firm Gartner Inc. found that respondents consider cybersecurity their most critical investment priority in the coming year. Roughly two-thirds of participants indicated they intend to ramp up cybersecurity spending in 2023. Gartner estimated that worldwide spending on cybersecurity will hit $188.3 billion next year, up more than 11% from this year.
Part of that new spending will come from price increases. Premiums for cyber insurance policies rose by an average of 28% from the fourth quarter of 2021 through the first three months of 2022, according to the Council of Insurance Agents & Brokers. Smaller businesses may find themselves priced out of the market as a result.
So, what role should the federal government play in stabilizing the cyber insurance market? In a report issued this summer, the U.S. Government Accountability Office hinted that a backstop is warranted along the lines of what is available for terrorism insurance.
Meanwhile, regulators – of both the official and shadow variety – are assessing how cybersecurity should factor into corporate compliance. For example, a recent article in The Harvard Law School Forum on Corporate Governance noted that cybersecurity doesn’t fit neatly into the standard framework of corporate programs for environmental, social and governance issues.
For its part, the Securities and Exchange Commission has proposed new cybersecurity disclosure rules for public companies. Among the suggested changes is a requirement for issuers to disclose material cybersecurity incidents, such as data breaches and ransomware attacks, within four business days of learning they occurred. As we await the release of the final rules, questions remain about how companies should determine what constitutes a “material” cyber breach.
Companies undoubtedly will face new disclosure requirements and expectations regarding best practices, as well as potential disputes over liability for harms caused by non-compliance. In the meantime, the best advice for companies and their boards of directors might be to redouble their efforts to patch up the holes in their cyber defenses.