In the wake of the Edward Snowden and Bradley Manning information leaks, it is important for companies to consider the ramifications that leaked information can have for the enterprise when the unforeseen happens. Digital information has not only become easier to access and store but also much easier to leak. In their search for efficiency, many businesses unwittingly put themselves in a very exposed position when it comes to cyber security. The situation is exacerbated when there is no proper cyber-risk management strategy made up of appropriate controls, policies, and, if need be, methods of risk transference through insurance.
The true complexities associated with cyber-liabilities start to take form when you consider that at stake may be not only company-sensitive information, private client data, and trade secrets, but also the reputation of the company and of those that do business with it. A recent article in PRWeek discusses how Booz Allen is having to fight massive reputation damage in relation to the NSA leak by former employee Edward Snowden. Booz Allen quickly made a public statement: “News reports that this individual has claimed to have leaked classified information are shocking, and if accurate, this action represents a grave violation of the code of conduct and core values of our firm. We will work closely with our clients and authorities in their investigation of this matter”.
This was not enough for Wall Street, as Booz Allen shares dropped Monday on news that the leaker was associated with the company. The Associated Press printed:
NEW YORK Shares of Booz Allen Hamilton Holding Corp. (BAH) fell on Monday, after the company’s employee, Edward Snowden, stepped forward as the person who last week leaked information about secret government surveillance programs to several news media outlets.
Not only did this leak cause a monumental problem for the national security of the country, but we must now also consider the BAH shareholders who were financially impacted by this security breach. In October 2011, the SEC’s Division of Corporate Finance issued “Disclosure Guidance” on cybersecurity-related issues. Among other things, the Guidance clarified that the agency expects companies to disclose the risk of cyber incidents among their “risk factors” in their periodic filings and also expects companies to disclose material cybersecurity breaches in their Management Discussion and Analysis. Consequently, one can expect that failure to promptly disclose a cyber breach may put a company at risk of facing formal SEC investigations, shareholder class actions, or derivative lawsuits, against which applicable insurance coverage may provide protection.
Kevin LaCroix of the D&O Diary, a periodic journal containing discussions about Directors and Officers liability issues, writes:
In addition to the risk of SEC enforcement action, companies experiencing cyber breaches also face the possibility of a securities class action lawsuit. However, the memo notes, a company experiencing a cyber breach “will likely not be a target of a securities class action unless the disclosure of the breach can be linked to a statistically significant drop in the company’s share price.” In that respect, it is worth noting that several high profile companies announcing cyber breaches have not experienced a significant drop in their stock price following the announcement. (For example, recent announcements by Facebook, Apple and Microsoft that they have been the target of sophisticated cyber attacks did not affect the companies’ share prices.) Nevertheless, it seems likely that at least some companies experiencing cyber breaches or subject to cyber attacks will also suffer a drop in their share price, and “thus result in securities class action litigation.”
Although this can be quite troubling to most enterprises, it is not news that cybersecurity risks represent a significant concern for just about every company involved in the current economy. It is becoming more obvious that discussions about cyber-liabilities, and about how to manage these risks in a holistic manner, will be heating up over the next year as we become more aware of the associated perils.