On Feb. 12, 2013, President Barack Obama signed Executive Order 13636, Improving Critical Infrastructure Cybersecurity, which establishes a voluntary cybersecurity framework intended to set standards for private companies that operate critical infrastructure.
However, remarks by Lisa J. Sotto, chair of the U.S. Department of Homeland Security (DHS) Data Privacy and Integrity Advisory Committee, raised red flags. She said: “I would suggest that these standards will become the standards by which companies will be judged, so that if there is a cybersecurity event there may be negligence claims that follow if the standards are not complied with. Also, there could be shareholder suits, if a company suffers damage as the result of a cybersecurity event where they’re not complying with the cybersecurity framework.”
“If the government says, ‘We’re officially setting the bar and if you’re not above it you’re going to be found negligent,’ then companies will need an insurance policy that will defend them,” says Karl Henley, vice president at SeibertKeck Insurance Agency.
Smart Business spoke with Henley about possible implications of this executive order.
What is the executive order’s goal?
After failing to pass the Cyber Intelligence Sharing and Protection Act of 2012, the Obama administration wanted to protect what it felt was critical infrastructure — private companies. This executive order establishes the foundation for a ‘framework’ between the private sector and government, seeking to set standards for certain industries. The goal is to improve communication and awareness so the private sector can take steps to protect itself.
Currently, only some private industry sectors have set cybersecurity standards, such as the credit card processing industry. This is the government’s first attempt to set a wider standard for all private companies.
Do you think many are aware of this?
Large corporations should be aware, but this could have been missed by many middle-market and owner-managed businesses that may not have an in-house compliance group to stay on top of developing regulations.
What will be impacted?
The areas that will be impacted are defined as critical to our country and economic infrastructure, such as financial services, electricity, water and water treatment, and fuel suppliers. Before July 12, the secretary of the DHS will identify where a cyberattack could cause catastrophic problems, regionally or nationally, for public health or safety, economic security or national security.
Executive orders cannot make mandates, so this will be voluntary for most. However, courts may choose to use these as the standard for negligence. Government contractors will be incentivized to comply as a criterion for contract selection.
What are the cybersecurity implications?
One positive is the improved flow of information from government to the private sector about cyberthreats. CIOs and IT staff will have improved access to timely information about potential hazards.
However, Sotto’s remarks are troubling. Anytime someone in government uses the words ‘negligence,’ ‘judged’ and ‘claims,’ it’s generally not good for businesses. It will be critical that companies minimize potential weaknesses in cybersecurity infrastructure.
What does this mean for insureds?
A general liability policy excludes most cyber-related losses, so insureds will need to fill coverage gaps with a cyber liability policy.
It also will be important to keep informed as insurance policy language changes to incorporate the standards within your policy. Good dialogue with an informed adviser or the right consultants about your business model, Internet presence and interaction with customers will be essential to helping companies adapt and protect themselves from negligence claims. Directors and officers (D&O) liability policies, often overlooked by non-publicly traded companies, generally cover the defense of shareholder suits.
What are some next steps?
The private sector, in conjunction with the National Institute of Standards and Technology (NIST), is being asked to help design the standards and develop a fluid framework, as cyberattackers frequently change tactics. The preliminary framework will be published Oct. 10, with the final due Feb. 12, 2014.
Karl Henley is vice president of SeibertKeck Insurance Agency. Reach him at (330) 294-1358 or firstname.lastname@example.org.
Insights Business Insurance is brought to you by SeibertKeck