Willis: Boards need to wake up to cyber threats and liabilities
London, UK, March 15, 2012 - Company Directors must wake up to cyber threats or they risk litigation
from all sides, according to Francis Kean of Willis Group Holdings (NYSE:WSH), the global insurance broker.
Speaking at a Willis-hosted cyber liability conference in London this week, the Executive Director in Willis’ FINEX
Global Unit warned that Boards must understand how exposed their company is to the digital threat
environment, following recent Securities and Exchange Commission (SEC) guidance on disclosure of cyber attacks.
“The SEC guidance is a useful wake-up call to the risks of data breaches for Boards everywhere
but they now have a delicate balancing act,” Kean told the audience in the Willis Auditorium.
“The problem with exposing cyber breaches is you don’t want to provide a route map to
hackers, or potential plaintiffs down the road, but you also don’t want to expose yourself to
a shareholder class action,” he said.
Kean stressed the need for Boards to understand emerging cyber threats, saying, “There is a whole universe
of potential cyber risk not understood at a Board level. This, in turn, creates a risk
that Directors will fail to discharge their duty of care and duty to promote the success
of the company. Their fiduciary duties require them to gain some understanding of the cyber threat
faced by their companies and to ensure adequate and proportionate procedures are adopted to mitigate the
consequences of a serious data breach.”
The SEC guidance was issued last October in response to concerns that it was hard for investors
to assess security risks if companies failed to disclose data breaches in their public filings. There
are five specific disclosure areas addressed in the guidance: pre-attack exposure analysis; cyber incidents; exposure to
the firm in description of business; legal proceedings; and financial statement implication.
On another panel at the event, Jeremy Smith, Willis’ Cyber Liabilities Practice Leader, discussed the development of
cyber liability insurance and said, “The convergence of cyber coverage in recent years was largely due
to a lack of sophisticated claims data and significant increases in cyber crime.”
However, Smith noted that brokers are now pushing for further innovation from the market and have managed
to secure additional coverage for PCI fines, third party vendors and terrorism.
Advanced Persistent Threats (APTs), such as the Aurora virus and Nightdragon, are the next challenge for the
insurance industry according to Smith. “APTs are sustained attacks designed to steal intellectual property over a
number of years. The insurance industry hasn’t fully tackled this threat yet, but I hope that
brokers and insurers will find a solution together in the future,” he said.
Smith went on to warn that companies with large exposures should consider tailored cyber policies, saying, “If
a company has a significant exposure I would always recommend a stand-alone cyber liability product as
coverage may not be found under a GL or PI policy.
“Cyber liability has developed into a specialist market with expert underwriters and tailored products. These products offer
more than just insurance; companies also get access to a range of services from expert legal
advice, to post breach response services, which are absolutely critical to ensuring the costs of a
breach are kept to a minimum,” he concluded.
Willis Group Holdings plc is a leading global insurance broker. Through its subsidiaries, Willis develops and delivers
professional insurance, reinsurance, risk management, financial and human resource consulting and actuarial services to corporations, public
entities and institutions around the world. Willis has more than 400 offices in nearly 120 countries,
with a global team of approximately 17,000 employees serving clients in virtually every part of the
world. Additional information on Willis may be found at www.willis.com.