On February 12, 2013, President Obama issued Executive Order 13636, setting out his plan to improve critical infrastructure cybersecurity. See Executive Order – Improving Critical Infrastructure Cybersecurity, http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity (February 12, 2013). In the Executive Order, President Obama states that it is the policy of the United States to “maintain a cyber environment that encourages efficiency, innovation, and economic prosperity . . . .” The Executive Order states that this policy can be achieved “through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards.”
More specifically, the Executive Order directs the Director of the National Institute of Standards and Technology to lead the development of a Cybersecurity Framework, with a preliminary version due within 240 days and a final version within one year. The Cybersecurity Framework will provide “a set of standards, methodologies, procedures and processes that align policy, business, and technological approaches to address cyber risks” and “shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible.”
The Executive Order does not itself require owners and operators of critical infrastructure to adopt the Cybersecurity Framework, and its reach is not limited to them. Section 8 establishes “a voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities.” Adoption may nonetheless become mandatory by other routes: the Executive Order provides that sector-specific agencies may “develop implementation guidance or supplemental materials to address sector-specific risks and operating environments,” and Section 10 directs agencies that regulate the security of critical infrastructure to review the preliminary framework and determine whether their existing cybersecurity regulatory requirements are sufficient.
We do not yet know which agencies will build the Cybersecurity Framework into their regulatory requirements, but both the Securities and Exchange Commission and the Federal Trade Commission have already been active in the cybersecurity area. In October 2011, the SEC issued guidance on public companies’ disclosure obligations arising from cybersecurity risks and incidents. Meanwhile, the FTC has brought several enforcement actions within the last year against companies based on their alleged failure to maintain reasonable security measures. Given these agencies’ interest in cybersecurity, it seems likely that they will be among the agencies that consider requiring regulated entities to implement the Cybersecurity Framework.
Even if a company is not currently considered part of critical infrastructure, the Executive Order is fair warning that cybersecurity regulation is coming. With regulation will likely come increased private litigation against companies that suffer a cybersecurity incident, and with it the potential for significant losses from governmental fines or damages awarded in litigation.
Companies should act now to protect themselves from such losses, including by examining their insurance portfolios to confirm that adequate coverage already exists. A company that does not have stand-alone coverage for cyber risk should seriously consider acquiring a cyber liability policy that protects against third-party losses, first-party losses, or both. Third-party cyber policies may provide coverage for:
- liability for unauthorized access to customers’ personally identifying information;
- transmitting a computer virus or other malware to a customer or business partner;
- failing to notify affected third parties of their rights under the relevant regulations following a security breach; and
- “advertising injury,” i.e., harms arising from the use of electronic media, such as unauthorized use or infringement of copyrighted material, as well as libel, slander, and defamation claims.
First-party cybersecurity policies may provide coverage for:
- the costs of notifying individuals whose identifying information was compromised;
- the costs of determining the scope of a breach and of containing it;
- public relations services to counter the negative publicity that accompanies a data breach and its investigation;
- the costs of responding to government investigations;
- the costs of replacing damaged hardware or software;
- the costs of responding to vandalism of the company’s electronic data; and
- business interruption losses.
Finally, cyber insurance is still a young market, and policy language has not been standardized. Accordingly, negotiating the policy language is both possible and critical.
The Executive Order defines critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
Posted: Feb 15, 2013