Cyber Insurance: A Pragmatic Approach to a Growing Necessity

Cybersecurity has become an increasing focus of financial regulators, and insurance companies are stepping up to help deal with the risk of cyber attacks. Bruce Carton's CyberSecurity Docket hosted a great webinar on cyber insurance. These are some of the highlights.


John Reed Stark is President of John Reed Stark Consulting LLC, a data breach incident response and digital compliance firm. 

David R. Fontaine is Executive Vice President, Chief Legal & Administrative Officer and Corporate Secretary of Altegrity, a privately held company that among other entities owns Kroll’s data breach response services. 

The industry has accumulated the actuarial data needed to underwrite the likelihood of a cyberattack and the damages it causes. But the market is still very new and evolving, and there is no standard policy language, so two policies that look alike can cover very different things.

One focus is what the insurance will cover. There are three areas of losses:

  1. liability (lawsuits from customers over the breach)
  2. breach response costs (investigating the breach and notifying customers)
  3. government fines and penalties.

You also need to focus on what triggers the coverage: a lost laptop, an internet intrusion, or data that originated with the company but was lost somewhere else.

The coverage will be based on detailed representations and warranties about your security practices. You need to make sure they are accurate and that you understand them, because a misstatement about the controls you actually have in place can give the carrier grounds to deny a claim.

Here is an incident response workflow:

  1. Preserve. Assemble the team and isolate the infected machines without wiping them.
  2. Digital forensic analysis: figure out what happened to the machine.
  3. Logging analysis: figure out how the machine was accessed.
  4. Malware reverse engineering.
  5. Surveillance (watching for continued attacker activity in the environment).
  6. Remediation efforts.
  7. Exfiltration analysis: figure out what was taken.
  8. State regulatory analysis. There are 47 different state breach-notification schemes.
  9. Federal regulatory analysis. Everyone thinks they have jurisdiction.
  10. PCI compliance, if credit card data was involved.
  11. Law enforcement liaison.
  12. Customer notifications.

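Steps 1, 3 and 7 of that workflow are the ones an engineer actually has to operationalize. The script below is an added example, not material from the webinar or from either speaker's firm: it fingerprints raw evidence before analysis, parses constructed sshd-style authentication lines to flag a successful login that followed repeated failures from the same source, and totals outbound bytes per destination from constructed proxy lines to surface a likely exfiltration channel. The log formats, field layouts, IP addresses and the 100 MiB threshold are all assumptions chosen for illustration.

```python
"""Triage helpers for the preserve, log-analysis and exfiltration steps of
an incident response workflow.  Added example: the log lines below are
constructed for illustration and their field layouts are assumptions."""
import hashlib
import re
from collections import defaultdict

# Constructed sample: sshd-style auth log lines (format assumed).
AUTH_LOG = """\
Mar 03 01:12:07 web01 sshd[4121]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar 03 01:12:09 web01 sshd[4121]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar 03 01:12:14 web01 sshd[4130]: Accepted password for deploy from 203.0.113.9 port 51040 ssh2
Mar 03 08:30:02 web01 sshd[5002]: Accepted publickey for alice from 10.0.0.5 port 40011 ssh2
"""

# Constructed sample: proxy log lines "timestamp src dst bytes_out" (format assumed).
PROXY_LOG = """\
2014-03-03T01:20:11Z 10.0.0.21 198.51.100.77 524288000
2014-03-03T01:25:40Z 10.0.0.21 198.51.100.77 734003200
2014-03-03T09:02:05Z 10.0.0.5 93.184.216.34 2048
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def evidence_hash(data: bytes) -> str:
    """Step 1 (preserve): fingerprint raw evidence before touching it, so the
    analysis can later be shown to have run over the unaltered log."""
    return hashlib.sha256(data).hexdigest()


def parse_auth_log(text: str) -> list[dict]:
    """Step 3 (logging analysis): structured view of every sshd auth event.
    Lines that do not match the assumed format are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def suspicious_logins(events: list[dict], failures_before: int = 2) -> list[dict]:
    """Flag a successful login preceded by at least `failures_before`
    failures from the same source address: the footprint of a password
    guesser who eventually got in."""
    failed = defaultdict(int)
    flagged = []
    for ev in events:
        if ev["result"] == "Failed":
            failed[ev["src"]] += 1
        elif failed[ev["src"]] >= failures_before:
            flagged.append(ev)
    return flagged


def exfiltration_by_destination(text: str, threshold_bytes: int = 100 * 2**20) -> dict[str, int]:
    """Step 7 (exfiltration analysis): total outbound bytes per destination,
    keeping only destinations at or above the threshold (default 100 MiB)."""
    totals = defaultdict(int)
    for line in text.splitlines():
        _ts, _src, dst, nbytes = line.split()
        totals[dst] += int(nbytes)
    return {dst: n for dst, n in totals.items() if n >= threshold_bytes}


if __name__ == "__main__":
    print("auth log sha256:", evidence_hash(AUTH_LOG.encode()))
    for ev in suspicious_logins(parse_auth_log(AUTH_LOG)):
        print(f"suspicious login: {ev['user']} from {ev['src']} at {ev['ts']} via {ev['method']}")
    for dst, n in exfiltration_by_destination(PROXY_LOG).items():
        print(f"possible exfiltration: {n / 2**20:.0f} MiB to {dst}")
```

On the constructed input the script flags the `deploy` login from 203.0.113.9 (two failures, then success) and the roughly 1.2 GiB sent to 198.51.100.77, while alice's key-based login and the 2 KiB of ordinary browsing are left alone. Hashing the raw log before parsing is what lets the later regulatory and law-enforcement steps rely on the analysis: anyone can recompute the digest over the preserved copy.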
It's clear that every company is at risk of a cyber attack. If a determined attacker wants in, you can't keep them out forever. Insurance may be able to address some of the risk and damages, but only for the losses and triggers the policy actually names.


The SEC’s Asset Management Unit

Yesterday, Bruce Carton of Securities Docket hosted a webinar: The SEC's Asset Management Unit and Strategies for Avoiding Trouble in 2011 and Beyond. He managed to get Bruce Karpati, the co-head of the SEC's Asset Management Unit, to participate. Also joining the presentation were John Reed Stark, Managing Director of Stroz Friedberg and former Chief of the SEC Office of Internet Enforcement, and Bradley J. Bondi, a litigation partner at Cadwalader, Wickersham & Taft LLP and former counsel to SEC Commissioners Troy Paredes and Paul Atkins for enforcement matters.

The SEC’s Asset Management Unit focuses on investment advisers and investment companies. If you run a private fund, this unit is keeping an eye on you.

You can watch the replay of the presentation yourself, but here are the things that caught my attention:

Private fund registration under Dodd-Frank is very important to Karpati's unit. They work closely with OCIE, and they are looking forward to the new data that will come from fund registration and Form PF.

They are especially concerned about the level of transparency, even for private funds, and the information given even to institutional investors.

Weak and fraudulent valuation processes are high on his list of concerns. In particular, he is concerned about private funds with an incentive to overvalue assets. He mentioned the Palisades funds' use of side pockets that led to an enforcement action. He also mentioned the

Another highlight was "investment drift." Make sure that your investment activity is not wandering from the areas you told your investors you would be in.

Of course, insider trading and expert networks are taking up a fair amount of his unit’s time and energy.

He raised the "suspicious performance investigation," where the SEC looks at funds that have consistently outperformed the market. The leading example is the Madoff scandal. Madoff's outlying performance should have been a red flag for investors, and the SEC wants to spot these kinds of problems itself.

He is looking at adviser background misrepresentation. It sounds like they are ready to bring fraud charges for misstating educational background and experience.

Stark praised the unit. As a lawyer who would be on the opposite side of the table, he would prefer to deal with someone who has specialized knowledge of the investment management industry rather than a generalist enforcement lawyer.

Stark focused on In the Matter of AXA Rosenberg Group LLC, et al. (Feb. 2011), involving a flaw in the computer model for a quantitative fund. The model's algorithm had a flaw that resulted in under-performance. This is a tough one for compliance because the compliance geeks are rarely in the room with the math geeks.

Bondi laid out a series of compliance policies and issues that new investment adviser registrants should be concerned about. He spent a great deal of time on privacy and security breaches. (Maybe too much for the focus of this presentation.)

Sources:

Participants in the April 5 webcast: Karpati, Stark and Bondi