Printed from BusinessInsurance.com

Best (and worst) of 2011: Cyber risk

Posted On: Dec. 11, 2011 12:00 AM CST

Experts disagree on whether U.S. Securities and Exchange Commission guidelines issued in October, which for the first time formally ask public companies to disclose cyber attacks against them, are the best or worst development in the cyber risk area this year.

But they agree it is highly significant.

Richard J. Bortnick, a member of law firm Cozen O'Connor P.C. in West Conshohocken, Pa., who classifies it as the “worst” development, said the guidance “will increase the need for insurance. It will cause public companies, if not private companies, to take a much harder look at their cyber security, and its practices and procedures, and it will force insurance brokers to get their arms around what this insurance product really is.” Alternatively, said Mr. Bortnick, “it will engender lots and lots” of directors and officers liability cases.

Robert Parisi, senior vp at Marsh Inc.'s FINPRO practice in New York, who categorized it as the best development, said the guidance is particularly important in recognizing and establishing “that computer technology information security is really an operational risk, corporate governance issue” that “is as important an issue as any other piece of a company's operations,” including merger and acquisition activity, for instance. While the guidance “didn't change any real rules,” it “is making it clear that we all need to be aware of this,” said Mr. Parisi.

Mr. Bortnick's choice for the best development is that “the incidence and magnitude of cyber risk have finally put the exposures and risks on companies' radars. It's forced insurance brokers to accept the reality that they've got to start learning and marketing such coverages.”

Mr. Parisi said the worst development has been plaintiffs attorneys' aggressive activity in this area. Whenever there is a breach, “that's a pool of potential plaintiffs they can create a class around, and they're bringing class actions literally within a day, two days” after a breach has occurred, he said.