What Boards Need to Know About Cyber Insurance and Regulatory Change


The escalating pace and scale of cyber-attacks, together with the growing financial stakes, are making cyber risk a regular item on boardroom agendas. Company directors need to focus increasingly on protecting the firm from the significant economic impact of cyber events, including revenue loss, recovery expenses, liability costs, and regulatory fines.

Regulators are also looking more actively at how organizations address cyber risks and how they manage their responsibilities to key stakeholders. In 2018 the US Securities and Exchange Commission approved new interpretive guidance that outlines expectations for publicly traded companies to disclose cybersecurity risks and material incidents.

So even as the financial costs of cyber threats rise, the regulatory stakes are rising too, as more regulators impose stricter requirements on businesses.

The increasing adoption of insurance to transfer cyber risk and a more rigorous regulatory approach to cyber risk management dovetail in numerous ways. Many of the new regulatory requirements and guidance around cyber risk assessment, prevention and management, executive and board-level ownership, and event disclosure and response, are the same practices that should inform an organization’s decision-making around cyber insurance investment. The assessment, evaluation, and modeling processes that are essential foundations for purchasing cyber insurance are, in many ways, aligned with the practices called for in the SEC’s guidance.

Given the increasing business risk of cyber events – from business interruption to revenue loss to regulatory enforcement actions – corporate leaders need to understand their responsibilities for assessing those risks and protecting their companies from them. They are advised to align their policies and practices with the SEC’s recommendations and to consider insurance market coverage that can help protect against cyber event-related losses and regulatory liabilities.