A new SEC cyberattack reporting rule has left public companies and insurers exposed to potential regulatory probes and shareholder class actions alleging senior executives failed to supervise their businesses’ cybersecurity practices.
The US Securities and Exchange Commission recently issued rules that formally outlined directors’ responsibilities in cybersecurity governance for the first time, laying the groundwork for potential enforcement actions, according to Bloomberg.
The rule set a road map for investors to bring derivative claims alleging a company’s senior executives breached their fiduciary duty by failing to manage cyber risks.
And it put insurers on alert that they could find themselves exposed to underlying claims (see about Future of Global Cyber Insurance Market).
SEC Adopts Rules on Cybersecurity Risk Management
The SEC adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. The Commission also adopted rules requiring foreign private issuers to make comparable disclosures.
Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investorsSEC Chair Gary Gensler
“Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.
An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material.
The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing.
The new rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.
Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant’s annual report on Form 10-K.
D&O insurance policies cover claims and regulator probes
According to D&O Insurance Insights, insurance policies cover claims and regulator probes against a company and its directors.
Though the practice is not yet universal, a growing number of director and officer (D&O) policies are being drafted with cyber-related exclusions. Meanwhile, most cyber insurance policies exempt SEC enforcement actions and investor claims, but some cover allegations against a company’s executives over their cybersecurity roles (see Top 5 Risk Trends D&O Insurance Market).
Public companies may soon find themselves in the “worst of both worlds,” where neither cyber nor D&O policies pay for legal bills over SEC investigations and investor lawsuitsSteven Weisman, a partner at McCarter & English
It’s time for public companies to reassess their insurance program to ensure that they have coverage. Some cyber policies cover fines and penalties from the FCC, the FTC, and state regulatory agencies, but not the SEC.
The rule will accelerate D&O insurers’ efforts to exclude cyber incidents and privacy violations.
Cyber insurance is at a decisive moment in its growth journey. Conditions are stabilising and by tackling key challenges around distribution, tail-risk and capital the market is on the cusp of transformational growth.
Strengthened cyber resilience is paying dividends, as improved underwriting results yield positive outcomes for insurance buyers.
D&O carriers can rely on the exclusions to deny claims alleging directors were lax in their oversight of a cyberattack that exposed consumers’ and employees’ personal information.
Insurance carriers will also conduct tougher underwriting for cyber risks and add more restrictive terms to current policies.
D&O underwriters are thinking very hard about all of this, referring to regulator and investor claims that will likely stem from the SEC cyberattack reporting rule.
Senior executives’ roles and expertise in managing cyber threats
In its adopted rule, the SEC asked companies for the first time to describe their senior executives’ roles and expertise in managing cybersecurity threats, which often include business interruption and reputational damage after a cyber incident.
The cyber literacy of Fortune 500 senior executives is often inadequate, and there has been an increase in shareholder derivative suits that specifically target board members about cyber failures
The rule will embolden plaintiffs to bring duty-of-oversight claims against companies and their directors, and “make a public company’s insurance application process more onerous” because underwriters will grill policyholders over their cybersecurity procedures.
Businesses should be vigilant in the next annual renewal cycle of their general liability, cyber, and D&O policies to check whether insurers are adding new restrictions in response to the SEC rule.
Now that the SEC is regulating cyber disclosures, there may be an incentive for D&O insurers to not want to insure that risk or to only insure that risk for additional premiums so we might start to see more cyber exclusionsDavid Cummings, a Reed Smith LLP partner
There’s a potential flip side: If a company can show it has mature cybersecurity measures, insurers may offer “more favorable terms, better coverage, and lower deductibles,” said Katherine Keefe, cyber incident management leader at broker Marsh McLennan. But carriers haven’t rewarded policyholders with premium discounts yet.
Cyber Insurance Underwriting
The size of the cyber insurance market could reach $50 bn by 2030, though the realisation of this potential is tied to three key factors: distribution, tail-risk management and attracting capital.
If these challenges can be navigated successfully, the cyber market is on the cusp of potentially transformational growth
Following a major market correction off the back of surging ransomware claims in 2020 and 2021, conditions started to stabilise last year as activity relented and more robust risk controls deterred or mitigated attacks.
On the whole, forcing companies to disclose cyberattack incidents and security measures will help insurers to make more accurate decisions about corporate cyber risks, said Avery Dial, a partner at Kaufman Dolowich Voluck.
Cyber insurance is a relatively new product that has seen huge price jumps amid rising hacks in the last few years.
Ransomware attacks against industrial organizations increased by 87% in 2022 from the year before, according to cybersecurity company Dragos
One of the key challenges for cyber underwriting has been the lack of historical and comparable data, because many companies have never reported their cyber incidents.
Last October, Uber Technologies’s former security officer was convicted of concealing a 2016 data breach that exposed the information of 57 million Uber users and drivers. Uber took a year to report the incident.
Now the SEC is telling public companies that they can no longer withhold that kind of information.
The publicly reported cyber data will give insurers a second source to verify what companies disclosed on their insurance applications.
More transparency around companies’ cyber measures will also help to stabilize cyber insurance prices.
The disclosures may be of little use, however, for investors and insurers trying to forecast how a company will weather a cybersecurity incident because cyber risks are rapidly changing.
Even when a company has the strongest cyber security measures and insurance policies, there is no assurance that a future cyber incident will be covered “if a hacker is creating some new attack strategy that no one in the insurance or brokerage business thought of yet,” said Alex Sugzda, a partner at Cohen Ziffer Frenchman & McKenna.
AUTHOR: Daphne Zhang – Bloomberg Law Insurance reporter