The U.S. Securities and Exchange Commission ("SEC") implemented rules governing registrants' disclosure requirements pertaining to cybersecurity risk management, governance, and incident reporting on July 26, 2023. These rules are likely to give rise to novel issues pertaining to public companies' insurance portfolios, in particular, directors' and officers' liability ("D&O") and cyber insurance policies. This post provides a short overview of the rules and some of the insurance issues likely to arise going forward.
The SEC's cyber security disclosure rules and increased exposure
The new rules require registrants to disclose information in three categories: (1) cybersecurity risk management; (2) cybersecurity governance; and (3) cybersecurity incident reporting.
With regard to cybersecurity risk management and governance, public companies are now required to annually report their cybersecurity risk processes and governance of risks in Form 10-K SEC. Under the cybersecurity risk management disclosure rules, registrants have to describe how they assess, identify, and manage material cybersecurity risks and whether they have materially affected or are reasonably likely to materially affect their businesses. Similarly, under the cybersecurity governance disclosure rules, registrants have to describe board oversight of cybersecurity risks and the role management plays in assessing and managing material cybersecurity risks.
The cybersecurity incident reporting rule requires public companies to disclose any "material" cybersecurity incidents within four days of determining such incidents to be material by submitting a public SEC filing via Form 8-K. A cybersecurity incident is "material" if "there is a substantial likelihood that a reasonable shareholder would consider it important" in making an investment decision or if it would have "significantly altered the 'total mix' of information made available. Upon a determination that a cybersecurity incident is material, registrants are required to describe in their Form 8-K submission the incident's nature, scope, and timing, as well as any material impacts or reasonably likely material impacts the incident will have on the registrant's business.
It is not difficult to see how these new rules increase public company exposure. Registrants that disclose cybersecurity incidents face increased exposure to both consumer privacy violation class action lawsuits and shareholder derivative or other securities claims alleging D&Os breached their cybersecurity governance responsibilities or made misrepresentations in connection with the purchase or sale of securities. Plaintiffs' lawyers will now be equipped with public information that has the potential to provide the basis for such claims, likely leading to an increase in such lawsuits.
D&O insurance implications
As a result of the cybersecurity risk management and governance disclosure requirements, registrants are almost certain to face more lawsuits alleging breach of duty or oversight claims. Now that plaintiffs' lawyers will have access to public companies' cybersecurity risk management and governance disclosures, there is likely to be an increase in claims alleging registrants failed to prevent "material" cybersecurity incidents because their cybersecurity risk management and governance practices were inadequate.
Additionally, the incident disclosure requirement will likely create battles with shareholders and/or the SEC regarding whether registrants' materiality determinations were appropriate and/or timely. This is especially so given that the rules do not provide any definition of a "material cybersecurity incident," but instead simply adopt the definition of materiality outlined in existing securities laws. Policyholders will look to their D&O insurance as a source of coverage for claims arising out of the above scenarios.
While most D&O policies do not exclude coverage for shareholder derivative claims based on cybersecurity incidents, there are other exclusions that policyholders should review when placing or renewing coverage. Most D&O policies contain bodily injury and property damage ("BI/PD") exclusions that sometimes define "bodily injury" to include "invasion of privacy." Securities and shareholder derivative claims following disclosure of a cybersecurity incident could potentially arise out of an invasion of privacy, so registrants should carefully review their policy to see if it includes a BI/PD exclusion and whether its specific terms might become problematic. Another notable exclusion precludes coverage for claims alleging violations of certain federal or state laws, which may include various statutory schemes, such as unfair business practices or consumer fraud. This exclusion should not be applicable to securities claims or shareholder derivative claims asserting violations of cybersecurity-related federal or state laws based on a regulated company's disclosures, but it would be worthwhile to review these exclusions in advance.
Cyber insurance implications
As for cyber insurance, the new rules are almost certain to lead insurers to adopt more stringent underwriting practices. It will behoove public companies to be extremely meticulous and careful in filling out applications for cyber coverage, given that their cybersecurity practices will be public. In the event of a cybersecurity incident, insurers will now have the ability to scrutinize registrants' publicly available cybersecurity risk management and governance practices and procedures, and there will almost certainly be coverage denials based on the insureds' actual cybersecurity practices and procedures being allegedly inadequate or inconsistent with their disclosures. To avoid this sort of "post-loss underwriting," the application process is now even more important than it was before. Registrants should have those working on SEC disclosures work closely with personnel responsible for cyber insurance applications to be as certain as possible that all disclosures are accurate and consistent.
Apart from the application process, registrants should also try to ensure that their policies provide coverage for their increased exposures resulting from the new rules. There is little standardization across cyber insurance policies, but some of them may cover claims alleging executives failed to fulfill their cybersecurity roles. This creates an avenue for coverage for D&Os alleged to have breached publicly disclosed risk management and governance practices pertaining to cybersecurity. Cyber insurance policies may also provide third-party liability coverage for privacy violations and consumer class actions.
Although cyber policies often cover assessments of fines and penalties in investigations and adversarial proceedings involving the FCC, the FTC, and state regulatory agencies, they generally exclude coverage for securities claims. Regulated companies should closely review their D&O and cyber policies during placement and/or renewal to close potential coverage gaps likely to arise from the SEC's new cybersecurity disclosure rules.
This article is presented for informational purposes only and is not intended to constitute legal advice.