ARTICLE
15 January 2025

The SEC's Cybersecurity Incident, Governance, And Management Reporting Requirements: What You Need To Know To Avoid Cyber And D&O Coverage Gaps

The SEC public company cyber disclosure rule raises issues that companies should consider in reviewing existing insurance coverage and in assessing overall risk.
United States Corporate/Commercial Law

The SEC recently adopted a new cybersecurity disclosure-related rule (the "SEC Cyber Disclosure Rule")1 in response to increasing risks associated with cyber incidents and a perceived need for investors to receive fuller corporate disclosures about cybersecurity risks, governance, and material incidents. In prior efforts to improve the consistency and accuracy of public company cybersecurity risk disclosures, the SEC issued interpretive guidance explaining how cybersecurity risks and incidents should be communicated based on long-standing requirements to periodically—and as needed—disclose material information to shareholders.2 But in spite of this guidance, in the SEC's view corporate disclosure practices remained inconsistent, under-disclosure persisted, and investors lacked consistent information by which they could evaluate public companies' cybersecurity risk. In July 2023, the SEC adopted the SEC Cyber Disclosure Rule, which, among other things, mandated new disclosures, and which became effective in December 2023.

Public Company Cybersecurity Disclosures Under the New Rule

The 2023 SEC Cyber Disclosure Rule requires public companies to disclose material cybersecurity incidents, and materiality is assessed in the same way for cyber as in other securities contexts.3 In very general terms, materiality is "something that would be significant to a reasonable investor" and this test provides companies flexibility to assess materiality based on their specific circumstances. However, while the test for materiality is familiar, its application to cybersecurity is not, and boards and corporate disclosure functions have expressed a desire for more guidance to ensure they are assessing materiality in the same way that the SEC might later, with the benefit of hindsight.

Companies should assess incident materiality "without undue delay." If the incident is material, then within four days the company must disclose (1) the material aspects of the nature, scope, and timing of the incident; and (2) the material impact or reasonably likely material impact on the company, including the impact on its financial condition and operations. Materiality can be quantitative or qualitative, including factors such as harm to a company's reputation, relationships, or competitiveness, or the potential for litigation or regulatory investigations.

The SEC Cyber Disclosure Rule also requires registrants to periodically provide information about their cybersecurity risk management and governance. In their annual Form 10-K, companies must provide a detailed description of their processes for assessing, identifying, and managing material risks from cybersecurity threats. Disclosures must address corporate cybersecurity risk management and strategy, including the role of the board in assessing and managing material risks from cybersecurity threats, as well as management's role and cybersecurity expertise.

New Rule – New Risks

While intended to reduce perceived risks for investors, this new rule potentially creates new risks for companies. The first risk is that a company will inadvertently violate the SEC Cyber Disclosure Rule by failing to disclose a cyber risk or incident later determined to have been material. This risk may decline over time as the SEC issues more guidance on the types of facts it deems to be material, and case law develops around the new rule, which has not yet been the source of enforcement actions or litigation. And generally in pursuing enforcement actions in the cyber context, the SEC has focused on conduct that was arguably unreasonable and not just a foot fault on a close call regarding materiality. The rule also creates risks for companies by providing more information about cyber process and risk assessments that shareholders or others can try to leverage after an incident to argue the company failed to follow its own internal processes or meet reasonable industry standards.

The new rule also increases the risk of cyber incident related litigation by mandating disclosures that may later form the basis of shareholder and regulatory challenge. Disclosures about cybersecurity preparedness and response may lead to hindsight-based claims that a company failed to follow its disclosed processes or did not accurately describe them or material cyber incidents.

The SEC Cyber Disclosure Rule and Insurance

Mitigating these risks through insurance puts companies squarely at the intersection of two types of insurance programs: directors and officers ("D&O") insurance and cyber insurance. Understanding the potential exposure public companies face from the SEC Cyber Disclosure Rule, and how related risks fit within the framework of a company's D&O and cyber insurance programs, will help to ensure that a company's insurance policies provide appropriate coverage for both its balance sheet and its directors and officers against potential SEC investigations and shareholder litigation.

The SEC has not yet brought an enforcement action based on violations of the SEC Cyber Disclosure Rule, but it has brought a variety of cybersecurity related process and disclosure claims under the pre-existing law, and this likely remains an area of active focus for regulators and private litigants. Corporate risk managers should take steps to ensure there are no coverage gaps between their current D&O and cyber policies in place for claims alleging violations of the SEC Cyber Disclosure Rule. Many D&O policies should respond to SEC Cyber Disclosure Rule claims. Gaps could occur if the company's D&O policy has a broad cyber-based exclusion, which could potentially exclude coverage for a securities claim arising from cyber incidents, and some cyber policies exclude coverage for securities litigation or SEC regulatory proceedings arising from cyber incidents. Alternatively, if neither policy contains an exclusion, a claim could trigger coverage under both the D&O and cyber policies. In that instance, a company may need to consider priority of payment issues and allocate loss between the two policies, including how to prioritize recovering loss under one policy as opposed to the other if the company is trying to maintain unimpaired limits under one of the policies.

D&O Insurance Implications

Public companies may face more lawsuits due to the new rule. First, registrants may see breach of duty or oversight claims against directors and/or officers because the new rule requires companies to disclose more information about their cybersecurity risk management and governance. That may lead to an increase in claims alleging that registrants failed to prevent cybersecurity incidents because their cybersecurity risk management and governance practices were unreasonable or because the company failed to follow its disclosed cyber risk management processes. Second, the SEC Cyber Disclosure Rule may lead to disputes between companies and their shareholders and/or the SEC as to whether the company timely and adequately disclosed material cyber events. This is particularly true because the rule does not define "material cybersecurity incident," but instead simply adopts the definition of materiality outlined in existing case law. Policyholders should look to their D&O insurance as a source of coverage for claims based both on alleged failures to adequately protect against cyber risks and on failures to timely disclose material incidents.

While most D&O policies do not exclude coverage for shareholder derivative claims based on cybersecurity incidents—and companies with such exclusions should work to remove them at upcoming renewals—there are other exclusions that policyholders should review when placing or renewing coverage. Most D&O policies contain bodily injury and property damage exclusions that sometimes define "bodily injury" to include "invasion of privacy." Because securities and shareholder derivative claims following disclosure of a cybersecurity incident could potentially arise out of an invasion of privacy, registrants should carefully review their policy to determine: (1) whether it includes a bodily injury and property damage exclusion; and (2) whether the exclusion's specific terms might become problematic. To the extent a company's D&O policy has a bodily injury exclusion that extends to an "invasion of privacy" or has any other privacy exclusion that may encompass a cybersecurity event, the company should work to remove such exclusion and/or ensure that it has sufficient carveback language such that it would not apply to a breach of fiduciary duty claim against a director and/or officer or to a claim alleging a violation of securities laws against the company.

In addition, exclusions that preclude coverage for claims alleging violations of certain federal or state laws, which may include various statutory schemes such as unfair business practices or consumer fraud statutes, should be reviewed in connection with the SEC Cyber Disclosure Rule. These types of exclusions should not be applicable to securities claims or shareholder derivative claims asserting violations of cybersecurity-related federal or state laws based on a regulated company's disclosures, but registrants should be proactive in reviewing these exclusions in advance to ensure that their policies do not contain broadly worded versions that an aggressive insurer may argue apply to violations of the SEC Cyber Disclosure Rule.

Cyber Insurance Implications

The new SEC Cyber Disclosure Rule may lead insurers to adopt more stringent underwriting practices and will prompt public companies to be vigilant in completing applications for cyber coverage, given that much more information about their cybersecurity practices will now be publicly available than before the rule took effect. As a result, in the event of a cybersecurity incident insurers can now scrutinize registrants' public disclosures regarding cybersecurity risk management and governance practices and procedures. Insurers may consider attempting to deny or rescind coverage on the basis that the insured's actual cybersecurity practices and procedures were allegedly inadequate or inconsistent with its disclosures or its cyber insurance policy application. Moreover, many policyholders attach their SEC filings to their policy applications when completing annual renewals. Insurers may argue that SEC filings attached to a cyber renewal application are part of the application, and thus fair game in a subsequent dispute over whether the policy should be rescinded for breach of material representations made during the underwriting process, if the SEC or a plaintiffs' lawyer argues that those representations were untrue. To avoid this sort of "post-loss underwriting," policyholder-applicants should carefully scrutinize "yes" / "no" checkboxes on cyber policy applications where more explanation is needed to adequately answer a question, scrutinize representation and warranty language in policy applications, and discuss their applications with coverage counsel before submitting them.

Apart from the application process, registrants should also try to ensure that their cyber policies provide adequate coverage for the increased exposures resulting from the new SEC Cyber Disclosure Rule. There is little standardization across cyber insurance policies, but some policies may provide coverage for claims against the company alleging that executives failed to fulfill their cybersecurity roles, regardless of whether those claims constitute a securities lawsuit that would typically be covered under a D&O policy. Because most cyber insurance policies lack uniformity from one insurer to another and forms are frequently updated, companies should also be vigilant when changing insurers to ensure that their new coverage provides a scope of coverage similar to that of their expiring cyber policy.

Key Takeaways

The SEC Cyber Disclosure Rule creates some additional risks for public companies, beyond the new disclosure obligations alone.

  • Public companies should expect that regulators, shareholders, and potentially others will closely scrutinize the additional details companies provide about cyber risk governance. The risk of litigation or enforcement increases to the extent that cyber practices or processes materially deviate from those the company disclosed.
  • Directors and officers may be named individually in litigation or in enforcement actions. Corporate governance leadership should coordinate with their corporate risk team to ensure that the company has adequately broad coverage under both its D&O and cyber insurance programs to sufficiently protect the company against claims that could arise in the wake of the implementation of the SEC Cyber Disclosure Rule.
  • All companies should work closely with their brokers and outside coverage counsel when renewing D&O and cyber coverage to avoid potential gaps in coverage for securities litigation and other exposures that could arise from a cyber incident or from a company's cybersecurity disclosures.

Footnotes

1. 17 CFR Parts 229, 232, 239, 240, and 249.

2. See CF Disclosure Guidance: Topic No. 2 – Cybersecurity, Oct. 13, 2011; and Commission Statement and Guidance on Public Company Cybersecurity Disclosures, 33-10459.pdf, Feb. 26, 2018.

3. See SEC Cyber Disclosure Rule, 33-11216.pdf, pp. 14-15.
