The Intersection Between the Rules & Insurance Coverage
In the ever-evolving cyber threat and regulatory environment, the role of the Board of Directors and Senior Executives is undergoing profound transformation. The frequency and severity of ransomware attacks have pushed lawmakers and regulators to reevaluate the need for heightened cyber oversight and reporting obligations. In July 2023, the U.S. Securities and Exchange Commission (SEC) announced new cybersecurity rules applicable to publicly listed companies and foreign private issuers. These new rules, effective December 2023, require two types of disclosures:
- Annual Cybersecurity Risk Management, Strategy and Governance Disclosure: Public companies will now be required to provide a description of their process for identifying and managing cybersecurity risk as part of their annual 10-K filings. The description in the Form 10-K will need to be sufficiently detailed to allow a reasonable investor to understand the process.
- Material Cyber Incident Reporting Disclosure: In the event a public company experiences a cyber incident, the new rules require the company to: (1) Promptly determine whether such incident is “material”; although there is no set time limit, the rules require this be done “without unreasonable delay after discovery of the incident”; and, (2) If such incident is deemed to be “material” the company must disclose the incident, in a Form 8-K filing, within four (4) business days of making such determination.
Board members and senior executives of public companies now find themselves in an environment of increasing transparency when it comes to cybersecurity risk management, governance, and incident reporting. With this increase in transparency, we are likely to see an increase in claim activity in the form of civil litigation and regulatory enforcement actions, at least initially. At this point, the impact on the insurance market – specifically, Director & Officer (D&O) Liability Insurance and Cyber Insurance – is uncertain but something to watch closely.
With these new rules now in effect, we offer organizations the following tips, strategies, and considerations:
- Review Relevant Insurance Risk Transfer Products – D&O and Cyber:
- The new rules should prompt renewed discussion about limit adequacy for both D&O and Cyber. Although traditional public company benchmarking data does contemplate exposure to SEC enforcement actions and shareholder lawsuits, the new SEC cybersecurity disclosure rules complicate and broaden that exposure significantly in a manner not currently contemplated or fully known
- Consider the fact that the limits available under a Cyber insurance policy will likely impact the materiality determination and ultimate need to report. Executives should be aware of the current available limits and consider whether they remain adequate.
- Review and Understand Coverage Provided in Your D&O and Cyber Policies:
- Although most public company D&O policies do not (yet) specifically exclude coverage for claims arising from the new SEC rules, there may be certain provisions within the policy wording that could operate to preclude or limit coverage depending on the facts presented. These are new rules, and thus exposure is expected to increase. Accordingly, it is possible insurance carriers will look to apply policy wording in new and unique ways to try to contain large losses.
- Evaluate whether uninsured D&O exposures exist, especially in the context of a cyber event. Review the insurance policy for cyber exclusions and consider whether your key IT executives would, could, or should qualify as a director or officer.
- Remember, most Cyber insurance policies contain broad securities exclusions and are not intended to cover D&O liabilities, nor SEC enforcement actions. The value of having a comprehensive Cyber insurance policy will be to assist the organization in the initial response to the event itself and to transfer some of the financial costs associated with that response.
- Prepare for Enhanced Underwriting at Insurance Renewals
- Review and update Incident Response Plans such that they incorporate the SEC reporting requirements, including considerations around what types of events would rise to the level of “materiality,” which would warrant an 8-K filing.
- Make sure your insurance applications align with your public disclosures. Cyber applications require disclosure of information relating to an organization’s cybersecurity risk management, governance, and incident reporting – very similar to what the new SEC cybersecurity rules will require in 10-Ks. Be cautious about inconsistencies. The same is true with respect to incident reporting on an 8-K and incident reporting to a Cyber insurer.
There is no question the new SEC cybersecurity rules will have a transformational impact on how all organizations, not solely those covered by the new rules, approach cybersecurity and cyber incident reporting. This new mandate of transparency will also impact insurance risk transfer products as well as insurance markets and underwriting. Compliance will be challenging and will require a cross-functional team within the organization, as well as a well-developed and nimble internal communication strategy.
