On July 26, 2023, the Securities and Exchange Commission (SEC) voted to approve new cybersecurity incident disclosure rules. The new rules require all public companies to disclose specific information regarding cybersecurity incidents and details of their cyber risk management, strategy and governance to the SEC. Some key provisions of the new rules include:

• Effective December 15, 2023: Mandatory disclosure of a material cybersecurity incident within four business days on Form 8-K
• Effective December 18, 2023: Mandatory disclosure of cyber risk management, strategy and governance on Form 10-K
• “Material” is described as reflecting “a substantial likelihood that a reasonable shareholder would consider it important” while making an investment decision, or if it would have “significantly altered the ‘total mix’ of information available”
  • Factors companies should consider include reputational harm, the likelihood of associated litigation or regulatory investigations and impact on competitiveness
• The cyber risk management, strategy and governance disclosure is designed to allow investors to ascertain a company’s cybersecurity practices, such as whether they have a risk assessment program in place, with sufficient detail for investors to understand the company’s cybersecurity risk profile

Prior to the new rules, corporate executives were involved in high-profile cases brought by the SEC involving alleged insufficient cyber incident disclosures, which resulted in significant fines and, in one case, criminal penalties. The new rules could increase the personal scrutiny on corporate officers and executives, such as CFOs.

How can you help protect your company from such exposures?

1. Cyber Insurance
   Cyber policies are designed to cover the incident itself but generally do not cover SEC actions or investor claims. Cyber policies generally exclude regulatory actions relating to securities laws and, in some cases, will specifically reference “the Securities Act of 1933, the Securities Act of 1934, the Investment Company Act of 1940, etc.” In light of the new rules, we anticipate that carriers will begin to clarify their securities exclusions and may move to cover a cybersecurity regulatory enforcement action.
2. Directors and Officers Insurance
   D&O policies are designed to cover a variety of claims against directors, officers and the company. Such claims can include SEC investigations, shareholder derivative actions and other related litigation, but typically involve some alleged breach or failure of duty of care. D&O policies may contain cyber exclusions, and it is important to review the breadth of the exclusion – whether it excludes elements that are truly cyber coverages (breach costs, extortion payments, business interruption, etc.) or whether it is an “absolute” exclusion that excludes anything relating to a cyber claim (which would then include SEC actions and shareholder derivative suits).

Conclusion

While the new rules could certainly increase scrutiny and possible exposure for companies and their executives, ensuring that you have robust insurance policies in place as part of your risk management portfolio can help provide a level of protection.

Cyber Team