In March, the SEC released its proposed new rules for cyber reporting under Form 8-K. Specifically, the SEC seeks to require an organization to report “material” cybersecurity incidents within four business days after it determines that such an incident occurred.
Other changes would enhance annual disclosures: 10-Q and 10-K filings would update earlier 8-K disclosures, including an organization’s changes in cyber resilience and policies resulting from a reported incident. The SEC rules would also require enhanced disclosures concerning cyberrisk assessment programs; information concerning the retention of consultants, auditors and third-party vetting; risk management efforts both on the front end and in the wake of a breach; the development of plans to ensure business continuity and recovery after an incident; self-evaluation from prior incidents and corresponding changes to computing procedures; and a “wide-angle” risk assessment addressing cyber perils.
While it remains to be seen what the final rules will look like, the proposal has raised some concerns. Perhaps the most vexing is the four-day reporting period following a determination of materiality, given the realities and uncertainties that linger for the first phases of forensic review after an incident. Another noteworthy aspect of the proposed rules is the requirement of highly specific disclosures regarding designated officers overseeing a company’s cybersecurity policies and procedures. While disclosure can be necessary to ensure accountability, this information could also be used by hackers to gain an advantage in their system intrusion efforts.
Ultimately, the SEC will likely provide a more stringent set of disclosure and reporting requirements for organizations under its purview in the future.
Directors and officers are already under greater scrutiny for their organization’s cybersecurity and resilience. Shareholder derivative and securities class action suits alleging failures on this front have already targeted several public companies, with liability exposures reaching as high as nine figures in certain cases. The expense of defending these suits has also been substantial, regardless of outcome. Accordingly, the civil litigation perils cannot be overlooked. State and federal regulators may also pursue redress, further increasing the liability exposure.
Inventory and Preserve Your Insurance Coverage Benefits and Rights
With the scourge of ransomware and the heightened scrutiny of company boards in the wake of a cyberattack, some insurance underwriters are approaching insurance policy terms for cyber far more cautiously than in years past. Increased premiums and attempts to sublimit important insurance protection have become more prevalent over the last several months. In the D&O insurance realm, some underwriters are reportedly looking into restricting or even eliminating D&O coverage for cyber-related claims. Whether public companies are ever actually faced with such exclusions remains to be seen, but reportedly some private companies have already encountered such exclusions.
Quality cyber insurance in the current environment is particularly useful, as it can expressly cover regulatory defense costs as well as regulator-imposed litigation damages and penalties. Cyber insurance may also cover organizations and their managers for alleged failures to comply with policies restricting the disclosure, sharing or selling of personally identifiable information (PII), and for alleged failure to correct inaccurate PII, but such coverage may be conditioned on having a data management policy already in place.
Quality D&O insurance provides valuable protection from cyber liability given that it provides broad “wrongful acts” coverage and as yet rarely contains (in the case of public companies) an exclusion for cyber claims or claims brought under federal or state securities laws. When facing multi-faceted cyber incidents, directors, officers and their organizations likely have important insurance coverage protection under other types of policies as well, including under crime, property, inland marine, general liability, and E&O insurance.
Additional Cyber Risk Management Considerations
Of course, cyberrisk management does not stop with the purchase of insurance. Senior company management can further protect themselves and their organizations through various means.
From a broad management standpoint, it is important that they keep themselves informed of the risks, dedicate the necessary IT security resources to safeguard systems and mobile devices, and employ network security specialists, including CISOs. Other important steps include data mapping to better understand what information resides in the company network and where, and securing systems when third parties, cloud computing services and vendors are used and given access, whether on the organization’s own servers or the servers of third parties. Regular patching and updating of systems and software; retiring legacy systems that are no longer supported; credentialing data access within the organization; using encryption technology; and limiting the use of new technology until it is battle-tested from a security standpoint are also essential steps.
The SEC’s proposed new cyber rules are an unmistakable marker of the shape of things to come. It is likely that in the future, officers and boards will be under greater scrutiny from a host of stakeholders, including regulators, when it comes to responsibly discharging their duties and oversight of cybersecurity.