A new SEC cyberattack reporting rule has left public companies and insurers exposed to potential regulatory probes and shareholder class actions alleging senior executives failed to supervise their businesses’ cybersecurity practices.
The US Securities and Exchange Commission recently issued rules that formally outlined directors’ responsibilities in cybersecurity governance for the first time, laying the groundwork for potential enforcement actions.
The rule also set a road map for investors to bring derivative claims alleging a company’s senior executives breached their fiduciary duty by failing to manage cyber risks. And it put insurers on alert that they could find themselves exposed to underlying claims, insurance attorneys say.
“The plaintiff bar is drooling. They’re like, ‘when does this go into effect?’” said Kelly Geary of EPIC Insurance Brokers & Consultants.
Though the practice is not yet universal, a growing number of director and officer (D&O) policies are being drafted with cyber-related exclusions. Meanwhile, most cyber insurance policies exclude SEC enforcement actions and investor claims, though some cover allegations against a company’s executives over their cybersecurity roles.
As a result, public companies may soon find themselves in the “worst of both worlds,” where neither cyber nor D&O policies pay the legal bills arising from SEC investigations and investor lawsuits, said Steven Weisman, a partner at McCarter & English, LLP. D&O policies ordinarily cover claims and regulatory probes brought against a company and its directors and officers.
“It’s time for public companies to reassess their insurance program to ensure that they have coverage,” Weisman said. “Some cyber policies cover fines and penalties from the FCC, the FTC, and state regulatory agencies, but not the SEC.”
The rule will accelerate D&O insurers’ efforts to exclude cyber incidents and privacy violations, Geary said. D&O carriers can rely on the exclusions to deny claims alleging directors were lax in their oversight of a cyberattack that exposed consumers’ and employees’ personal information. Insurance carriers will also conduct tougher underwriting for cyber risks and add more restrictive terms to current policies, brokers say.
“I’m sure D&O underwriters are thinking very hard about all of this,” Geary said, referring to regulator and investor claims that will likely stem from the SEC cyberattack reporting rule.
Board Scrutiny
In its adopted rule, the SEC asked companies for the first time to describe their senior executives’ roles and expertise in managing cybersecurity threats, whose consequences often include business interruption and reputational damage after a cyber incident.
The cyber literacy of Fortune 500 senior executives is often inadequate, and there has been an increase in shareholder derivative suits that specifically target board members about cyber failures, insurance analysts say.
The rule will embolden plaintiffs to bring duty-of-oversight claims against companies and their directors, and “make a public company’s insurance application process more onerous” because underwriters will grill policyholders over their cybersecurity procedures, said Geary.
Businesses should be vigilant in the next annual renewal cycle of their general liability, cyber, and D&O policies to check whether insurers are adding new restrictions in response to the SEC rule, said Weisman.
“Now that the SEC is regulating cyber disclosures, there may be an incentive for D&O insurers to not want to insure that risk or to only insure that risk for additional premiums so we might start to see more cyber exclusions,” said David Cummings, a Reed Smith LLP partner who represents corporate policyholders.
There’s a potential flip side: If a company can show it has mature cybersecurity measures, insurers may offer “more favorable terms, better coverage, and lower deductibles,” said Katherine Keefe, cyber incident management leader at broker Marsh McLennan. But carriers haven’t rewarded policyholders with premium discounts yet, she said.
Cyber Underwriting Data
On the whole, forcing companies to disclose cyberattack incidents and security measures will help insurers to make more accurate decisions about corporate cyber risks, said Avery Dial, a partner at Kaufman Dolowich Voluck, LLP.
“People will be able to see and compare what’s being done,” Dial said.
Cyber insurance is a relatively new product that has seen huge price jumps amid rising hacks in the last few years. Ransomware attacks against industrial organizations increased by 87% in 2022 from the year before, according to cybersecurity company Dragos Inc.
One of the key challenges for cyber underwriting has been the lack of historical and comparable data, because many companies have never reported their cyber incidents.
Last October, Uber Technologies Inc.’s former security officer was convicted of concealing a 2016 data breach that exposed the information of 57 million Uber users and drivers. Uber took a year to report the incident.
Now the SEC is telling public companies that they can no longer withhold that kind of information, said Marsh’s Keefe.
The publicly reported cyber data will give insurers a second source to verify what companies disclosed on their insurance applications, said Cummings. More transparency around companies’ cyber measures will also help to stabilize cyber insurance prices, he said.
The disclosures may be of little use, however, for investors and insurers trying to forecast how a company will weather a cybersecurity incident because cyber risks are rapidly changing.
Even when a company has the strongest cyber security measures and insurance policies, there is no assurance that a future cyber incident will be covered “if a hacker is creating some new attack strategy that no one in the insurance or brokerage business thought of yet,” said Alex Sugzda, a partner at Cohen Ziffer Frenchman & McKenna who represents policyholders.
“The risk itself evolves at a rate that is more rapid than our annual policy period,” EPIC’s Geary said.