D&O in Cyber Spotlight
A recent global report by WTW and Clyde & Co. said cyber attacks, data loss, and cyber extortion are the top risks facing boards of directors and executives.
Cyber attacks and data loss have been in the top two slots since 2018, but cyber extortion was a surprise newcomer in third place this year, with 59% of respondents listing it as a key risk. We can thank ransomware for that.
The report notes that, while U.K. courts have tried to limit the scope of damages for immaterial cyber losses, “there is an evolving body of case law on a European level in terms of a company’s liability in this regard and an increasing risk that insufficient engagement with cyber issues poses a liability risk for directors and officers (D&Os) on many fronts, including class actions.” This tracks a U.S. trend of shareholder and securities lawsuits filed against directors and officers following major cyber incidents for failure to implement reasonable security controls or for misrepresenting cyber risks to investors. Even if the cases do not fare well in the courts, they usually settle on appeal, thereby ensuring these suits will continue. Boards that do not have a cyber governance framework in place, don’t monitor compliance with privacy and cyber-security requirements, and don’t make appropriate disclosures to investors are increasingly likely to face D&O litigation.
Violet Sullivan, law professor at Baylor University School of Law and renowned expert on incident response, recently noted in CPO Magazine that personal liability is a risk for directors and officers who knowingly fail to meet their oversight responsibilities: “Recent lawsuits, such as the T-Mobile shareholder derivative lawsuit filed in November 2021, indicate that D&O personal liability is a dramatic and new concern, particularly when it is alleged that the directors and executives ‘aided, abetted, and/or assisted each other in breaching their respective duties’ [citing The D&O Diary].”
Sullivan also mentions that “there are plenty of recent cases in the discovery phase that will be interesting to watch in the area of D&O liability, including In Re SolarWinds in the Western District of Texas.” In the SolarWinds complaint, defendants include the company’s CEO, CFO and VP of security architecture plus two private equity firms each owning about 40% of the company. The suit alleges the defendants failed to implement appropriate cyber-security measures and engaged in material misrepresentations or omissions. A motion to dismiss was denied in March 2022.
Here Come the Regulators
U.S. regulators are seemingly tired of trying to coax, cajole and coerce corporate leaders into managing cyber risks. The Securities and Exchange Commission made a big splash on March 9, 2022, when it released proposed rules on cyber-security risk management and governance. SEC chair Gary Gensler stressed that both companies and investors would benefit if cyber-security disclosures were presented in a “consistent, comparable, and decision-useful manner.”
The proposed rules require companies to report material cyber-security incidents and to provide periodic updates on previously reported cyber-security incidents. The proposed rules also require periodic reporting about a company’s cyber-security policies and procedures to identify and manage cyber risks. In addition, they distinguish between the board’s oversight responsibilities and management’s role in assessing and managing cyber-security risks and implementing the cyber-security program. The proposed rules require annual reporting or certain proxy disclosure about the board of directors’ cyber-security expertise, if any.
The 60-day comment period on the proposed rules closed on May 9, with nearly 150 comments submitted from a wide range of stakeholders. Certain provisions in the proposed rules attracted more attention than others. David Navetta, vice chair of law firm Cooley’s cyber/data/privacy practice, reviewed the comments and notes some of the top issues raised by commenters and their proposed approaches. “This rulemaking has the potential to significantly impact public companies and will certainly be looked upon by other regulators, so it is important that problem areas be analyzed and other approaches considered,” says Navetta.
Reporting of Material Incidents: In an attempt to correct the perceived underreporting of material cyber incidents and delays in reporting, the SEC included a requirement in the proposed rules that a company must disclose material cyber-security incidents in a Form 8-K within four business days after it determines it has experienced a material incident. Although the four-day rule already exists for Form 8-K, the rub is in the requirement of determining materiality and reporting on it within four days. The proposed rule requires that the following information be included in the 8-K about an event, to the extent it is known:
- When the incident was discovered and whether it is ongoing
- A brief description of the nature and scope of the incident
- Whether any data were stolen, altered, accessed or used for any unauthorized purpose
- The effect of the incident on the company’s operations
- Whether the company has remediated or is currently remediating the incident.
Anyone who has ever been involved in a serious cyber incident knows that answers do not come swiftly in forensic investigations and many of the early “answers” are later revised. Four days is too soon to know this level of information. Moreover, the purpose is not achieved if investors are provided early but wrong information. Navetta sensibly suggests, “A more appropriate standard would follow many state breach laws and require reporting a material incident ‘without unreasonable delay.’”
Law Enforcement and National Security Exceptions for Reporting: The proposed rules do not provide for a delay in reporting material incidents if based on a request from law enforcement or for national security considerations. Navetta correctly notes that announcing a material incident within four days can (1) tip off the criminals, result in further damage to the company’s systems and/or data, and impede attribution and arrest of the criminals or (2) alert the public to an attack before a patch is available, putting critical infrastructure and a wide range of companies at risk. “Requiring reporting first to law enforcement (with confidentiality guarantees) or allowing a delay until a patch is available would at least allow companies to safely manage these important issues,” Navetta explains. The SEC, however, said in the proposed rules, “On balance, it is our current view that the importance of timely disclosure of cybersecurity incidents for investors would justify not providing for a reporting delay.”
Definition of Key Terms: Comments to the SEC rightly note that varying definitions of “cyber-security incident,” “cyber-security threat,” and “information systems” create ambiguities and compliance issues. NIST, the Cybersecurity Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), presidential policy directives, and the SEC each have varying definitions of these terms. “The problem here is that cyber incidents range in severity and impact,” notes Navetta. “Although the comments clearly called for consistent definitions, on a practical level [when] taking action on a particular event, including reporting, the focus should be on the particular circumstances of the event and its potential impact to the company, not the vagaries or ambiguities inherent in a particular definition.” Navetta suggests the analysis should consider the impact on data or systems, the financial impact of the incident, and the certainty of the investigation.
Disclosure of Cyber Risk Management, Strategy and Cyber-Security Program: Many commenters raised the age-old argument that providing disclosures on a company’s cyber-security program and risk management strategy would be giving the criminals “keys to the kingdom.” That is a scare tactic and not supported by common sense. Most companies go to great lengths to protect information about their cyber-security controls; moreover, the details of how a company has implemented its program are not what the SEC is seeking.
All public companies should be pegging their cyber-security program to one or more standards and best practices. Stating that is not a risk. Navetta raises the concern, however, that “having to make broad statements about security risks can expose a company to liability if those statements prove to be incomplete, inaccurate or not adequately qualified. This is especially true for larger or more complex organizations whose information security controls and risks may vary throughout the organization.” Maybe so, but this is a requirement many of us in the security field have been requesting for 20 years. It is time for companies to make these disclosures, because it will help advance cyber-security maturity in these organizations.
On June 29, 2022, the Office of Management and Budget’s Office of Information and Regulatory Affairs placed the SEC Cybersecurity Rule in “Final Action” and noted it was scheduled for April 2023. It remains to be seen what amendments, if any, will be made to the proposed rule, but it seems certain that the SEC is going to come down on the side of the investor over the convenience of the public company or assistance to law enforcement.
The bottom line is that companies need to take action now to protect against D&O lawsuits and meet SEC compliance requirements. The SEC’s proposed rule actually goes a long way toward requiring cyber governance frameworks at the board and executive levels that will help protect investors—and shield the company against D&O lawsuits.
In these intervening six months, agents and brokers would do well to contact their public company clients and discuss their cyber insurance—particularly D&O coverage—taking into account the proposed rules and how they could impact each client. This is an ideal time for companies to add cyber-security expertise to their boards, conduct comprehensive cyber risk assessments, identify key risks, and specify cyber risk management responsibilities for directors and executives. Not only will these actions help position companies for compliance with the SEC final rule, they will also leave them better prepared in the event of a significant cyber incident and protect them against potential D&O litigation.