SEC Spotlights Cyber

The industry hasn’t really come up with a nickname for it yet, but it’s regulation S-K, item 106. The purpose of it is to foster consistency amongst filers in disclosure standards, better allowing investors the opportunity to evaluate a company’s cyber risk.

As per the regulation, public filers must describe their cyber posture and their process and board oversight, demonstrating their ability to assess, identify, manage, and remedy cyber risk and cyber events.

With this rule comes a timely incident-reporting trigger: that, within four days of the company determining materiality, they need to disclose the breadth of the event as well as their strategy to remediate. This can be a big burden that has a material impact on our insureds. These are all-hands-on-deck moments for the insured.

There’s a heavy administrative burden where they have to do a sanctions check and work with compliance, work with outside counsel, inside counsel, facilitators, negotiators, regulators and law enforcement, and determine the materiality of what can be a very complex event.

These hackers are sophisticated parties. The technologies they use are cutting edge, and the company may not even fully understand the scope of the matter. I think it’s a big burden. And I think four days is severe, even for the most sophisticated of insureds.

If you consider the more resource-constrained smaller reporting companies, it’s an even taller burden for them to fulfill. We have clients that are pre-revenue with very lean management teams and don’t necessarily have the robust risk management practices that you see for the Fortune 100.

These events can lead to share volatility and scrutiny on how managers manage this event. And post incident, the companies are going to be scrutinized for their pre-event cyber disclosures, what they said to the world and how well they were prepared for it, their post-event disclosures, and the actual handling of the event. It is very easy to foresee plaintiffs firms alleging an overstated strength of cyber posture or a downplayed assessment of the initial incident, alleging investors were falsely informed, when in reality, there is an evolution to the discovery.

The coverage already considers event-driven securities litigation. So should this lead to a securities claim, I don’t think there’s really any need to modify your contract wording. D&O underwriters are now sounding more like cyber underwriters in our meetings as we ask about cyber posture and readiness plan should an event happen.

For the most part, I think it’ll be business as usual for risk-managed companies.

While D&O policies do speak to regulatory matters, they have varying degrees of entity coverage. Typically a public D&O contract is for the directors and officers and the entity of the company, but the entity is typically only covered for securities claims. While there will be some regulatory coverage for the individuals, and the definition of insured person tends to be very broad, clients should ensure their policy includes officers of the company such as their CISO.

Where I think you could find a potential gap in coverage is in the entity coverage for the regulatory matter that comes along with it. If there’s an SEC inquiry or regulatory matter, policies typically provide some form of regulatory coverage for the individuals and sometimes for the individuals and the company on a co-defendant basis. But not often for the company on a stand-alone basis. There are a lot of bespoke policies out there, with a broad variety of coverage enhancements, that may resolve such gaps in entity coverage.

I think it’s worth it for insureds to work with their brokers, work with their carriers, do a cross-policy analysis and see where they may be bare, because there may be areas of gap between various products—between the cyber product and the D&O product, between the GL and the E&O and whatever other products they purchase. It’s worth it for insureds to take a broad look at their risk matrix and see where there may be gaps in coverage and work with their carriers to find solutions.

Yeah, I think anytime you have a new regulation, there’s opportunity for failure—or at least the allegation of failure. I think it’ll contribute to frequency of claims. It’s to be determined if it contributes to severity of claims. But the plaintiffs bar is good at whipping these things up.

I absolutely think this will contribute to litigation, especially now that there are more areas to be critiqued, including the initial assessment of their cyber posture, the assessment of the event itself, and then the scrutiny of managing the event. If any one of those areas goes wrong—we will see the headlines.