Jeremy King of Olshan Frome Wolosky analyzes cyber risk management issues that companies should prioritize in response to new SEC reporting requirements for cybersecurity incidents and threats.
With new SEC cybersecurity rules in effect, public companies face increased pressure to implement an enterprise-wide approach to risk assessment, loss mitigation, and incident reporting.
Cyber insurance is one part of a risk strategy. However, the impact of new SEC rules on the insurance market is uncertain, and market conditions suggest companies should begin reviewing their programs to prepare for new reporting requirements in annual reports for fiscal years ending on or after Dec. 15.
The New Rules
The new rules cover current reporting of material cybersecurity incidents and annual reporting of oversight and management of material risks from cybersecurity threats.
The incident reporting rule mandates Form 8-K disclosure within four business days of determining that a company experienced a material cybersecurity incident, with limited exceptions. This requires an in-place cyber threat analysis-and-response plan that incorporates obligations the company may have under its insurance policies. The annual reporting rule creates potential avenues of liability for board members and executives when disclosures made are inevitably tested in litigation.
Cyber Insurance Market
In May, Fitch Ratings reported an increase to over $7 billion in direct written cyber insurance premiums in 2022 from approximately $2 billion in 2018, and the demand continues. Rates increased at about 15% during the fourth quarter of 2022, versus 34% a year earlier.
But increased need due to cybersecurity events, as well as the uncertain impact of the new SEC rules, suggests public companies should work with counsel to proactively design a cybersecurity risk management plan that includes a robust insurance component.
Emerging Risk Management Issues
Plans should address liability for privacy violations, fraudulent transfer of monies, and even direct loss due to ransomware payments. The new SEC rules raise ancillary loss and liability concerns resulting from potential litigation over compliance and the adequacy of disclosures made in public filings.
This requires heightened diligence during the underwriting phase. As companies approach a cyber risk management environment that requires public reporting, they should pay attention to:
- Management Liability. Derivative and securities-related lawsuits generally fall within a company’s directors and officers insurance program. However, D&O policies may contain language that precludes coverage for losses arising from cyber incidents or hacking. Others may include invasion of privacy within exclusionary language applying to bodily injury claims. While some cyber liability policies contain limited coverage for management, the best course is to anticipate how new management liability risks will be covered rather than litigate how current D&O policy language applies to a lawsuit alleging failure to meet cyber reporting and disclosure requirements.
- Direct Losses. The new rules don’t define materiality for cyber risks, but an incident may cause multiple vectors of loss. The risk management program should address loss or corruption of data, malicious harm to servers, and loss of income due to a cyber event. Companies should also consider how they’d be protected under an insurance program if a cyber incident is suffered by a vendor or other third party.
- Consistently Accurate Information. Public reporting of cybersecurity governance and risk management strategy underscores the need for intra-company coordination during the underwriting process to ensure consistency and accuracy of information.
- Social Engineering. Despite the best security procedures, losses from phishing or similar scams still happen. Insurance programs should be carefully reviewed to cover this type of fraud.
- Coordinated Response. Many cyber insurance products dictate who will investigate and respond to an event. If the company has preferred vendors or a pre-existing team familiar with the company’s cybersecurity infrastructure, approval of such third parties should be addressed in the policy.
These are only examples of issues that will need to be coordinated as risk management programs are tailored. Underwriting sophisticated coverage programs likely will become more complex as the cyber insurance market matures to address changing regulatory environments.
Compliance with increasingly complex disclosure requirements and insurance policy obligations requires a considered risk management plan and timely advice from experienced counsel to maximize available benefits and reduce the impact of a cyber incident.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author Information
Jeremy King is a partner at Olshan Frome Wolosky. He concentrates his practice on insurance coverage actions and other civil litigation matters.