SEC Cyber Disclosure Charges Spotlight Role of D&O Insurance to Mitigate Cyber Risks
Following an investigation involving public companies potentially impacted by the 2020 SolarWinds software compromise, the US Securities and Exchange Commission recently charged several companies with making materially misleading disclosures regarding cybersecurity risks and intrusions. The SEC's enforcement is the latest example of "cyber as a D&O risk," underscoring the importance of maintaining robust directors and officers (D&O) liability coverage, together with cyber insurance, as part of a comprehensive liability insurance program designed to respond to cyber incidents.
Background
On October 22, 2024, the SEC charged four current and former public companies with making materially misleading disclosures regarding cybersecurity risks and intrusions related to the 2020 SolarWinds Orion hack. The SEC specifically found that each company learned in either 2020 or 2021 that the threat actor behind the SolarWinds Orion hack had accessed its systems without authorization, but that the companies negligently minimized the cybersecurity incident in public disclosures. The companies did so, the SEC contends, by framing the relevant cybersecurity risk factors hypothetically or generically when they knew the warned-of risks had already materialized.
The SEC concluded that each company had violated certain provisions of the Securities Act of 1933, the Securities Exchange Act of 1934 and related rules. Without admitting or denying the SEC's findings, each company agreed to cease and desist from future violations of the cited provisions and to pay civil penalties ranging from $990,000 to $4 million.
Dialogue
The recent SEC charges continue the trend of increased federal scrutiny by the SEC, DOJ and FTC following cybersecurity incidents. Individual directors and officers may also face personal liability, as regulators have targeted not just companies, but also individuals, in the wake of major cyber attacks. In 2022, for example, Uber's former Chief Information Security Officer was criminally prosecuted and convicted by the FTC for failing to disclose a data breach during an ongoing investigation. More recently, the SEC's far-reaching case against SolarWinds and its CISO was largely truncated in a highly anticipated ruling earlier this year, but certain charges against the CISO were allowed to proceed.
Cyber insurance remains critical for protecting all companies from the fallout of a cyber incident, regardless of their particular industry or trade. But with the staggering cost of cybersecurity events ($9.48 million on average in the US), cyber insurance limits are often quickly eroded, if not exhausted entirely, in the immediate aftermath of a cyber event. These risks, combined with the continued increase in government investigations, enforcement actions and follow-on civil and criminal claims against both companies and individuals, make complementary D&O coverage even more critical to fill any gaps and respond to traditional D&O exposures that may arise following a cybersecurity incident.
From building a comprehensive cyber and D&O insurance program to ensuring that in-house cybersecurity professionals like CISOs don't fall through the cracks in traditional policies, we have previously outlined common pitfalls and best practices to consider in addressing these risks. Being proactive and consulting with insurance brokers, outside coverage counsel and other risk professionals at the time policies are negotiated, renewed and placed can help avoid unexpected denials and maximize the prospect of recovery in the event of a claim.