SEC Cyber Disclosure Prices Spotlight Position of D&O Insurance coverage to Mitigate Cyber Dangers

Following an investigation involving public firms probably impacted by the 2020 SolarWinds software program compromise, the US Securities and Alternate Fee just lately charged a number of firms with making materially deceptive disclosures concerning cybersecurity dangers and intrusions. The SEC’s enforcement is the most recent instance of “cyber as a D&O danger,” underscoring the significance of sustaining strong administrators and officers (D&O) legal responsibility protection, together with cyber insurance coverage, as a part of a complete legal responsibility insurance coverage program designed to answer cyber incidents.

Background

On October 22, 2024, the SEC charged 4 present and former public firms with making materially deceptive disclosures concerning cybersecurity dangers and intrusions associated to the 2020 SolarWinds Orion hack. The SEC particularly discovered that every firm discovered in both 2020 or 2021 that the risk actor behind the SolarWinds Orion hack had accessed their methods with out authorization, however that the businesses negligently minimized the cybersecurity incident in public disclosures. The businesses did so, the SEC contends, by framing the related cybersecurity danger elements hypothetically or generically after they knew the warned of dangers had already materialized.

The SEC concluded that every firm had violated sure provisions of the Securities Act of 1933, the Securities Alternate Act of 1934 and associated guidelines. With out admitting or denying the SEC’s findings, every firm agreed to stop and desist from future violations of the cited provisions and to pay civil penalties starting from $990,000 to $4 million.

Dialogue

The latest SEC expenses proceed the development of elevated federal scrutiny by the SEC, DOJ and FTC following cybersecurity incidents. Particular person administrators and officers may additionally face private legal responsibility, as regulators have focused not simply firms, but additionally people, within the wake of main cyber assaults. In 2022, for instance, Uber’s former Chief Data Safety Officer was criminally prosecuted and convicted by the FTC for failing to reveal an information breach throughout an ongoing investigation. Extra just lately, the SEC’s far-reaching case towards SolarWinds and its CISO was largely truncated in a highly-anticipated ruling earlier this 12 months, however sure expenses towards the CISO have been allowed to proceed.

Cyber insurance coverage stays vital for shielding all firms from the fallout of a cyber incident—no matter their explicit trade or commerce. However with the staggering price of cybersecurity occasions ($9.48 million on common within the US), cyber insurance coverage limits are sometimes rapidly eroded, if not exhausted solely, within the quick aftermath of a cyber occasion. These dangers, mixed with continued improve in authorities investigations, enforcement actions and follow-on civil and legal claims towards each firms and people, make complementary D&O protection much more vital to fill any gaps and reply to conventional D&O exposures which will come up following a cybersecurity incident.

From constructing a complete cyber and D&O insurance coverage program to making sure that in-house cybersecurity professionals like CISOs don’t fall by the cracks in conventional insurance policies, we’ve got beforehand outlined frequent pitfalls and greatest practices to contemplate in addressing these dangers. Being proactive and consulting with insurance coverage brokers, outdoors protection counsel and different danger professionals on the time insurance policies are negotiated, renewed and positioned can assist keep away from surprising denials and maximize the prospect of restoration within the occasion of a declare.