SEC Cyber Disclosure Costs Spotlight Function of D&O Insurance coverage to Mitigate Cyber Dangers

Following an investigation involving public corporations probably impacted by the 2020 SolarWinds software program compromise, the US Securities and Alternate Fee lately charged a number of corporations with making materially deceptive disclosures relating to cybersecurity dangers and intrusions. The SEC’s enforcement is the newest instance of “cyber as a D&O danger,” underscoring the significance of sustaining sturdy administrators and officers (D&O) legal responsibility protection, together with cyber insurance coverage, as a part of a complete legal responsibility insurance coverage program designed to reply to cyber incidents.

Background

On October 22, 2024, the SEC charged 4 present and former public corporations with making materially deceptive disclosures relating to cybersecurity dangers and intrusions associated to the 2020 SolarWinds Orion hack. The SEC particularly discovered that every firm realized in both 2020 or 2021 that the menace actor behind the SolarWinds Orion hack had accessed their techniques with out authorization, however that the businesses negligently minimized the cybersecurity incident in public disclosures. The businesses did so, the SEC contends, by framing the related cybersecurity danger elements hypothetically or generically once they knew the warned of dangers had already materialized.

The SEC concluded that every firm had violated sure provisions of the Securities Act of 1933, the Securities Alternate Act of 1934 and associated guidelines. With out admitting or denying the SEC’s findings, every firm agreed to stop and desist from future violations of the cited provisions and to pay civil penalties starting from $990,000 to $4 million.

Dialogue

The latest SEC fees proceed the development of elevated federal scrutiny by the SEC, DOJ and FTC following cybersecurity incidents. Particular person administrators and officers might also face private legal responsibility, as regulators have focused not simply corporations, but additionally people, within the wake of main cyber assaults. In 2022, for instance, Uber’s former Chief Info Safety Officer was criminally prosecuted and convicted by the FTC for failing to reveal a knowledge breach throughout an ongoing investigation. Extra lately, the SEC’s far-reaching case towards SolarWinds and its CISO was largely truncated in a highly-anticipated ruling earlier this 12 months, however sure fees towards the CISO had been allowed to proceed.

Cyber insurance coverage stays essential for shielding all corporations from the fallout of a cyber incident—no matter their specific trade or commerce. However with the staggering price of cybersecurity occasions ($9.48 million on common within the US), cyber insurance coverage limits are sometimes shortly eroded, if not exhausted solely, within the speedy aftermath of a cyber occasion. These dangers, mixed with continued enhance in authorities investigations, enforcement actions and follow-on civil and legal claims towards each corporations and people, make complementary D&O protection much more essential to fill any gaps and reply to conventional D&O exposures which will come up following a cybersecurity incident.

From constructing a complete cyber and D&O insurance coverage program to making sure that in-house cybersecurity professionals like CISOs don’t fall by the cracks in conventional insurance policies, we’ve got beforehand outlined widespread pitfalls and finest practices to contemplate in addressing these dangers. Being proactive and consulting with insurance coverage brokers, exterior protection counsel and different danger professionals on the time insurance policies are negotiated, renewed and positioned can assist keep away from surprising denials and maximize the prospect of restoration within the occasion of a declare.