SEC Cyber Disclosure Charges Spotlight Role of D&O Insurance to Mitigate Cyber Risks



Following an investigation involving public companies potentially impacted by the 2020 SolarWinds software compromise, the US Securities and Exchange Commission recently charged several companies with making materially misleading disclosures regarding cybersecurity risks and intrusions. The SEC’s enforcement is the latest example of “cyber as a D&O risk,” underscoring the importance of maintaining robust directors and officers (D&O) liability coverage, along with cyber insurance, as part of a comprehensive liability insurance program designed to respond to cyber incidents.

Background

On October 22, 2024, the SEC charged four current and former public companies with making materially misleading disclosures regarding cybersecurity risks and intrusions related to the 2020 SolarWinds Orion hack. The SEC specifically found that each company learned in either 2020 or 2021 that the threat actor behind the SolarWinds Orion hack had accessed their systems without authorization, but that the companies negligently minimized the cybersecurity incident in public disclosures. The companies did so, the SEC contends, by framing the relevant cybersecurity risk factors hypothetically or generically when they knew the warned-of risks had already materialized.

The SEC concluded that each company had violated certain provisions of the Securities Act of 1933, the Securities Exchange Act of 1934 and related rules. Without admitting or denying the SEC’s findings, each company agreed to cease and desist from future violations of the cited provisions and to pay civil penalties ranging from $990,000 to $4 million.

Discussion

The recent SEC charges continue the trend of increased federal scrutiny by the SEC, DOJ and FTC following cybersecurity incidents. Individual directors and officers may face personal liability, as regulators have targeted not just companies, but also individuals, in the wake of major cyber attacks. In 2022, for example, Uber’s former Chief Information Security Officer was criminally prosecuted and convicted by the FTC for failing to disclose a data breach during an ongoing investigation. More recently, the SEC’s far-reaching case against SolarWinds and its CISO was largely truncated in a highly anticipated ruling earlier this year, but certain charges against the CISO were allowed to proceed.

Cyber insurance remains essential for protecting all companies from the fallout of a cyber incident, regardless of their particular industry or trade. But with the staggering cost of cybersecurity events ($9.48 million on average in the US), cyber insurance limits are often quickly eroded, if not exhausted entirely, in the immediate aftermath of a cyber event. These risks, combined with the continued increase in government investigations, enforcement actions and follow-on civil and criminal claims against both companies and individuals, make complementary D&O coverage even more critical to fill any gaps and respond to traditional D&O exposures that may arise following a cybersecurity incident.

From building a comprehensive cyber and D&O insurance program to ensuring that in-house cybersecurity professionals like CISOs don’t fall through the cracks in traditional policies, we’ve previously outlined common pitfalls and best practices to consider in addressing these risks. Being proactive and consulting with insurance brokers, outside coverage counsel and other risk professionals at the time policies are negotiated, renewed and placed can help avoid unexpected denials and maximize the chance of recovery in the event of a claim.
