Feds outline broad cyber disclosures

Proposed U.S. Securities and Exchange Commission cybersecurity rules would provide some much-needed standardization for companies seeking to determine how much and when to reveal cyber-related intrusions to their investors, experts say.

It is unclear what impact the rules would have on cyber or directors and officers liability rates.

Also, some contend that a provision in the proposed rules that states companies must reveal cyber events within four business days of learning of a “material” incident is unduly vague and as it stands would be difficult to comply with (see related story below).

In addition to reporting incidents, the proposal would require publicly held companies to disclose their cybersecurity policies and report on their board’s cybersecurity expertise, among other provisions. 

In issuing the proposal, SEC Chair Gary Gensler said in a statement that companies and investors would benefit if cybersecurity information “were required in a consistent, comparable, and decision-useful manner.”

The proposed cybersecurity rules join other recent SEC proposals focusing on special purpose acquisition companies and disclosure of climate-related risks, among others. 

“There was a certain air of inevitability” to the cyber proposal, said Kevin LaCroix, executive vice president in Beachwood, Ohio, for RT ProExec, a division of R-T Specialty LLC. It had been more than 10 years since the agency first addressed the issue, he said.

The SEC’s Division of Corporation Finance issued interpretive guidance concerning cybersecurity obligations in 2011, then issued additional guidance to reinforce and expand upon it in 2018.

Shannon Groeber, New York-based executive vice president of CFC Underwriting Ltd., said, “We like to see a step toward more prescriptive guidance” as to what companies should be disclosing.

Compliance with the proposal would be somewhat onerous, however, said Andrew Doherty, New York-based national executive and professional risk solutions practice leader for USI Insurance Services LLC.

“Companies will have to revisit their rules and governance structure” and look at their board’s cybersecurity experience, he said. “It puts this issue, certainly, closer to the top of the risk issues for all public companies, not just technology companies or financial institutions, which probably have the most exposures.”

Ms. Groeber described the proposed requirement to report the board’s cybersecurity expertise as positive. It elevates recognition of the issue to the board level, a direction in which some companies have already moved, she said. 

Experts say publicly held companies’ readiness for the proposal varies. 

Some companies are probably making these disclosures already, even if they are not necessarily doing so in their SEC filings or in the exact form the agency may ultimately require, said Matthew McLellan, Washington-based managing director and D&O product leader for Marsh LLC.

There are companies that have been “investing in cyber security for a long time,” and large financial institutions are likely to be ready as well as other large, publicly held companies, said Joshua Gold, a shareholder with Anderson Kill P.C. in New York. 

But other companies might not “fully appreciate how bad the risk environment is right now” and have not made it a top priority, he said.

Observers say the regulation could have implications for both cyber and D&O policies, although these are difficult to determine at this point. 

“Cyber insurance in particular is in a constant state of evolution, so it’ll be interesting to see how insurers adjust their language” in response to the proposed rules, said policyholder attorney James S. Carter, a partner with BlankRome LLP in Washington. 

Its effect on the cyber market remains to be seen, as the proposal adds more complexity to information sharing, Ms. Groeber said. 

“If we discover large numbers of companies are not complying, it puts them at risk of being subject to further restrictions of capacity or coverage terms, but it also provides a baseline measure to make sure they’re being protected,” she said.

Ms. Groeber added that “there could be a very short knee-jerk reaction” in the market while the proposed controls are implemented. 

D&O insurers have concerns about covering cyber claims, particularly regarding their obligation to provide coverage for investigatory and regulatory expenses, Mr. Gold said. “I think we’ll see more fights, and probably tougher fights,” on this issue.

Meanwhile, there is a fear that the proposed rules would “create sort of a roadmap” for plaintiffs attorneys, who will look at what companies have said about board oversight, seize on subsequent incidents and charge that the board either made misrepresentations or was not fulfilling its oversight obligations, Mr. LaCroix said.

Ambiguity in proposed rules raises concerns

Although the final wording of the U.S. Securities and Exchange Commission’s proposed cybersecurity rules has not been determined, a provision that would require publicly traded companies to disclose information about “material” cybersecurity incidents within four business days has some experts worried.

For starters, the term “material” is ambiguous, they say. 

“It’s not really clear what is definitively material versus what is not,” aside from situations such as when ransomware shuts a company down and its data is exfiltrated, said Tara Bodden, general counsel and head of claims at insurtech At-Bay Inc. in San Francisco. 

“There’s not a lot of runway when you demand an organization tell you whether or not an incident was material,” which can take several weeks or even months to determine, said John Farley, New York-based managing director of Arthur J. Gallagher & Co.’s cyber liability practice. “This is a really tough mandate to meet,” he said.

Robert Rosenzweig, New York-based national cyber risk practice leader and commercial New York metro regional leader at Risk Strategies Co., said, “Beyond the ability to respond in that timely a fashion, there certainly is an argument for many reasons as to why going public with something that quickly could have ramifications” on the business and the investigation, particularly if the attack is still ongoing. 

Mr. Farley said the proposal would also require reporting if there were a series of undisclosed incidents that were not necessarily material individually but become so in the aggregate. How does a company determine when that is the case? he asked.

“There will be those gray areas that need to be sorted out,” he said.