Perspectives: The intersection of cybersecurity risk reporting and insurance — past, present and future

As companies continue to transition to digital technologies to conduct their operations, cyber-related risk exposures and the severity of cyber-related incidents continue to increase. For public companies, this has translated into an interesting evolution in the disclosure of cyber-related governance, risk and incidents. 

The evolution of disclosure

Public companies listed on a U.S. exchange have an ongoing obligation to disclose information that would be material to an investor’s investment decision. For U.S. domestic issuers, the two disclosure documents that provide the best window into a company’s financial performance, material risks, and corporate governance structure, including its risk management strategy, are its annual report on Form 10-K and the proxy statement for its annual meeting of shareholders.

Take Microsoft Corp., for example. In its 10-K filed in 2010, it bundled the risk of a major cyberattack within its discussion of other catastrophic risks, such as a major earthquake, weather event or terrorist attack. Those risks took up about half a page. That same year, Microsoft’s governance-related risk oversight discussion didn’t mention cybersecurity. Note that Microsoft wasn’t alone in how it approached cyber-related disclosure at that time.

Fast forward to Microsoft’s most recent filings: cybersecurity risk, data privacy and platform abuse risks take up over four pages of its risk disclosure. Microsoft also provides robust disclosure regarding how its board and management team exercise oversight of cybersecurity risk.

This approach has become commonplace. Notably, some companies have started to reference cyber liability insurance in their risk discussions. A common formulation looks like this: 

“Although we currently maintain errors, omissions, and cyber liability insurance policies covering security and privacy damages, this insurance is limited in scope and subject to exceptions, conditions and coverage limitations and may not cover any or even a substantial portion of the costs associated with any compromise of our information systems or confidential information. In addition, we cannot be certain that the insurance we currently maintain will continue to be available to us at rates we believe are commercially reasonable.”

How did we get from minor references to cyber risk to several pages’ worth of related disclosure? Four events stick out in my mind.

The first is guidance that the U.S. Securities and Exchange Commission issued in 2011 that expressed the regulator’s views regarding disclosure obligations related to cybersecurity risks and incidents. 

The second is a combination of large data breaches, including a 2013 attack at Yahoo Inc. and a 2017 breach at Equifax Inc. — the credit bureau carried a $125 million cyber liability insurance policy at the time of the breach and to date the breach has cost the company approximately $2 billion. It was around this time that more companies began to mention cyber liability insurance in their filings.

The third event was the SEC’s 2018 update of its 2011 guidance. While the SEC provided more color around disclosure, including specifically making a reference to insurance, the fact that it was just guidance led to varying approaches to disclosure. 

Lastly, not satisfied with the state of cyber-related disclosures, in March 2022 the SEC issued proposed rules that would require cybersecurity risk management, strategy, governance and incident disclosure by public companies.

Why disclosure matters

From an investor perspective, robust company disclosure regarding exposure to cybersecurity threats and how those threats are managed by the company strengthens investors’ ability to make informed investment decisions. 

Securities fraud lawsuits have been brought against some companies that have suffered cyber breaches. Plaintiffs have alleged that companies concealed known risks or vulnerabilities, and in some instances they have brought actions against boards and managements for alleged failure to carry out their oversight duties of material risks — cyber risk being a material risk that seems to permeate across industries. From a company perspective, robust company disclosure in this area, along with strong related governance practices and risk management strategies, can help provide a basis for companies to defend themselves against these types of lawsuits. 

Another reason this type of disclosure matters is that it requires a company to go through the exercise of assessing its exposure to risk, reviewing related processes and benchmarking against peers. Benefits from this exercise include improved disclosure and improved cyber-related risk management and governance processes.

What’s next?

Some public companies have already reacted to the SEC’s proposed cybersecurity disclosure rules by improving cyber-related disclosure, reassessing management and board expertise and improving governance and/or risk management controls. Those of us in the insurance and risk management industry expect cyber-related disclosure to change in three ways.

1. Increased disclosure of cyber risks and incidents: Disclosure around cyber risks and incidents will become more detailed and specific, as investors and regulators like the SEC demand more transparency and accountability. The SEC’s proposed rules have accelerated the move for some companies and given others a road map on how to improve. As an example of the latter, Hanesbrands Inc. publicly reported that it had become subject to a ransomware attack in May 2022. Its disclosure generally tracked with what was prescribed in the SEC’s proposed cybersecurity disclosure rules that were issued a few months earlier. 

2. Greater detail on cyber risk management: Companies will disclose more information about their cyber risk management practices. Notably, the SEC’s proposed rules require companies to disclose whether they have any directors with cybersecurity expertise. For those boards that do not have directors with cyber expertise, we should expect to see more discussion about how the board is briefed, educated and advised on this topic. We should also expect to see more cybersecurity experts promoted to or recruited into the C-suite as chief information security officers. 

3. Increased disclosure about insurance coverage: While many companies have already started to incorporate general disclosure of cyber liability insurance in their discussion of cyber risks, we should expect to see this continue, especially as coverage limitations and exclusions in cyber liability insurance policies may pose their own risks. However, we should not expect companies to be overly disclosive about the details of their cyber liability insurance programs, including the actual limits they are purchasing, nor would that be a particularly good idea. No one wants to see this otherwise good disclosure turn into a target for bad actors.

Outlook

As disclosure in this area continues to expand, so will the breadth of information available to investors, regulators, plaintiffs’ attorneys and those of us in the risk management and insurance industry. This should allow us to better assess a company’s overall risk profile to improve cybersecurity risk mitigation strategies and develop bespoke cyber liability insurance programs.

Lenin Lopez is a corporate securities attorney at Woodruff Sawyer & Co. in San Francisco. He can be reached at llopez@woodruffsawyer.com.