SEC Cyber Disclosure Charges Highlight the Role of D&O Insurance in Mitigating Cyber Risks
Following an investigation involving public companies potentially impacted by the 2020 SolarWinds software compromise, the US Securities and Exchange Commission recently charged several companies with making materially misleading disclosures regarding cybersecurity risks and intrusions. The SEC's enforcement is the latest example of "cyber as a D&O risk," underscoring the importance of maintaining robust directors and officers (D&O) liability coverage, alongside cyber insurance, as part of a comprehensive liability insurance program designed to respond to cyber incidents.
Background
On October 22, 2024, the SEC charged four current and former public companies with making materially misleading disclosures regarding cybersecurity risks and intrusions related to the 2020 SolarWinds Orion hack. The SEC specifically found that each company learned in either 2020 or 2021 that the threat actor behind the SolarWinds Orion hack had accessed its systems without authorization, but that the companies negligently minimized the cybersecurity incident in public disclosures. The companies did so, the SEC contends, by framing the relevant cybersecurity risk factors hypothetically or generically when they knew the warned-of risks had already materialized.
The SEC concluded that each company had violated certain provisions of the Securities Act of 1933, the Securities Exchange Act of 1934 and related rules. Without admitting or denying the SEC's findings, each company agreed to cease and desist from future violations of the cited provisions and to pay civil penalties ranging from $990,000 to $4 million.
Discussion
The recent SEC charges continue the trend of increased federal scrutiny by the SEC, DOJ and FTC following cybersecurity incidents. Individual directors and officers may also face personal liability, as regulators have targeted not just companies, but also individuals, in the wake of major cyber attacks. In 2022, for example, Uber's former Chief Information Security Officer was criminally prosecuted and convicted for failing to disclose a data breach to the FTC during an ongoing investigation. More recently, the SEC's far-reaching case against SolarWinds and its CISO was largely truncated in a highly anticipated ruling earlier this year, but certain charges against the CISO were allowed to proceed.
Cyber insurance remains critical for protecting all companies from the fallout of a cyber incident, regardless of their particular industry or trade. But with the staggering cost of cybersecurity events ($9.48 million on average in the US), cyber insurance limits are often quickly eroded, if not exhausted entirely, in the immediate aftermath of a cyber event. These risks, combined with the continued increase in government investigations, enforcement actions and follow-on civil and criminal claims against both companies and individuals, make complementary D&O coverage even more critical to fill any gaps and respond to traditional D&O exposures that may arise following a cybersecurity incident.
From building a comprehensive cyber and D&O insurance program to ensuring that in-house cybersecurity professionals such as CISOs do not fall through the cracks in traditional policies, we have previously outlined common pitfalls and best practices to consider in addressing these risks. Being proactive and consulting with insurance brokers, outside coverage counsel and other risk professionals at the time policies are negotiated, renewed and placed can help avoid unexpected denials and maximize the chance of recovery in the event of a claim.