On July 26, 2023, the SEC adopted final rules regarding mandated disclosures of cybersecurity incidents for public companies (registrants) that are subject to the reporting requirements of the Securities Exchange Act of 1934. The rules are effective as of September 5, 2023, and require public disclosure of a cybersecurity incident. Consequently, companies will need to update their corporate governance with respect to incident response plans and the board of directors’ oversight of cybersecurity risks. Companies also will need to review their D&O policies and any other relevant insurance policies.
The focus of the disclosure rule is “materiality”—a term not defined in the rule. In issuing its guidance however, the SEC stated that the “materiality” standard would be consistent with the standard established through the
securities laws and interpretive case law, i.e., “information is material if ‘there is a substantial likelihood that a reasonable shareholder would consider it important’ in making an investment decision, or if it would have ‘significantly altered the ‘total mix’ of information available.’ “Doubts as to the critical nature of the relevant information should be resolved in favor of those the statute is designed to protect, namely investors.” [Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure p.14 (citations omitted)].
Adoption of these rules was not without controversy and criticism. For example:
For the 10-K and Form 20-F disclosures, disclosures will be due with annual reports for fiscal years ending on or after December 15, 2023. For Form
8-K and Form 6-K disclosures, the disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register, or December 18, 2023. Smaller companies have an additional 180 days to comply.
Both Insurers and Insureds will be affected by the new rules. Insurers will need to conduct a more comprehensive review of a company’s corporate governance related to these issues and price accordingly. For companies that are minimally compliant or non-compliant, there may be limited markets willing to underwrite to them.
From a liability perspective, it is likely that companies will face a greater likelihood of derivative and securities cases related to disclosure failures on the new rules.
Companies should expect continued increases in Book & Record Demands over governance issues. Lawsuits over “materiality” will increase as will securities suits involving breach of fiduciary duty claims and securities violations involving false and misleading statements by commission or omission. Boards and management will be exposed to duty of oversight suits and, possibly, increased third-party risk.
It is also likely that new rules will increase investigation oversight by the SEC. While individual targets of investigations have broad coverage under most D&O policies, there is great debate and wide variance in the policies with respect to coverage for the Entity as it relates to formal investigations. Companies should decide how they want their D&O policy to respond to this balance sheet risk and to what extent. Policies vary significantly, but options for coverage include:
Understanding your policy and the coverage available to you could materially impact the balance sheet protection you have when facing these formal investigations.
The information, analyses, opinions and/or recommendations contained herein relating to the impact or the potential impact of coronavirus/COVID-19 on insurance coverage or any insurance policy is not a legal opinion, warranty or guarantee, and should not be relied upon as such. This communication is intended for informational use only. Given the on-going and constantly changing situation with respect to the coronavirus/COVID-19 pandemic, this communication does not necessarily reflect the latest information regarding recently-enacted, pending or proposed legislation or guidance that could override, alter or otherwise affect existing insurance coverage.
This communication is intended for informational use only. As insurance agents or brokers, we do not have the authority to render legal advice or to make coverage decisions, and you should submit all claims to your insurance carrier for evaluation. At your discretion, please consult with an attorney at your own expense for specific advice in this regard.
This bulletin is provided for informational purposes only. McGriff is not providing legal advice and recommends you consult with your own counsel for legal guidance/opinion. The information, analyses, opinions and/or recommendations contained herein relating to the impact or the potential impact of coronavirus/COVID-19 on insurance coverage or any insurance policy is not a legal opinion, warranty or guarantee, and should not be relied upon as such. This communication is intended for informational use only. As insurance agents or brokers, we do not have the authority to render legal advice or to make coverage decisions, and you should submit all claims to your insurance carrier for evaluation. Given the on-going and constantly changing situation with respect to the coronavirus/COVID-19 pandemic, this communication does not necessarily reflect the latest information regarding recently-enacted, pending or proposed legislation or guidance that could override, alter or otherwise affect existing insurance coverage. At your discretion, please consult with an attorney at your own expense for specific advice in this regard.