VestNexus.com

Viewpoint: Cyber disclosure reset

Recently issued U.S. Securities and Exchange Commission cybersecurity rules requiring public companies to quickly disclose material cyber breaches will increase liability risks for directors and officers and could lead to narrower insurance coverage.

As we report here, under the new rules, companies must determine an incident’s materiality and file an Item 1.05 Form 8-K, generally within just four business days.

The information submitted must include the nature, scope and timing of the incident and its impact on an organization’s financial condition and operations. Companies must describe their processes for assessing, identifying and managing material risks from cybersecurity threats. They are also required to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in managing material risks from such threats. These disclosures must be included in annual reports starting Dec. 15.

These mandatory disclosure rules will have wide-ranging consequences. At the very least, compliance burdens will increase. Businesses will need to strengthen their cyber risk management plans and be prepared to assess whether their existing cybersecurity controls are adequate. They also need to review their internal processes around reporting cyber breaches and be ready to disclose material cybersecurity incidents in a very short time frame. Involving company boards and committees that are responsible for cybersecurity in these processes is critical.

Just how the changes will play out in insurance markets remains to be seen. Cyber liability accounts, which saw rates skyrocket following a rising number of ransomware attacks during the pandemic, have since seen rates stabilize. The average rate increase for cyber liability was 3.6% in the second quarter, according to a Council of Insurance Agents & Brokers survey. That was down from 8.4% in the first quarter and 26.8% in the prior year’s second quarter. Insurers also added capacity, as noted by 40% of respondents to the CIAB survey. Cyber controls have drawn greater scrutiny by insurers, and businesses have been more focused on mitigating losses, which may have contributed to the renewed interest in writing cyber liability coverage and less severe premium increases. 

Greater transparency around material cyberattacks and the risk controls deployed by companies overall could be beneficial as it will increase the amount of data available to insurers, helping them to assess and more accurately underwrite cyber risks. However, businesses will need to ensure the information they provide in their insurance applications matches the information they disclose in their SEC filings.

Meanwhile, public company directors and officers, many of whom have come under increased scrutiny for their handling of cybersecurity incidents in recent years, are more likely to be targeted by investor lawsuits. D&O liability rates continue to decrease, albeit at a more moderate pace, but this could change in response to a perceived increase in board-level risks. More coverage gaps could follow if insurers introduce additional cyber-related exclusions in D&O policies or D&O exclusions in cyber policies.

Risk managers tackling their next insurance renewals will need to ensure their organizations are prepared for the new regime and adequately protected when the next breach happens.