It’s possible neither your D&O insurance nor your cybersecurity coverage will provide protection if shareholders, armed with insight from your company’s disclosures under the Securities and Exchange Commission’s new cyber rule, sue after a breach, insurance specialists say.
The plaintiffs’ bar sees the SEC’s cybersecurity disclosure rule, published earlier this month, as a roadmap for shareholder lawsuits against company leadership if there’s a security incident, the specialists say.
In its two headline features, the rule requires disclosure of a breach four days after the company decides it was material and periodic disclosures on what the company is doing to stay secure.
In this new environment, in addition to wrestling with the aftermath of a breach, the company’s leadership will now have to contend with the increased likelihood of shareholders filing a duty of care claim if the company’s posture doesn’t match up with what it disclosed to the SEC.
“The plaintiff bar is drooling,” Kelly Geary of EPIC Insurance Brokers & Consultants, told Bloomberg Law. “They’re like, ‘when does this go into effect?’”
“Any time you have more disclosure you’ll have plaintiffs scrubbing, looking for more claims,” Noelle Reed of Skadden, Arps, Slate, Meagher & Flom said in a Professional Liability Underwriting Society conference shortly after the SEC rule was proposed, Insurance Journal reported.
It will vary by policy if the company’s cybersecurity coverage or its D&O insurance, which covers directors and officers for errors and omissions, will provide protection if SEC disclosures are used as grounds for a claim. But the SEC’s rule is likely to make insurance carriers take a new look at what they will and won’t cover.
“Public companies may soon find themselves in the ‘worst of both worlds,’ where neither cyber nor D&O policies pay for legal bills over SEC investigations and investor lawsuits,” Steven Weisman of McCarter & English said in the Bloomberg Law report.
Many companies can expect to find their D&O policies have exclusions for cyber-related incidents and at the same time their cyber policies have D&O-related exclusions, Arturo Perez-Reyes, senior vice president and cyber strategist at Newfront Insurance, said in a Business Insurance report.
“There’s been a hole that’s opening up between cyber and D&O policies, and this will widen the gap,” he said.
At the same time, many cyber policies already exclude violations related to securities laws, so a policy that would cover a breach might not provide coverage if shareholders sue on the basis of the SEC disclosure.
“Some policies contain exclusions relating to the violations of various securities laws,” a WTW analysis says.
That makes the SEC rule especially an issue for companies, Weisman said.
“Some cyber policies cover fines and penalties from the FCC, the FTC, and state regulatory agencies, but not the SEC,” he said.
In this new environment, general counsel will want to look carefully at their company’s policies when they come up for renewal, because insurers are likely going to add exclusions if they don’t already have them or hike premiums to cover a case in which shareholders use the SEC disclosures to go after company leadership.
“It may be necessary to amend such exclusion so as not to apply to this regulation,” the WTW analysis says.
“There may be an incentive for D&O insurers to not want to insure that risk or to only insure that risk for additional premiums, so we might start to see more cyber exclusions,” David Cummings of Reed Smith said in the Bloomberg report.
Companies have already seen a 100% increase in cyber insurance premiums since just 2019, according to Upguard.
“The costs of premiums have shot up,” the company reports, “rising almost 100% between 2019 and 2022, largely due to the increasing threat from ransomware.”