The U.S. Securities and Exchange Commission in July adopted rules that require public companies to disclose certain information about their cyber risk.
The rules, originally proposed in March 2022, require disclosure within four days of any cybersecurity incident a public company determines is material in nature, scope, timing, and impact. They also require public companies to describe their process for assessing, identifying, and managing cyber risk, along with the likely effects of a cyber incident on the company. This means companies will be required to describe the roles their board of directors and management play in overseeing cyber risk.
Compliance is required for most public companies beginning in December of this year, which has left many companies and their insurers wondering what the effect will be on the cyber and D&O landscape.
“I think the new rule in theory will help cyber insurers have a better understanding and insight into some of their book in the sense of how they are proactively managing the two parts of the rule,” said Bob Wice, head of underwriting management for Beazley’s global cyber risks division, on this episode of The Insuring Cyber Podcast.
The rule, which includes a requirement to report a cyber incident when it occurs as well as overall disclosures of public companies’ cyber risk management practices, will likely increase transparency and lead companies to focus even more on managing their cyber risk, Wice added.
“Ultimately, the goal here is to not have a claim,” he said. “You could argue that there might be less volatility as more organizations really do focus in on cyber risk management to avoid having to report an incident down the road. So ultimately, I think the goal is to have more transparency when the bad things happen, but obviously to avoid those bad days, which could level out the playing field for cyber insurers.”
However, for D&O insurers, Jim Rizzo, product leader for US D&O and executive risks at Beazley, predicts potential volatility in the form of litigation.
“I foresee underwriters sounding a little bit more like cyber underwriters in their meetings with the types of questions that we have to ask to get a better foundation and understanding of how our insureds are prepared both pre- and post-event,” he said, adding that companies could likely be scrutinized for their pre-event posture, their post-event disclosures, as well as the handling of the event itself. “All of these critiques will come from the benefit of hindsight, which can result in material litigation expense for our insureds as well as the carriers.”
The best way to avoid these extra expenses, he said, is to be prepared, engage experts, and examine the company’s suite of products to ensure there aren’t any coverage gaps.
“Hopefully, this will improve the overall cyber posture and risk management practices of our clients,” he said.
Regarding cyber coverage, Greg Van Houten, insurance recovery attorney at Haynes and Boone, said it is important for policyholders to make sure their insurance application matches what they disclose about their cyber practices under the new SEC rules, because insurers will likely be reviewing those disclosures as well.
“In the event of a cybersecurity incident, insurers will now review policyholders’ publicly available cybersecurity risk management and government practices and procedures … and they may deny coverage if the insured’s actual cybersecurity practices and procedures are inconsistent with what they disclosed in their [insurance] application,” he said.
This means that it’s important for policyholders to make sure their insurance broker assists them in ensuring consistency across both their insurance application and their cyber risk management disclosures.
“I think companies need to consider bringing their cyber insurer under the tent with respect to the disclosure required by the new SEC rules,” he said. “And I know companies are going to hesitate to bring in another actor in addition to lawyers, crisis response experts, IT experts, public relations and the like, but you have to consider the insurer if you want to preserve coverage.”
He said that, ultimately, the SEC rules will likely contribute to companies becoming more sophisticated about awareness and prevention of cyber issues as they develop more policies and devote more resources to prevention.
“You’d expect fewer claims the more companies are doing to prevent attacks,” he said. “And also the SEC’s new rules are designed to ensure that companies are not as vulnerable to cyber attacks. Now, preventing cyber attacks will be top of mind.”
Check out the rest of the episode to hear what else Bob, Jim and Greg had to say, and be sure to check back for new episodes of The Insuring Cyber Podcast publishing every other Wednesday along with the Insuring Cyber newsletter. Thanks for listening!