Cybersecurity continues to represent a significant potential source of directors’ and officers’ (“D&O”) liability risk. As Environmental, Social, and Governance (“ESG”) considerations move to the forefront of organizations’ current and future risks, regulators and investors increasingly view cyber-related risk as their top issue in the “G” pillar of ESG. This focus has led to increased regulatory scrutiny and to governance requirements being weighed and implemented both in the U.S. and globally, and this exposure will only grow in the coming years.
On the regulatory front, on March 9, 2022, the SEC proposed rules aimed at enhancing disclosures made by public companies regarding their cybersecurity risk management, governance and incident reporting. The proposed rules follow cybersecurity disclosure guidance that the Commission previously issued in 2011 and 2018 and center on increased disclosures regarding two key elements: (1) governance and oversight of cyber risk and (2) material cybersecurity incidents.
In addition, companies must consider potential shareholder litigation arising from a cyber event, reflecting the shifting “event-driven” securities litigation landscape. Further, recent Delaware court decisions suggest growing legal scrutiny of boards of directors’ oversight responsibilities that could have important implications for directors’ duties involving cyber-related risks.
The Proposed SEC Rules
Prior to the proposed rules, the SEC had already brought several enforcement actions against companies based upon cyber-risk-related disclosure issues. If adopted, the proposed rules would significantly expand public companies’ cyber risk disclosure obligations relating to both cyber incidents and governance and oversight.
Disclosure of Material Cybersecurity Incidents
The proposed rules would require SEC registrants to file a Form 8-K disclosing certain information about a cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident. The required information includes: when the incident was discovered and whether it is ongoing; a brief description of the nature and scope of the incident; whether any data was stolen, altered, accessed, or used for any other unauthorized purpose; the effect of the incident on the registrant’s operations; and whether the registrant has remediated or is currently remediating the incident.
In addition, the proposed rules would require that companies disclose any material changes, additions or updates to information disclosed in a prior Form 8-K regarding a cybersecurity incident in their subsequent Form 10-Q or 10-K filings. For example, companies would have to provide updates on any material current and potential future impact of the incident on the company’s operations and financial condition. The proposal would also require reporting of individually immaterial cybersecurity incidents that become material in the aggregate.
Disclosure of Cybersecurity-Related Risk Management, Strategy and Governance
Finally, the proposed rules would require that companies disclose information regarding cybersecurity oversight and governance. The proposed rules would require companies to disclose policies and procedures to identify and manage cybersecurity risks. In addition, the proposed rules would require disclosure of cybersecurity related governance including: the board’s oversight of cybersecurity risks, information regarding the board’s cybersecurity expertise, a description of management’s role in assessing and managing cybersecurity risks and the relevant expertise of management and its role in implementing the company’s cybersecurity policies, procedures and strategies.
The newly released rules are in proposal phase and could change from their current form or fail to be implemented entirely. Regardless, the earlier enforcement actions and ongoing commentary by current Commissioners show that cyber risk sits at the top of the Commission’s priorities.
Event-Driven and “Caremark” Liability
Early cyber-related securities actions were brought as derivative actions and were largely unsuccessful. However, in recent years there have been at least twenty federal securities class actions filed after cybersecurity or privacy incidents. Unlike many of the early actions, these followed a drop in share price after disclosure of the incident. While companies have succeeded in obtaining dismissals in some of these cases, a few have resulted in significant settlements, motivating the plaintiffs’ bar to continue filing such actions whenever a share price loss follows a major cyber incident.
In addition, Delaware courts have recently issued several decisions regarding boards of directors’ oversight responsibilities that suggest growing legal scrutiny of board oversight and could have important implications for directors’ duties involving oversight of cybersecurity. These decisions held that claims alleging a failure of oversight can proceed if shareholders can establish that a board failed to establish reporting systems for, or failed to respond to red flags about, “mission critical” regulatory risks. Given the severity of recent cybersecurity and privacy events and the proliferation of privacy-related regulations in jurisdictions worldwide, cybersecurity and privacy are now also “mission critical” to many companies’ business operations.
The implications of this evolving regulatory and litigation landscape are many, but two rise to the forefront: (1) the importance of determining what constitutes materiality for an organization and (2) the emergence of cybersecurity as the primary concern in the “G” of ESG and the corresponding importance of oversight. As cyber risk governance continues to gain importance to regulators and investors, it will be critical for companies to understand the potential impacts of cyber risks on their results of operations and financial condition and to connect cyber risk to the organization’s overall business strategy.
The SEC’s proposed rules would require organizations to determine whether a cyber incident is material and, once that determination is made, to report it within four business days; the proposal also expects the materiality determination itself to be made without unreasonable delay. While an organization can conduct such an assessment after a cybersecurity incident occurs, it can take weeks, months or even years to determine the full impact of an incident. In order to prepare for the potential new SEC rules, it is therefore imperative that organizations estimate the potential financial impacts of cyber risks, and the materiality of such events, before an incident occurs. Advance assessment, quantification and understanding of potential cyber losses will be crucial to compliance. Such quantification allows an organization to express the potential impact of such events in financial terms, and thus to identify the point at which losses become material to the organization: does a one-in-20-year, one-in-50-year or one-in-100-year data breach exceed the organization’s materiality threshold? When an incident then occurs, leadership can relatively quickly assess the potential implications to the business and the potential financial losses, and determine whether the event meets the reporting requirements of the proposed SEC rules.
Finally, to avoid executive liability exposure, it is critical to demonstrate oversight of “mission critical” risks. Organizations should undertake advance financial assessment and quantification of cyber risk, both as a diligence mechanism and to provide a defensible line of sight into the degree of risk. Further, it is increasingly important that organizations factor such risks into their risk-capital decisions, particularly with respect to Side A D&O insurance programs.
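The return-period framing above (does a one-in-20, one-in-50 or one-in-100-year event exceed the materiality threshold?) can be made concrete with a simple frequency/severity Monte Carlo. The following is an added illustration, not the article’s own method or data: it assumes a Poisson annual incident count and a lognormal per-incident loss, and every parameter value and the materiality threshold are placeholder assumptions that an organization would replace with its own calibrated figures. It shows how annual loss samples turn into return-period loss levels and a pass/fail screen against the threshold.

```python
"""Toy cyber loss quantification: compare return-period annual losses with a materiality threshold.

Added illustration, not from the original article. The frequency/severity model and every
numeric parameter below are assumed placeholders, not calibrated data.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class LossModel:
    annual_frequency: float   # assumed mean number of incidents per year (Poisson)
    severity_median: float    # assumed median loss per incident (lognormal), currency units
    severity_sigma: float     # assumed lognormal dispersion of the per-incident loss


def sample_poisson(rng: random.Random, lam: float) -> int:
    """Knuth's multiplicative Poisson sampler; adequate for the small rates used here."""
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(model: LossModel, years: int, seed: int = 1) -> list[float]:
    """Monte Carlo: each simulated year's loss is the sum of its per-incident lognormal losses."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        incidents = sample_poisson(rng, model.annual_frequency)
        total = sum(
            (rng.lognormvariate(math.log(model.severity_median), model.severity_sigma)
             for _ in range(incidents)),
            0.0,
        )
        annual.append(total)
    return annual


def return_period_loss(annual_losses: list[float], return_period: int) -> float:
    """Loss exceeded with annual probability 1/return_period, i.e. the (1 - 1/T) quantile."""
    ordered = sorted(annual_losses)
    rank = math.ceil((1.0 - 1.0 / return_period) * len(ordered)) - 1
    return ordered[min(max(rank, 0), len(ordered) - 1)]


def exceedance_probability(annual_losses: list[float], loss: float) -> float:
    """Empirical probability that a simulated year's total loss is at least `loss`."""
    return sum(1 for x in annual_losses if x >= loss) / len(annual_losses)


def materiality_screen(annual_losses: list[float], threshold: float,
                       return_periods=(20, 50, 100)) -> dict:
    """For each return period, report the loss level and whether it crosses the threshold."""
    screen = {}
    for period in return_periods:
        level = return_period_loss(annual_losses, period)
        screen[period] = {"loss": level, "material": level >= threshold}
    return screen


if __name__ == "__main__":
    # Placeholder parameters (assumed, not calibrated): 0.3 incidents/year,
    # median incident cost 2,000,000, wide dispersion; threshold 5,000,000.
    model = LossModel(annual_frequency=0.3, severity_median=2_000_000, severity_sigma=1.2)
    losses = simulate_annual_losses(model, years=20_000)
    threshold = 5_000_000  # assumed materiality threshold set by the organization
    for period, row in materiality_screen(losses, threshold).items():
        print(f"1-in-{period}-year loss: {row['loss']:,.0f}  material={row['material']}")
```

The threshold itself is a governance input (the same one used for financial-statement materiality), not an output of the model; the model only tells leadership which return periods cross it, which is what the quick post-incident assessment discussed above needs to have ready in advance.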