SEC Cybersecurity Guidance: Is Your D&O Program Prepared to Respond?

The Securities and Exchange Commission has made cyber-based threats a priority. In September, under new leadership, it announced the creation of a Cyber Unit to target cyber-related misconduct. And last month, it released interpretive guidance that helps clarify the cybersecurity risk disclosure obligations of public companies.

With the release of the guidance, there’s likely to be an uptick in regulatory investigations and civil claims arising out of purported breaches of the SEC’s recommendations. And your directors and officers (D&O) liability program could play a key role in protecting your company and senior leaders.

A Call for Transparency

The SEC had previously issued guidance, in 2011, on public company cybersecurity disclosure obligations. But it did not include any clear, enforceable rules for public companies to follow.

The SEC’s new guidance still does not include specific rules, but it expands on the earlier guidance and provides more detail about the agency’s expectation that companies “disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences.”

The new guidance adds up to a call for transparency. It encourages companies to adopt policies to prevent insiders from trading on information about a cybersecurity incident before it is made public. And it says they should inform investors of the role their corporate boards play in overseeing cybersecurity risk management.

The SEC’s guidance also:

• Directs public companies to consider disclosing “previous or ongoing cybersecurity incidents or other past events in order to place discussions of these risks in the appropriate context.”
• Suggests that companies consider the costs associated with cybersecurity measures and incidents. This includes, but is not limited to, costs associated with implementing preventive measures, maintaining insurance, and loss of intellectual property when evaluating cybersecurity risk factor disclosure.
• Makes clear the agency’s expectation that “information about the range and magnitude of the financial impacts of a cybersecurity incident” be incorporated into financial statements.

The guidance is not limited to future disclosures only — it calls on companies to revise prior disclosures as well.

Insurance and Risk Implications

With the SEC now focusing more on cybersecurity disclosures at the company and board level, risk managers should:

• Work with insurance advisors to analyze current D&O programs to ensure their limits are sufficient.
• Determine the extent of regulatory investigation coverage, which is not always included in corporate D&O policies.
• Review cyber policies, making sure they have sufficient cyber coverage in place.

Senior leaders and boards should work with corporate counsel to understand and address their responsibilities under the new guidance.

Eventually, the SEC may issue more formal rules about companies’ cybersecurity disclosure obligations. Until then, if enforcement actions and litigation increase as we expect, risk professionals and boards should be ready.