Editor’s note: The following is a guest article from Greg Van Houten, attorney at Haynes Boone, and founding partners at Naxo, Chris Tarbell and Dave Franzel.
The Securities and Exchange Commission’s new cybersecurity disclosure rules take effect on Dec. 18. Starting then, public companies must disclose material cyber incidents within four business days of determining that an incident is “material.”
Companies will also have to disclose, via their annual Form 10-K, information regarding their cybersecurity strategy, risk management and governance practices.
Given the public nature of those disclosures, the SEC’s heightened focus on cyber enforcement actions, and the active shareholder litigation landscape with respect to cyber incidents, it is critical that company leadership takes steps now to decrease risk and to prepare for the implementation of the SEC’s new rules.
What company officials need to worry about can change depending on what they oversee. Here are the central cyber considerations for the board, corporate officers and risk managers ahead of the new rules.
Considerations for board members
Elevate cyber to the board level
Boards should be well-informed about an organization’s cyber risk posture. Regular updates centered around well-curated cyber dashboards are excellent ways to provide engaging and informative material.
Internal or third-party cybersecurity professionals should drive these updates and be capable of synthesizing complex technical concepts for non-technical board members.
Prioritize cyber experience when considering future board additions
Having individuals on the board capable of independently evaluating cyber risk will increase the quality of decision-making with respect to cybersecurity.
The SEC’s new rules also require disclosure of board-level cybersecurity expertise, and a lack of board-level expertise could be scrutinized by the SEC and/or shareholders.
Comply with new disclosure rules
At a minimum, companies must disclose in their Form 10-Ks the “board’s oversight of risks from cybersecurity threats.”
If applicable, they must also “identify any board committee or subcommittee responsible” for such oversight “and describe the processes by which the board or such committee is informed about such risks.”
Considerations for corporate officers
Have a plan
Before a cyber incident is identified, know who needs to be called.
Who takes the lead in responding? Who are the law firms, forensic personnel, public relations, ransom negotiators and crisis management experts who may need to be brought in? How are critical decisions made and what are each person’s responsibilities?
All of this and more must be clearly documented in an incident response plan.
Test the plan
It is critical that the first time you run through an incident response plan is not on a real incident. Tabletop exercises are one of the most common ways to test incident response plans and can also be a great way to increase awareness of the cyber threat landscape among corporate leadership.
Tabletop exercises typically involve a third party simulating an impactful incident and coaching management through the organization’s incident response plan.
Iterate on the plan
Incident response plans must evolve with the cyber threat landscape, regulatory requirements and changes to corporate governance. It is important to update incident response plans on a regular basis as well as in response to incident post-mortems, new disclosure rules and major changes to organizational structure.
Considerations for risk managers
Ensure that the company’s cyber insurance application aligns with its Form 10-K cyber disclosures
Cyber insurers may deny coverage or void the policy if a policyholder’s application diverges from its SEC 10-K disclosures, on the basis that the application contains misrepresentations.
It is critical that companies ensure alignment between cyber insurance applications and disclosures.
Leverage the preventative cyber services offered by insurers
Many insurers offer preventative cyber services as a part of the premium, such as access to a cyber vulnerability alert system or complimentary cyber risk assessments.
Savvy risk managers consider those services when selecting a carrier and then make use of them, at no additional cost, after policy placement, whether as part of the incident response planning process or otherwise.
Negotiate the scope of any “war exclusion” in your policy
War exclusions are becoming less common in today’s cyber insurance marketplace, but risk managers should still carefully evaluate whether any such exclusions appear in policy proposals, as some insurers have denied coverage for cyber claims upon the premise that the breach arose out of an act of “war.”
If such exclusions are found in policy proposals, risk managers should consider negotiating for their removal or for the narrowing of their scope.
Seek your insurer’s approval of key cyber incident vendors
Companies should ensure that their key cyber incident vendors — legal counsel, IT forensics, public relations, crisis response teams and others — are pre-approved by their cyber insurer via an endorsement to their cyber policy.
Doing so will allow the company to focus on quickly responding to a cyber incident and not on whether the company’s insurer will approve their retention of a key vendor.
Identify and plug any gaps in insurance for securities or shareholder claims
The SEC’s new disclosure rules may give rise to an increase in securities and shareholder derivative claims, and so risk managers should take steps to ensure there are no gaps between the company’s directors and officers (D&O) policy and its cyber policy for such claims.
Gaps are most likely to occur if the company’s directors and officers policy has a broad cyber-based exclusion. With such an exclusion, there could be a gap for securities claims if the cyber policy excludes coverage for violations related to securities laws.
There could also be a gap for shareholder derivative suits if the cyber policy has a broad insured versus insured exclusion, to the extent shareholders constitute “insureds.”
Consider folding your insurer into your cyber incident response team
Most cyber policies forbid policyholders from admitting or assuming liability without the insurer’s written consent.
Under the SEC’s new disclosure rules, companies must scramble to issue an 8-K disclosure after a cyber incident; because those disclosures may contain statements that could be interpreted as admissions or assumptions of liability, it may be prudent to fold your cyber insurer into, and to obtain their consent with respect to, your 8-K disclosure.