SEC Implements Rules on Cybersecurity and Incident Disclosure by Public Companies
The new rules could lead to increased risks of securities class actions. D&O insurance can help mitigate financial risks.
April 9, 2024
In July of 2023, the Securities and Exchange Commission (SEC) adopted rules requiring public companies to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy and governance.
The new rules require registrants to disclose, under new Item 1.05 of Form 8-K, any cybersecurity incident they determine to be material and to describe the material aspects of the incident's nature, scope and timing, as well as its material impact or reasonably likely material impact on the company, including its financial condition and results of operations. The materiality determination must be made without unreasonable delay after discovery of the incident, and an Item 1.05 Form 8-K is generally due four business days after that determination is made. The only permitted delay is where the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing.
The new rules also add Regulation S-K Item 106, which will require public companies to describe their processes, if any, for assessing, identifying and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant's annual report on Form 10-K.
Why Do the SEC Cyber Disclosures Matter to Public Companies?
The SEC’s implementation of new cyber disclosure rules marks a significant step in addressing the growing importance of cybersecurity in the realm of corporate governance and investor protection. These rules require public companies to provide more comprehensive and transparent disclosures regarding their cybersecurity risks and incidents. By mandating clearer communication about cybersecurity matters, the SEC aims to enhance market transparency, facilitate informed investment decisions and bolster cybersecurity resilience across industries.
However, the introduction of these new cyber disclosure rules also raises concerns about potential legal ramifications, including the risk of triggering securities class action lawsuits. The expanded disclosure requirements expose companies to greater scrutiny regarding their cybersecurity practices and the adequacy of their risk management measures. Inadequate or misleading disclosures could potentially lead to allegations of securities law violations, such as misrepresentation or omission of material information, thereby laying the groundwork for securities class actions.
One area of particular focus is the potential for discrepancies between a company's public disclosures and the underlying reality of its cybersecurity posture. If investors perceive that a company has downplayed or obscured the severity of cybersecurity risks or incidents, they may pursue legal action alleging violations of securities laws. Plaintiffs in securities class actions could argue that they suffered financial losses due to the company's failure to disclose material information about cybersecurity vulnerabilities, breaches or regulatory investigations.
Moreover, the SEC's cyber disclosure rules may prompt plaintiffs' attorneys to scrutinize companies' cybersecurity disclosures more closely, searching for discrepancies or inconsistencies that could serve as the basis for litigation. As a result, companies face heightened pressure to ensure the accuracy and completeness of their cyber-related disclosures, as any perceived deficiencies could potentially expose them to legal liability and reputational damage.
How Can Public Companies Mitigate the Risk of These Types of Securities Class Action Suits?
To mitigate the risk of securities class actions stemming from the SEC's new cyber disclosure rules, companies must prioritize transparency, diligence and compliance in their cybersecurity reporting practices. This entails conducting thorough risk assessments, implementing robust cybersecurity controls and incident response protocols, and providing clear and timely disclosures to investors about material cybersecurity risks and incidents. Because the four-business-day clock starts at the materiality determination rather than at discovery of the incident, incident response plans should define who escalates an incident for that determination and how quickly, so that the determination itself is not unreasonably delayed. Companies should also seek guidance from legal and cybersecurity experts to ensure compliance with regulatory requirements and to minimize exposure to litigation risks.
The Lifecycle of a Securities Class Action and How D&O Insurance Comes into Play
Securities class actions represent a complex legal process that typically unfolds in several stages, each with its own set of challenges and considerations. The lifecycle of a securities class action often begins with an event that triggers allegations of securities law violations, such as misrepresentation or omission of material information by a company. Following this trigger event, plaintiffs, often shareholders, file a lawsuit against the company, alleging that the actions or disclosures of the company and its executives have caused financial harm. This initiates the litigation phase, during which both parties engage in extensive discovery, motion practice and potentially settlement negotiations or trial proceedings.
During the early stages of a securities class action, the company's directors and officers may face significant personal exposure to liability. Allegations of wrongdoing often extend beyond the corporation itself to individual executives, who may be accused of breaching their fiduciary duties, engaging in insider trading or making false statements to investors. Directors and officers' liability insurance (D&O insurance) can play a crucial role in mitigating the financial risks associated with these allegations. D&O insurance provides coverage for legal expenses, settlements and judgments arising from claims against directors and officers, offering them a measure of protection against personal financial loss.
As the securities class action progresses, the company and its directors and officers may face mounting legal costs and potential liabilities. D&O insurance can help by providing access to experienced defense counsel and covering the expenses associated with defending against the allegations. This includes costs related to responding to subpoenas, attending depositions and preparing expert witness testimony. Moreover, D&O insurance policies may offer coverage for settlement payments or judgments entered against directors and officers, thereby safeguarding their personal assets and financial well-being.
Settlement negotiations often represent a pivotal juncture in the lifecycle of a securities class action. Companies and their insurers may weigh the costs and uncertainties of continued litigation against the potential benefits of reaching a settlement. D&O insurance can facilitate these negotiations by providing financial resources to fund settlement payments within the policy limits. Additionally, D&O insurers may contribute valuable expertise and insights into the evaluation of settlement proposals, helping directors and officers make informed decisions about resolving the litigation.
Ultimately, the resolution of a securities class action can take various forms, including dismissal, settlement or judgment following trial. Throughout this process, D&O insurance serves as a critical risk management tool, enabling directors and officers to fulfill their duties without fear of personal financial ruin.
Get Help with Public Company D&O Coverage
Today’s complex, litigious and often unpredictable business environment puts even the most experienced and dedicated executives at risk. If you are asking “Is our company aware of our potential securities class action risk exposure?” or “How much D&O coverage is enough?”, we can help. Hylant’s executive risk experts offer cost-effective programs tailored to your organization’s risk management needs, helping you confidently lead your company.
The above information does not constitute advice. Always contact your insurance broker or trusted advisor for insurance-related questions.