As companies continue to transition to digital technologies to run their businesses, cyber-related risk exposures and the severity of cyber-related incidents continue to increase. For public companies, this has translated into interesting developments in the disclosure of cyber-related governance, risks and incidents.
The evolution of disclosure
Public companies listed on a US stock exchange have an ongoing obligation to disclose information that would be material to an investor’s investment decision. For US domestic issuers, the two disclosure documents that provide the best window into a company’s financial performance, material risks and corporate governance structure, including its risk management strategy, are its annual report on Form 10-K and the proxy statement for its annual general meeting.
Take Microsoft Corp., for example. In its 10-K filed in 2010, it lumped the risk of a major cyberattack into its discussion of other catastrophic risks, such as a major earthquake, weather event or terrorist attack. Those risks took about half a page. That same year, Microsoft’s management-related risk monitoring discussion did not mention cybersecurity. Note that Microsoft was not alone in how it approached cyber-related disclosure at the time.
Fast-forward to Microsoft’s latest filings: Cybersecurity risk, data privacy and platform abuse take up four pages of the risk disclosure. Microsoft also provides robust information on how its board and management team oversee cybersecurity risks.
This approach has become common. Notably, some companies have begun to refer to cyber liability insurance in their risk discussions. A common formulation looks like this:
“Although we currently maintain errors, omissions and cyber liability insurance covering security and privacy damages, this insurance is limited in scope and subject to exclusions, conditions and limitations of coverage and may not cover any or even a substantial portion of the costs associated with any breach of our information systems or confidential information. Additionally, we cannot be certain that the insurance we currently have will continue to be available to us at rates that we believe are commercially reasonable.”
How did we get from minor references to cyber risk to several pages worth of related disclosure? Four events stand out in my mind.
The first is guidance issued by the US Securities and Exchange Commission in 2011 that expressed the regulator’s views on disclosure obligations related to cybersecurity risks and incidents.
The second is a combination of major data breaches, including a 2013 attack on Yahoo Inc. and a 2017 breach of Equifax Inc. — the credit reporting agency had $125 million in cyber liability insurance at the time of the breach, and so far the breach has cost the company about $2 billion. It was around this time that more companies began to mention cyber liability insurance in their filings.
The third event was the SEC’s 2018 update of its 2011 guidance. While the SEC provided more color around disclosure, including specifically referring to insurance, the fact that it was only guidance led to different approaches to disclosure.
Finally, not satisfied with the state of cyber-related disclosures, in March 2022 the SEC issued proposed rules that would require cybersecurity risk management, strategy, governance and incident disclosure by public companies.
Why disclosure is important
From an investor perspective, robust corporate disclosure of exposure to cyber security threats and how the company manages those threats strengthens investors’ ability to make informed investment decisions.
Securities fraud charges have been filed against some companies that have suffered cyber breaches. Plaintiffs have alleged that companies concealed known risks or vulnerabilities, and in some cases have brought lawsuits against boards and management for alleged failure to perform their oversight duties of material risks—cyber risk is a material risk that seems to permeate all industries. From a corporate perspective, robust corporate disclosure in this area, along with strong related governance practices and risk management strategies, can help provide a foundation for businesses to defend against these types of lawsuits.
Another reason why this type of disclosure is important is that it requires a company to go through the exercise of assessing its risk exposure, related processes and benchmarking against comparable companies. The benefits of this exercise include improved information and improved cyber risk management and governance processes.
What comes next?
Some public companies have already responded to the SEC’s proposed cybersecurity disclosure rules by improving cyber-related disclosures, reassessing management and board expertise, and improving governance and/or risk management controls. Those of us in the insurance and risk management industry expect cyber-related information to change in three ways.
1. Increased disclosure of cyber risks and incidents: Disclosures around cyber risks and incidents will become more detailed and specific, as investors and regulators like the SEC demand more transparency and accountability. The SEC’s proposed rules have accelerated the move for some companies and given others a road map on how to improve. As an example of the latter, Hanesbrands Inc. publicly reported that it had been subject to a ransomware attack in May 2022. Its disclosure generally followed what was prescribed in the SEC’s proposed cybersecurity disclosure rules issued a few months earlier.
2. More information on cyber risk management: Companies will disclose more information about their cyber risk management practices. The SEC’s proposed rules specifically require companies to disclose whether they have any directors with cybersecurity expertise. For those boards that do not have directors with cyber expertise, we should expect to see more discussion about how the board is informed, educated and advised on this topic. We should also expect to see more cybersecurity experts promoted to or recruited into the C-suite as chief information security officers.
3. Increased information on insurance coverage: While many companies have already begun to incorporate general cyber liability insurance information into their cyber risk discussion, we should expect to see this continue, especially as coverage limitations and exclusions in cyber liability insurance can present their own risks. However, we shouldn’t expect—nor is it a very good idea—for companies to be overly forthcoming about the details of their cyber liability insurance programs, including the actual limits they purchase. No one wants to see this otherwise good reveal turn into a target for bad actors.
Sight
As disclosure in this area continues to expand, the breadth of information available to investors, regulators, plaintiffs’ attorneys, and those of us in the risk management and insurance industries will increase. This should allow us to better assess a company’s overall risk profile to improve cybersecurity risk mitigation strategies and develop tailored cyber liability insurance programs.
Lenin Lopez is a securities attorney at Woodruff Sawyer & Co. in San Francisco. He can be reached at llopez@woodruffsawyer.com.