Materiality Matters: D&O Insurers Seek Clarity On SEC Disclosure Rules

April 15, 2024

The U.S. Securities and Exchange Commission adopted final rules almost a year ago in July 2023 requiring public companies to disclose both material cybersecurity incidents and material information regarding their cybersecurity risk management. However, for directors and officers and their insurers, questions remain about how to actually define a material incident.

“What is material?” asked Rita Perez, head of financial lines claims, North America, at AIG. “We don’t know what the answer to that is, and I think that’s where the insurance industry is struggling too from a coverage standpoint.”

Perez was speaking on a panel about the regulatory landscape and D&O coverage at the Professional Liability Underwriting Society’s 2024 D&O Symposium in New York City.

“I think in my experience since I joined private practice as a former regulator, what I’m observing is people really struggling with making materiality determinations because it’s not always a quantitative assessment,” said Aliceson Kristina Littman, partner at Willkie Farr & Gallagher LLP.

Prior to joining private practice, Littman served as chief of the Crypto Assets and Cyber Unit in the Division of Enforcement of the SEC, where she said companies were struggling to define the materiality of an incident even prior to the new disclosure rules.

“Certainly, when I was at the SEC and I was talking to defense counsel, we were investigating a company for a failed disclosure, and they would always argue, ‘Oh, well this is a system that’s only used by this one business line, and that business line is a very small part of our revenue,’” she said. “And I would say, ‘I don’t think that matters that much. We’re talking about data relating to children.’ So if it’s a qualitatively material incident because of the nature of the information that’s compromised, we may still need to make a disclosure. And I think that’s where those assessments just get really tricky.”

Litigation Volatility

The SEC rules, originally proposed in March 2022, not only require disclosure within four days of any cybersecurity incident a public company believes is material in nature, scope, timing and impact, but the rules also require public companies to describe their process for assessing, identifying and managing cyber risk, as well as the likely effects of a cyber incident on their company. This also means that companies will be required to describe their board of directors’ and management’s role in overseeing cyber risks.

Erik Gerding, director of the Division of Corporation Finance at the SEC, said in December remarks that the aim of the rules is to provide investors with timely, consistent, and comparable information about an important set of risks that can cause significant losses to public companies and their investors.

But the insurance industry sees challenges on the horizon.

Jim Rizzo, product leader for U.S. D&O and executive risks at Beazley, predicted last year on The Insuring Cyber Podcast that for D&O insurers, the rules may create potential volatility in the form of litigation.

“I foresee underwriters sounding a little bit more like cyber underwriters in their meetings with the types of questions that we have to ask to get a better foundation and understanding of how our insureds are prepared both pre- and post-event,” he said, adding that companies could likely be scrutinized for their pre-event posture, their post-event disclosures, as well as the handling of the event itself. “All of these critiques will come from the benefit of hindsight, which can result in material litigation expense for our insureds as well as the carriers.”

Littman echoed these thoughts, adding that the SEC is likely to pursue cases against individuals at an increasing rate to drive corporate accountability around these issues.

“I think there’s a general view at the SEC right now among the leadership there that cyber incidents at public issuers – all companies really – are under-disclosed and that there are more incidents than investors know about and that investors are hearing about,” she said. “This isn’t new, but it’s certainly true of the current administration. This kind of perennial view that individual accountability drives corporate accountability.”

She said more companies are likely to see multiple SEC actions with charges brought against individuals.

“The view is that if you start bringing charges against individuals, you really start to effect change because if individuals think that their own neck is on the line then they might be more inclined to do a better job,” she said. “I do think they’re always looking for individuals. I mean that’s kind of the unfortunate reality, and I think you’re going to hear a lot of CISOs making sure that their D&O policies are effective.”

Defense Costs

Perez said, however, that liability itself ultimately shouldn’t be the main question from a D&O carrier standpoint. “It’s the defense cost exposure,” she said. “You can easily eat through a primary policy with defense costs alone and probably go up the tower with defense costs alone.”

She said particularly in the regulatory space when an individual’s ability to find future employment or the likelihood of criminal charges is being questioned, cases are typically more heavily defended.

“You have multiple law firms, with each individual represented by a different firm and ensuring that they are adequately represented by appropriate defense counsel. These conflicts often cost a lot,” she said. “You have sometimes, with large public companies, 10 or 12 different firms involved in defending these SEC investigations, which gets really, really expensive. That just increases the cost astronomically.”

This means determining adequate coverage is important, she said.

“It’s really important that insureds and CISOs are working closely with their brokers and with their advisors on figuring out what exactly they have purchased,” she said. “It’s less about what coverage they have and more about making sure they understand what coverage they have in advance of the issue arising. Because I think what we find in the claims arena is that CISOs often think they have coverage for things that they don’t, and that comes as a surprise to them because they’re not thinking about it in advance of the issue.”

Whether coverage is available for a regulatory investigation depends on whether it’s a public or private company form, she said, adding that there is generally not coverage available in a public company form without the purchase of additional coverage or an endorsement. With respect to individuals, either type of policy will generally provide defense cost coverage for the regulatory investigation, she said.

Pre-inquiry coverage is also available, meaning an individual can gain some defense cost coverage from the time they start becoming a target of an investigation, she added.

Staying Prepared

Indeed, Rizzo said on The Insuring Cyber Podcast that the best way to avoid these extra expenses is to be prepared, engage experts, and examine the company’s suite of products to ensure there aren’t any coverage gaps. “Hopefully, this will improve the overall cyber posture and risk management practices of our clients,” he said.

Panelists at PLUS D&O echoed these thoughts.

“I’ll say, in practice, I kind of didn’t expect [the rules] to change much,” Littman said. “But I have observed – at least among my clients when they have an incident, or even when they don’t have an incident but a vendor that they work with has an incident or someone that they provide services to has an incident – I’ve seen an uptick in the internal process around assessing materiality and making sure that, first of all, they’re approaching it from the right mindset because assessing materiality is difficult in these circumstances a lot of the time, but also that they’re documenting it internally (and) appropriately.”

While determining materiality is proving to be a challenge, she said a silver lining is that these questions are making insurers and insureds think more carefully about the cyber procedures and coverage they have in place to protect themselves.

“[The SEC does] want you to make that determination without unreasonable delay. I don’t think anyone wants to be the poster child for what that means. So I recommend trying hard to figure out if something is material as quickly as you can and determining whether or not to make a disclosure,” she said. “It does make companies a little more introspective and make sure that they have adequate programs in place so that if they’re hit with a cyber incident, they have internal policies to assess the incident, determine the materiality, and assess whether or not they need to make a disclosure.”