The cybersecurity landscape is evolving rapidly, and the recent SEC (Securities and Exchange Commission) rules have added a new layer of complexity for public companies. Jeremy King of Olshan Frome Wolosky has delved into the crucial issues surrounding cyber risk management and the implications of these rules. Below we explore the insights shared by Bloomberg Law News on how these rules are reshaping the cyber insurance industry.
Understanding the New Rules
The SEC’s latest regulations are twofold: they require the immediate reporting of material cybersecurity incidents and annual reporting on the management of material risks associated with cybersecurity threats. Under the incident reporting rule, companies must disclose significant cybersecurity incidents within four business days, with limited exceptions. This necessitates a robust cyber threat analysis and response plan, including considerations of insurance policy obligations. The annual reporting rule introduces potential liabilities for board members and executives.
Impact on the Cyber Insurance Market
The cyber insurance market has seen significant growth, with direct written cyber insurance premiums soaring from $2 billion in 2018 to over $7 billion in 2022, as reported by Fitch Ratings. However, the market has been marked by rate fluctuations, with a 15% increase in the fourth quarter of 2022 compared to 34% the previous year. This, coupled with the growing demand due to cybersecurity incidents and the uncertainty surrounding the SEC rules, has prompted public companies to proactively develop cybersecurity risk management plans that include insurance components.
Emerging Risk Management Concerns
As companies adapt to the changing landscape, several critical risk management issues emerge:
- Management Liability: While many cyber liability policies contain limited coverage for management, directors and officers (D&O) insurance policies may have language that excludes cyber-related losses. Anticipating how new management liability risks will be covered is crucial.
- Direct Losses: The new SEC rules do not define materiality for cyber risks, potentially leading to multifaceted losses. Risk management programs must address data loss, server damage, and income loss due to cyber incidents.
- Consistent Reporting: Public reporting of cybersecurity governance and risk management necessitates intra-company coordination during the underwriting process to ensure data accuracy.
- Social Engineering: Despite robust security measures, losses from scams like phishing still occur. Insurance programs should be reviewed to cover such fraud.
- Coordinated Response: Many cyber insurance products specify who will investigate and respond to an incident. Companies need to address approval for preferred vendors or pre-existing response teams in their policies.
These issues highlight the need for tailored risk management programs. As the cyber insurance market matures to adapt to changing regulatory environments, underwriting sophisticated coverage programs is likely to become more complex.
The new SEC rules are reshaping the cyber insurance industry landscape, emphasizing the importance of a considered risk management plan. Timely advice from experienced counsel is crucial to maximize available benefits and minimize the impact of cyber incidents in this ever-evolving arena.
Source: New SEC Rules Add Challenges in Uncertain Cyber Insurance Market