We’ve reported extensively on the new SEC rules requiring disclosure of material cyber events by US public companies (see the full regulation and legal analysis of it and its implications here).
The new regulatory regime is just starting. A couple of recent examples are the 8-K disclosures filed by Caesars, which is relatively detailed and contains what we take to be an allusion to a ransomware payment, and by MGM Resorts, which essentially just refers to a brief, somewhat vague online press release, after their recent hacks.
The issue of how detailed these disclosures should be is sure to be the subject of bureaucratic and legal wrangling based on the SEC regs. Another issue now arising is potential confusion or even conflict among various insurance policies held by an insured. We wrote about this challenge in regard to D&O versus cyber coverage (read the report here). A new report is providing more detail on this topic and a warning to management in companies falling under the SEC guidelines.
“Derivative and securities-related lawsuits generally fall within a company’s directors and officers insurance program. However, D&O policies may contain language that precludes coverage for losses arising from cyber incidents or hacking. Others may include invasion of privacy within exclusionary language applying to bodily injury claims. While some cyber liability policies contain limited coverage for management, the best course is to anticipate how new management liability risks will be covered rather than litigate how current D&O policy language applies to a lawsuit…,” writes Jeremy King of the law firm Olshan in an article (read here).
The report has interesting analysis on some other issues raised by SEC-required cyber disclosures.