Aon | Financial Services Group
It was headline news when, in October 2023, the U.S. Securities and Exchange Commission (SEC) brought a civil enforcement action against an IT software vendor and its top information security officer arising out of a data breach at that vendor. Now, the SEC has trained its sights on four of the vendor’s corporate customers, charging each of them with making materially misleading disclosures after their own IT systems were compromised by virtue of the vendor data breach. These four companies, all IT services and software providers, have agreed to pay civil penalties ranging from $990,000 to $4 million. This recent wave of SEC charges is the first to emerge out of the Commission’s investigation into the adequacy of public disclosures made by downstream victims of the data breach in question.
Although each of these four companies made relevant cyber-related disclosures – indeed, some even disclosed the data breach on Form 8-K – the SEC nonetheless found their disclosures inadequate and misleading in violation of the Securities Act of 1933, the Securities Exchange Act of 1934 (’34 Act), and related rules thereunder. The SEC further found that one of the companies in question also violated certain disclosure controls and procedures provisions of the ’34 Act and rules thereunder.
Seemingly acknowledging industry sentiment that companies affected by data breaches are victims, not villains, Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement, said in the SEC’s press release describing the charges: “[W]hile public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered.”
These charges reflect the SEC’s continued focus on public companies’ cybersecurity disclosures following its issuance of cybersecurity-specific disclosure rules last year and its enforcement activity since then.
The good news for public company insureds is that, whereas D&O policies traditionally have not covered public companies for costs they incur in their own right in responding to SEC investigations, many D&O insurance carriers are now offering so-called “entity investigation” coverage for public companies, usually for an additional premium. The terms and conditions of entity investigation coverage can differ – some require a concurrent related securities claim, some retroactively cover investigation costs in the event of a related claim, and still others do not require any related claim – but generally the coverage is reserved for government securities-related investigations of the entity. Public company insureds concerned about the potentially substantial expense of responding to such an investigation should consider purchasing this increasingly common coverage.
If you have any questions about your coverage or are interested in obtaining coverage, please contact your Aon broker.
About Aon
Aon (NYSE: AON) exists to shape decisions for the better — to protect and enrich the lives of people around the world. Through actionable analytic insight, globally integrated Risk Capital and Human Capital expertise, and locally relevant solutions, our colleagues provide clients in over 120 countries with the clarity and confidence to make better risk and people decisions that help protect and grow their businesses.
©2024 Aon plc. All rights reserved.