Aon  |  Financial Services Group
SEC’s Enforcement Action Further Underscores Cyber Risks

Release Date: November 2023

In July 2023, the U.S. Securities and Exchange Commission (SEC) adopted new cyber-related disclosure rules, and the Financial Services Group at Aon discussed the increasing cybersecurity risks that companies and their directors and officers (D&Os) face. Many of these risks have materialized in a recent case against a network management software company (the Company).

In 2019, the Company fell victim to what the U.S. Government Accountability Office deems “one of the most widespread and sophisticated hacking campaigns ever conducted against the federal government and private sector” – a “campaign of cyberattacks” that was “perpetrated by the Russian Foreign Intelligence Service” and that compromised nearly 18,000 customers’ systems.

These cyberattacks and the claims that followed have spotlighted significant D&O exposures tied to cybersecurity, the importance of cyber-related controls to minimize such risks and the role that insurance can play to further manage these risks, including for professional service firms.


Cyber Risk Remains D&O Risk

Our prior update discussed the Company’s public disclosure that the SEC staff had issued Wells Notices to the Company and several of its D&Os, including its chief information security officer (CISO), alleging federal securities laws violations arising out of the cyberattacks. On October 30, 2023, the SEC sued the Company and its CISO in federal court in Manhattan, evidencing the Commission’s authorization of the civil enforcement actions contemplated in the Wells Notices.

The SEC’s enforcement action against the Company and its CISO is notable for several reasons. According to the Wall Street Journal, the action marks the first time that a securities regulator has brought civil fraud claims against a public company over a cyberattack. Moreover, it has been unusual for public company CISOs, as opposed to chief executive and chief financial officers, to be targeted by the government in securities enforcement activity.

Equally notable are the federal securities laws violations that the SEC alleges. The SEC’s complaint asserts certain claims under oft-used Section 17(a) of the Securities Act of 1933, Section 10(b) of the Securities Exchange Act of 1934 (Exchange Act) and Rule 10b-5 thereunder, and Section 13 of the Exchange Act and various rules thereunder. Less typical, however, are the SEC’s claims that:

  • The CISO aided and abetted each of the company’s alleged violations based on (among other things) his statements, internal company communications, and allegedly false sub-certifications that senior management relied on in connection with the company’s periodic SEC reporting; and

  • The company violated Section 13(b)(2)(B) of the Exchange Act and Exchange Act Rule 13a-15(a) by failing to devise and maintain sufficient internal accounting controls concerning access to the company’s assets and sufficient internal disclosure controls concerning accumulation and upward reporting to senior management of information required to be reported in the company’s SEC filings.

In announcing the SEC’s lawsuit, the Director of the SEC’s Division of Enforcement ominously warned that the action not only targets the specific named defendants for their alleged violations of law, but also more broadly “underscores [the SEC’s] message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”

This SEC admonition and enforcement action, the new cyber disclosure rules and the other cyber-related D&O claims that have been brought accentuate the fact that cyber risk is D&O risk. To manage that risk, insureds are encouraged to regularly audit their D&O liability policies, considering their organizational documents’ indemnification provisions and indemnification agreements with any D&Os. In conducting such a D&O policy audit, insureds should consider which D&Os are identified as “Insured Persons,” the definition of which may vary from policy to policy. Dedicated Side A policies should be considered and reviewed in detail as well. Moreover, in light of the SEC’s internal control claims described above, insureds should be prepared to respond to insurance underwriters’ questions regarding cyber-related internal controls. An experienced broker can help navigate these issues and aid in optimizing coverage for cyber-related D&O claims.


Cyber Risk Remains a Substantial Exposure in Its Own Right

With the SEC’s adoption of its new cyber disclosure rules, companies are now required to file current reports on Form 8-K to disclose (generally within four business days) certain information concerning material cybersecurity incidents. The new rules also will require companies to disclose information regarding their cybersecurity risk management and associated strategy in their annual Form 10-K filings. Among other things, the rules will require that such disclosures include information about the company's processes for managing cybersecurity threats and whether risks from cybersecurity threats have materially affected the company. The new rules also will require disclosure of information about a company's cybersecurity governance, including management and board oversight of cybersecurity practices. The SEC will also require covered foreign companies to make comparable periodic disclosures.

In formulating cybersecurity risk management strategies, the new 10-K disclosure rules will require companies to assess:

  • Whether they have processes for the assessment, identification, and management of material risks from cybersecurity threats.
  • Whether and how these processes have been integrated into the company's overall risk management system or processes.
  • Whether the company engages assessors, consultants, auditors or other third parties in connection with such processes.
  • Whether the company has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.

Companies should consider reviewing their incident response plans to ensure that the new disclosure rules are reflected in those plans. In addition to assessing incident response risk management, companies will need to assess their corporate governance in connection with cybersecurity. The new 10-K disclosure rules will prompt companies to assess, among other things:

  • Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members.
  • The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents.
  • Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.

Given the heightened attention to both cybersecurity risk management and cybersecurity governance, companies should also assess their risk transfer practices. Companies should assess whether their cyber insurance program is adequate from a coverage and limits perspective and whether their D&O insurance adequately protects D&Os from cyber-related risks. Companies should also assess vendor contracts for cybersecurity incident protections and risk transfer obligations. Discussions with your organization's insurance broker can be essential to ensuring that insurance assets are part of and tailored in line with the company's cybersecurity risk management strategy.


Cyber Risk Remains an Important Consideration for Professional Service Firms

Most professional services firms, being privately held, might consider themselves substantially immune from SEC regulations and the type of actions discussed above. However, in many ways their situation is similar to the public companies that have faced cyber-related D&O litigation. Senior management have the same responsibility to their owners, stakeholders and clients: to appropriately secure the business against threats, of which cyber threats are among the most pressing.

In addition to this responsibility, professional services firms also count many SEC-regulated entities among their clients and hold those clients’ sensitive and confidential information, which they are expected to protect. This has led to some interactions with the SEC, including one in which the SEC is taking legal action against a law firm affected by a cyber breach to obtain information about impacted clients.

Executives of professional service firms are therefore in some ways under more complex and onerous professional obligations than the D&Os of the corporations they serve. They must manage the cyber risk of their own organization and also understand and deal with broader cyber risk that has implications for their clients and the SEC. Cyber risk, therefore, is Management Liability risk.




Contact


Discuss this article with Financial Services Group’s Timothy Fletcher and Nicholas Reider, Cyber Solutions Group’s Shruti Engstrom and Professional Services Practice’s Tom Ricketts.

Timothy Fletcher
CEO, Financial Services Group
Los Angeles



Nicholas Reider
Senior Vice President, Deputy D&O Product Leader – West
Denver





Shruti Engstrom
Senior Vice President
New York





Tom Ricketts
Managing Director
New York