On July 26, 2023, the SEC announced its adoption of rules requiring registrants to disclose material cybersecurity incidents they experience (generally, within four business days after determining that such an incident is material) and to make annual disclosures concerning their cybersecurity risk management, strategy, and governance. Although the SEC acknowledged that “many public companies” already provide “cybersecurity disclosure to investors,” its adoption of a new rule that specifically requires cybersecurity disclosures underscores the significant attention being paid to the issue.

Cybersecurity exposures have become increasingly significant for companies and their directors and officers (D&Os). The focus of consumers, shareholders, and government bodies on corporate cybersecurity practices, data breaches, and related public disclosures evidences that cyber exposure is a D&O risk. In the U.S., for example, the former chief information security officer (CISO) of a ride-hailing company recently was sentenced to three years’ probation and a $50,000 fine in a data breach-related federal criminal case. By way of further example, an IT management software company and its D&Os (including its CISO) have been embroiled in state and federal court shareholder litigation asserting securities and derivative claims arising out of a data breach, with the company and other defendants recently agreeing to settle a securities class action for $26 million and the company disclosing that it and certain of its current and former officers and employees (including its CISO) had received Wells Notices from the SEC.

In light of the enhanced cybersecurity exposures that companies face, including those described above, buyers should work with an experienced insurance broker to optimize individual coverage for D&Os (including their CISOs) in the event of, among other things, a data breach, cyber-related shareholder litigation, and cyber-related government investigations and lawsuits.

Aon is not a law firm or accounting firm and does not provide legal, financial or tax advice. Any commentary provided is based solely on Aon’s experience as insurance practitioners. We recommend that you consult with your own legal, financial and/or tax advisors on any commentary provided by Aon. The information contained in this document and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity.