February 20, 2025
Cyber Insurance and Form 8-K, Where Security Becomes A Securities Risk

With recently enacted Securities and Exchange Commission (SEC) cybersecurity incident disclosure requirements, should a cyber insurer take on the burden of mitigating SEC regulatory risk traditionally borne by Directors and Officers (D&O) insurers?
Publicly traded companies are required to file a “Current Report” on Form 8-K to provide timely notice to investors of certain events that could result in a change to the company, including any event that may have an effect on stock price. This could include certain events specified by the SEC or events that the company considers sufficiently noteworthy.[1] Typically, the report must be filed within four (4) business days after occurrence of the specified event.[2] The SEC added Item 1.05, “Material Cyber Incidents”, to Form 8-K as of July 26, 2023, and companies are now required to disclose any cybersecurity incident that they determine to be “material”.[3] While materiality is not a defined term, historically, in relation to securities law, materiality has been defined as “a substantial likelihood that the … fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.”[4]
Cyberattacks are increasing at a rapid rate, with a seventy-two percent (72%) increase in data breaches from 2021 to 2023.[5] Ransomware, or some other form of extortion, is present in approximately thirty-three percent (33%) of data breaches.[6] In 2023 alone, there were 2,365 cyberattacks impacting approximately 343 million victims and business email compromise accounted for over $2.9 billion in losses.[7]
Cybersecurity incidents can have a devastating effect on a company’s stock price, as exemplified by the SolarWinds[8] case and its progeny. Specifically, the 2023 lawsuit brought by the SEC against SolarWinds alleged that SolarWinds defrauded and misled investors by overstating its cybersecurity practices and failing to disclose known risks in its 8-K filing after suffering a two-year-long “SUNBURST”[9] cyberattack.[10] As a result of SolarWinds’ deficient Form 8-K filing coming to light, its stock price dropped twenty-five percent (25%) in two days, and thirty-five percent (35%) by the end of the month.[11]
Because of the increase in the frequency of cyberattacks and their effect on a company’s stock price, it is likely that the SEC will increase enforcement actions against companies that do not comply with 8-K disclosure requirements relating to cybersecurity incidents. On October 22, 2024, the SEC charged four additional companies “with making materially misleading disclosures regarding cybersecurity risks and intrusions[,]” which resulted from “an investigation involving public companies potentially impacted by the compromise of SolarWinds’ Orion software and by other related activity.”[12] The companies agreed to pay civil penalties as settlement of the charges in amounts ranging from $990,000 to $4 million.[13]
According to SEC Chair Gary Gensler, “‘[w]hether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors[.]’”[14] While many public companies provide cybersecurity disclosures to investors already, “companies and investors alike … would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”[15] Therefore, requiring companies to disclose this information “will benefit investors, companies, and the markets connecting them.”[16]
Companies now run the risk of additional actions from the SEC alleging that the company failed to comply with the new cybersecurity incident reporting, risk management, or governance requirements. As demonstrated by the SolarWinds lawsuit, a cyberattack has the potential to devastate a company’s stock price, with an average seven and a half percent (7.5%) decline in stock price after a data breach.[17] Further, the SEC filed 784 total enforcement actions in fiscal year 2023, a three percent (3%) increase from fiscal year 2022, including 501 original actions, an eight percent (8%) increase over the prior fiscal year.[18] This number may increase as companies are forced to adhere to the new cybersecurity incident reporting requirements.[19]
A potential obstacle to companies in complying with these new requirements is that a company has four (4) business days to file its Form 8-K, measured not from the date of the cybersecurity incident but from the date that the company determines the cybersecurity incident is “material”. However, as discussed above, “materiality” is not a defined term. Rather, companies must look to the historical definition of materiality from securities law and apply this historical definition to a modern-day cyber risk. The lack of clarity as to how this historical definition of materiality will apply to ever-evolving cyber risks may leave companies vulnerable to SEC actions.
Shareholder lawsuits arising out of data breaches and cybersecurity incidents can cost companies millions. In 2024, data breach-related securities class actions hit an all-time high, costing three companies $560 million total in settlement, which does not account for legal fees and costs.[20] Legal fees and costs incurred as a result of an SEC investigation have the potential to reach seven or eight figures.[21] D&O policies offer protection for a company and its directors, officers, managers, and board members against lawsuits.[22] On the other hand, cyber insurance provides a mix of first-party coverages for a business’s direct losses and third-party liability coverages for damages suffered by third parties, like customers who have their personal information or data compromised in a data breach.[23]
While SEC actions are generally a concern for D&O insurance, when the deficiency pertains to a cybersecurity incident, the argument becomes more complex. This is where cybersecurity becomes a securities risk. As a practical matter, cyber insurers may want to cover the initial costs of filing a Form 8-K arising out of a cybersecurity incident to help ensure that any cybersecurity incident is being discussed at the executive level. This will not only ensure a company is prioritizing appropriate response measures, but this may further encourage discussions at the C-Suite level about cybersecurity systems and adequacy. In a world where executives are constantly being asked to decrease expenses and increase profits to boost stock price, resources for cybersecurity (which are both capital and personnel intensive) must be properly prioritized. When executives prioritize cyber hygiene as an integral factor that can impact stock price, it stands to reason they will be a better risk than a company that does not. This opens the door for discussions about cyber insurers covering the initial costs associated with filing a Form 8-K, even if they exclude the additional costs and expenses that may follow.
References
[1] Kenton, William, SEC Form 8-K: Definition, What It Tells You, Filing Requirements, Investopedia (Aug. 18, 2024)
[2] United States Securities and Exchange Commission, Form 8-K, p. 3 (current through Oct. 31, 2024)
[3] Id. at 11. See also U.S. Securities and Exchange Commission, SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies (Jul. 26, 2023)
[4] TSC Industries v. Northway, Inc., 426 U.S. 438, 449 (1976)
[5] St. John, Mariah, Cybersecurity Stats: Facts and Figures You Should Know, Forbes Advisor (Aug. 28, 2024)
[6] Hylender, David, Langlois, Philippe, Pinto, Alex, and Widup, Suzanna, 2024 Data Breach Investigations Report, p. 7, Verizon Business (2024)
[7] St. John, supra Note 5.
[8] Sec. & Exch. Comm’n v. SolarWinds Corp., 2024 WL 3461952 (S.D.N.Y. July 18, 2024)
[9] “SUNBURST is the name of the malicious code injection that the hackers used to get into the SolarWinds Orion IT monitoring system code.” Oladimeji, Saheed, Kerner, Sean, SolarWinds hack explained: Everything you need to know, TechTarget (Nov. 3, 2023)
[10] U.S. Securities and Exchange Commission, SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures (Oct. 30, 2024)
[11] Id.
[12] U.S. Securities and Exchange Commission, SEC Charges Four Companies With Misleading Cyber Disclosures (Oct. 22, 2024)
[13] Id.
[14] U.S. Securities and Exchange Commission, SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies (Jul. 26, 2023)
[15] Id.
[16] Id.
[17] Huang, Keman, Wang, Xiaoqing, Wei, William, and Madnick, The Devastating Business Impacts of a Cyber Breach, Harvard Business Review (May 4, 2023)
[18] U.S. Securities and Exchange Commission, SEC Announces Enforcement Results for Fiscal Year 2023 (Nov. 14, 2023)
[19] It is unclear how this will be affected by the Supreme Court’s reversal of the Chevron Doctrine, which required courts “to defer to ‘permissible’ agency interpretations of the statutes those agencies administer—even when a reviewing court reads the statute differently.” Loper Bright Enterprises v. Raimondo, 144 S. Ct. 2244 (2024)
[20] Malmstrom, David, Data Breach Securities Class Actions: Record Settlements and Investor Claims on the Rise, Harvard Law School Forum on Corporate Governance (Aug. 21, 2024)
[21] Newell, Walker, SEC Investigations and D&O Insurance Coverage, Woodruff Sawyer (Oct. 11, 2023)
[22] Aon, Directors’ and Officers’ (D&O) Liability Insurance
[23] IBM, What is Cyber Insurance?
Meet the Author
Zachary S. Auslander serves as Product Counsel at Bowhead Specialty Underwriters and is located in the Chicago office. He focuses on the following lines of business: Professional Liability, Casualty, and Healthcare Liability. He may be reached at zauslander@bowheadspecialty.com.
News Type
PLUS Blog
Business Line
Cyber Liability