As cyber incidents grow more sophisticated and frequent, public companies are encountering increased scrutiny from the SEC (Securities and Exchange Commission), especially around cyber incident response procedures and disclosures. Following the release of cybersecurity disclosure rules in 2023, the SEC has ramped up enforcement efforts. This year, it also announced the creation of a Cyber and Emerging Technologies Unit.
“We’ve seen a growing number of SEC enforcement actions tied to how companies handle disclosures related to cyber incidents,” said Meredith Brown, head of U.S. cyber and E&O, QBE North America. “Given the increasing regulatory scrutiny, it’s critical for companies to regularly review and refine their cyber incident response plans and disclosure processes to ensure compliance.”
The heightened enforcement has many public companies asking how their insurance coverage would respond — especially as cyber incidents become more complex. Some carriers, like QBE, are stepping up with coverage enhancements designed to address this uncertainty.
“Traditional cyber policies typically tie regulatory actions to specific privacy events,” Brown said. “The trigger is usually a violation of a privacy regulation, but SEC regulations are not privacy regulations.”
This creates an avenue for enforcement around cyber events that are not contemplated by cyber policies. As the SEC steps up its enforcement activity, more insureds are likely to submit these types of claims. Many of these claims could also have a D&O component, since SEC actions often name an individual.
“While D&O policies may cover certain exposures, they often don’t address the associated risks and there could be a gap in coverage depending on the focus of the enforcement action,” Brown said.
With more scrutiny from the SEC, public companies must enhance their risk management efforts — especially in the immediate aftermath of a cyberattack.
While many companies already have incident response plans – in addition to cybersecurity professionals and attorneys who are well versed in breach response – they should consider bringing in legal experts who have experience with SEC disclosure requirements.
External counsel can help ensure accuracy in disclosures and reduce the risk of increased regulatory attention. This support is especially valuable given the relatively recent and still-evolving nature of the SEC’s rules.
Companies should also closely monitor emerging technologies, as the SEC appears to be poised to pursue these types of investigations. As organizations adopt new digital tools, their risk exposure grows and so must their preparation.
“The SEC announced a Cyber and Emerging Technologies Unit to help protect retail investors,” Brown said. “Their focus includes compliance in the use of emerging technologies like Artificial Intelligence.” She added, “This move reinforces the need for companies to strengthen their incident response frameworks and ensure the proper disclosure of cybersecurity incidents.”
To help companies navigate this increasingly complex environment, QBE has introduced two new coverage enhancements.
The first is an SEC Disclosure Costs Coverage. This enhancement covers costs associated with engaging external legal counsel to advise on post-cyberattack compliance with SEC regulations. This coverage is “crucial,” Brown explained, because legal experts with SEC experience can help companies understand exactly what is required by the SEC post-incident.
The second is an Enhanced SEC Regulatory Coverage. This enhancement provides coverage for violations of SEC regulations—addressing a gap in traditional cyber policies, which typically only cover privacy-related regulatory violations.
“This enhancement directly addresses that gap,” Brown said. “Together, these additions help companies feel confident they have the coverage they need to protect their businesses as the SEC’s approach continues to evolve.”
The response from brokers has already been “very positive,” Brown said, indicating the market’s demand for cyber insurance solutions that better protect public companies.
To learn more, visit: https://www.qbe.com/us/cyber.
QBE makes no warranty, representation, or guarantee regarding the information herein or the suitability of these suggestions or information for any particular purpose. QBE hereby disclaims any and all liability concerning the information contained herein and the suggestions herein made. Moreover, it cannot be assumed that every acceptable risk transfer procedure is contained herein or that unusual or abnormal circumstances may not warrant or require further or additional risk transfer policies and/or procedures. The use of any of the information or suggestions described herein does not amend, modify, or supplement any insurance policy. Consult the actual policy or your agent for details about your coverage. QBE and the links logo are registered service marks of QBE Insurance Group Limited. © 2024 QBE Holdings, Inc.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with QBE North America. The editorial staff of Risk & Insurance had no role in its preparation.