Publicly traded companies are generally required to disclose information that a reasonable investor would consider important to make an investment decision. The Securities and Exchange Commission has made clear that such disclosures may include information regarding cybersecurity risks or incidents. The SEC has provided guidance on what cybersecurity-related disclosures should be made, and companies have tried to follow the SEC’s guidelines when making such disclosures following a cybersecurity incident. But to what extent must a publicly-traded company disclose information regarding its cyber insurance coverage?
SEC Guidance in Disclosures Regarding Cyber Insurance
On October 13, 2011, the SEC’s Division of Corporation Finance released CF Disclosure Guidance: Topic No. 2—Cybersecurity. See https://bit.ly/3yHGlKP. This Guidance provides the Division’s views regarding disclosure obligations relating to cybersecurity risks and cyber incidents. The Guidance acknowledges there are “no existing disclosure requirements explicitly refer[ring] to cybersecurity risks and cyber incidents, [but] a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents.” The Guidance also explains “material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.”
The Guidance points out, among other things, the risk factor disclosures required under Item 503(c) of Regulation S-K and explains that cybersecurity risk disclosures must “adequately describe the nature of the material risks and specify how each risk affects the registrant.” The Guidance specifically states that appropriate disclosures may include a description of relevant insurance coverage.
On February 21, 2018, the SEC published interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. Under the Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release Nos. 33-1049; 34-82746, the SEC elaborates on disclosing risk factors that make investments in the company’s securities speculative or risky. See Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release Nos. 33-1049; 34- (Feb. 21, 2018), https://bit.ly/3fPm11p. In evaluating risk factor disclosures, the SEC suggests companies consider, among other things, “the costs associated with maintaining cybersecurity protections, including if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers….”
The Release also discusses disclosure in management’s discussion and analysis of financial condition and results of operations, required under Item 303 of Regulation S-K and Item 5 of Form 20-F. Companies are required to discuss events, trends, or uncertainties that may have a material effect on the company’s financial condition or results of operations. The SEC explains that costs associated with cybersecurity issues, such as costs associated with implementing preventative measures, maintaining insurance, and responding to litigation and regulatory investigations, could inform a company’s analysis.
Examples of Public Disclosures Regarding Cyber Insurance
Although there do not appear to be any prior lawsuits or enforcement actions regarding disclosure of cyber insurance coverage, the SEC does indeed monitor filings for situations where disclosure of such information may be necessary. For example, on February 13, 2014, in its Registration Statement on Form S-1, Alion Science and Technology Corporation disclosed that “[a]n unauthorized party was able to gain access to our computer network in a prior fiscal year.” Alion Science and Technology Corporation, Registration Statement (Form S-1), https://bit.ly/3fTwc5j. In a March 12, 2014 letter, the SEC requested, “[s]o that an investor is better able to understand the materiality of the cybersecurity incident,” that Alion revise the disclosure and further describe its cyber insurance policy, including material limits on coverage. Letter from Pamela A. Long to Kevin Boyle (Mar. 12, 2014), https://bit.ly/3g4LW5B. In an amendment filed March 26, 2014, Alion revised its Form S-1 accordingly, explaining that Alion had a claims-made errors and omissions policy with a $10 million aggregate policy limit and a $2 million unauthorized access expense sublimit, subject to a $250,000 deductible. See Alion Science and Technology Corporation, Registration Statement (Amendment to Form S-1), https://bit.ly/3wE8OiU. Alion explained that the policy included coverage against liability arising out of a failure to protect against unauthorized access to its computer network, that the policy covered reasonable and necessary expenses incurred by Alion in connection with the incident, and that the policy was set to expire in October 2014.
The Home Depot, Inc. disclosed information regarding its cyber insurance coverage following its 2014 data breach. In its November 2, 2014 Form 10-Q, Home Depot disclosed that “[t]he Company maintains $100 million of network security and privacy liability insurance coverage, above a $7.5 million deductible, to limit the Company’s exposure to losses such as those related to the Data Breach. As of November 2, 2014, the Company has recorded a receivable of $15 million for costs the Company has incurred to date that it believes are reimbursable and probable of recovery under its insurance coverage.” See The Home Depot, Inc., Quarterly Report (Form 10-Q) (Nov. 4, 2014), https://bit.ly/34WEcxb. Subsequent filings from Home Depot would go on to provide thorough information for investors on expenses incurred and expected insurance recoveries from the data breach.
Blackbaud, Inc. is the most recent company to provide disclosures regarding its cyber insurance. In May 2020, Blackbaud fell victim to a ransomware attack. In its November 3, 2020 Form 10-Q, Blackbaud explained that it had incurred significant costs associated with the security incident, and Blackbaud began providing information on receivables for probable insurance recoveries related to the security incident. See Blackbaud Inc., Quarterly Report (Form 10-Q) (Nov. 3, 2020), https://bit.ly/3fNdVX6. Additional information was provided in Blackbaud’s more recent Form 10-K, in which Blackbaud further explained that it expects insurance to cover a substantial portion of the costs. See Blackbaud Inc., Annual Report (Form 10-K) (Feb. 23, 2021), https://bit.ly/2Te4iZS. The SEC has yet to make any public requests for additional information from Blackbaud.
Tips on Disclosing Cyber Insurance Information to the Public
A company’s entire cyber insurance policy does not need to be provided to the public, but investors should be made aware of the general coverage provided by the policy as well as the material limits to that policy. What exactly should be disclosed will vary depending on the cybersecurity incident involved. Companies should closely follow the guidance provided in the SEC’s CF Disclosure Guidance: Topic No. 2—Cybersecurity and Commission Statement and Guidance on Public Company Cybersecurity Disclosures. But the SEC’s guidance and recent companies’ disclosures following a cybersecurity incident suggest that, at a minimum, information on (1) the applicable limits of liability; (2) the deductible; and (3) a brief description of what is covered under the policy should be shared. Keeping shareholders up to date on expenses and expected insurance recoveries should also be considered.