New SEC regulations and their implications for companies in the LAC region: new cyber risks and liabilities.

Lessons learned from the new SEC Regulations

As has been reported on extensively, on 26 July 2023, the US Securities and Exchange Commission (SEC) adopted new rules requiring public companies to disclose material cybersecurity incidents they experienced as well as providing material information on an annual basis regarding their cybersecurity risk management, strategy, and governance. These rules came into effect on 18 December 2023.

The SEC’s adoption of these new rules is generally seen as a response to the ever-present and escalating risk of large-scale cyber-attacks and the systemic effects such attacks could have on the economy, as well as to the financial impact that cybersecurity incidents can have on a company in terms of, among others, business disruption losses, ransom payments, and mitigation costs. For these reasons and more, the SEC has determined that cybersecurity incidents pose a significant risk to public companies, investors, and market participants.

As such, the SEC now requires publicly traded companies to disclose via Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact. The Form 8-K disclosure will generally be due four business days after a determination that the cybersecurity incident is material. In addition, publicly traded companies must also disclose material information regarding their cybersecurity risk management, strategy, and governance on an annual basis via Form 10-K.

These new regulations may raise a number of questions for your insureds in Latin America and the Caribbean (LAC) that are publicly traded in the US. Do these rules also apply to foreign companies listed on US stock exchanges? What makes a cybersecurity incident material? What concrete effects do these new regulations have on D&O/cyber insurance policies? We delve into these questions below.

Scope

These new reporting obligations also apply to foreign private issuers, although they must disclose via Forms 6-K and 20-F rather than 8-K and 10-K. Whether disclosure is made via 8-K or 6-K, it must cover the nature of the incident, when it happened, its scope and the predicted future material impact on the company, particularly on its financial and operational condition.

Furthermore, these new obligations require an annual disclosure of the publicly listed company’s cybersecurity risk management and strategy. As such, management’s role in assessing and managing material risks, as well as the implementation of the policies and procedures related to cybersecurity risks, will come under scrutiny when an incident occurs. This information has to be submitted via the annual 10-K (or 20-F, if applicable).

It is clear that these obligations create a new avenue of liability, and—as will be discussed further below—possible D&O exposure that foreign-based issuers may not always have top of mind. Furthermore, complying with these regulations may have a large financial impact on companies. As such, it is important to ensure that your publicly traded insureds understand and comply with these new reporting obligations so as to mitigate potential exposure.

Materiality

While the SEC rules largely leave materiality undefined, it has come to be defined by case law such as TSC Industries v. Northway, Inc., 426 U.S. 438, 449 (1976), which ruled that an incident will be considered material if “there is a substantial likelihood that a reasonable shareholder would consider it important in making investment decisions.” Any analysis should focus on the totality of information from the perspective of a reasonable investor. Given that this is inherently a subjective analysis, we can expect controversies or discrepancies to arise around the application of the materiality test. These could include SEC investigations, as well as civil litigation and securities class actions.

Lessons Learned

One of the first reports of a material cyber incident came from the bleach and cleaning product company Clorox. On 14 August 2023, Clorox filed an 8-K notifying the SEC of disruption to its business operations due to a cybersecurity incident. Although this report was very general, it emphasized the impact of the incident on Clorox’s Q1 2024 financial results. A month later, Clorox filed a second 8-K confirming the materiality of the cyber incident, given that it had caused partial damage to Clorox’s IT infrastructure and affected its operations (e.g., order processing delays and elevated levels of product outage). The month-long gap between the two 8-Ks reflects how long and how complex it can be to determine whether a cyber incident has a material impact and the extent of that impact. The short-term impact of filing the 8-K can be seen in the almost 10% decrease in Clorox’s share price following publication.

Most recently, VF Corporation, the owner of The North Face and Vans, filed an 8-K on 15 December 2023, stating that two days earlier it had detected unauthorized access to its systems and eventually suffered encryption of some of its systems and data exfiltration. Although its investigation is ongoing, VF Corporation has stated that it filed its 8-K because the incident has “had and is reasonably likely to continue to have a material impact on the Company’s business operations.”

Ironically, these reporting obligations have created a new risk for companies. There have been cases in which threat actors, having extorted a company after the initial incident, reported their own attack to the SEC when the victim refused to pay.

A recent example of this was MeridianLink, a company that sustained an attack from the ALPHV ransomware group. The threat actors initially issued a ransom note to MeridianLink giving it 24 hours to pay; if not, ALPHV would publish the data it had supposedly exfiltrated. To increase the pressure after receiving no response from MeridianLink, the threat actors filed a complaint with the SEC alleging that the company had not disclosed, within the required four days, a cybersecurity incident that materially affected its operations, thereby breaching the new SEC regulations. The threat actors published evidence of their complaint on their own website, sharing a screenshot of the form they submitted to the SEC’s Tips, Complaints, and Referrals page.

MeridianLink issued a statement confirming that it had identified a cybersecurity incident and had acted immediately to contain the threat, hiring third-party forensic assistance to investigate the cost and scope of the incident. MeridianLink went on to say, however, that its own investigation found no evidence of unauthorized access and that only minimal business disruption had been caused. It is important to note that when these events occurred, the notification obligations were not yet fully in force.

Effect on D&O/Cyber Insurance

As mentioned above, these new regulations also apply to foreign private issuers, which could have an impact on companies in Latin America that are either already foreign private issuers or are considering being listed in the US. These organizations will now have to adhere to stricter standards and comply with the aforementioned SEC requirements, including implementing data breach policies and actively managing cybersecurity risk policies (and disclosing the same every year). As such, it is recommended that these organizations have at least one cybersecurity expert on their boards.

The SEC regulation, and the significant impacts cybersecurity incidents can have, could expose companies, and their directors and officers, not only to sanctions but also to litigation risk. Given the likely disagreements over the materiality assessment, over whether disclosure was appropriate and over whether it was made in a timely manner, we expect the incident disclosure requirement to become a source of litigation between various stakeholders. Likewise, securities class actions may arise from falling share prices.

Some of these risks may be mitigated via insurance, and companies, as well as their directors and officers, will surely seek coverage for these potential discrepancies and claims. As expected, top management and chief information security officers (CISOs) are the roles that will shoulder most of the burden of complying with these regulations and will therefore face more lawsuits or investigations concerning these matters. This will drive a greater need for D&O insurance, as it would ostensibly cover the errors and omissions allegedly committed by insured persons that lead to these follow-on actions.

Some D&O policies include a broad cyber exclusion so as to avoid covering the typical claims covered under a cyber insurance policy and their consequences. However, when these broad exclusions were drafted, the new kinds of claims that may now arise against a company’s directors and officers were not contemplated. As such, it is important to review your D&O program to make sure that actions following or emanating from a cybersecurity incident disclosure are potentially covered.

From the cyber insurance perspective, public companies will have to be more careful when disclosing their cybersecurity management, governance, and practices in their proposal forms, as this information will now be publicly available. If one of these companies were to have a cyber incident, (re)insurers will likely review the initial application and compare it to the publicly available information to make sure that there are no misrepresentations. The consequence of breaching the duty of fair representation varies from country to country; in Latin America the most severe consequence is rescission of the policy. This highlights the importance of having those responsible for compliance with the SEC’s new regulations work in close coordination with the risk managers who are usually responsible for the insurance application forms.

Some cyber insurance policies cover third-party privacy liability claims, which also cover privacy violations and consumer class actions, as well as the costs incurred by the company in complying with privacy regulations following a cybersecurity incident. This would include, for example, the cost incurred by the policyholder in hiring a legal firm to advise on complying with applicable privacy regulations, facing investigations from the SEC or other relevant regulators, or defending the policyholder against third-party claims. Public companies will have to ensure that the definitions in their cyber insurance policies, particularly the definition of privacy regulation, encompass these new SEC regulations, as they are not technically a data privacy or data protection regulation, which is what cyber insurance policies usually cover.

These regulations go to show how increasingly global and interconnected cyber risks can be, and serve as a warning to our clients in Latin America and the Caribbean that new risks and liabilities can emerge from unlikely places. We at Kennedys can provide assistance in complying with these new regulations and in handling any cybersecurity incident that may arise.