New rules proposed by the U.S. Securities and Exchange Commission on cybersecurity and climate impact disclosures may generate more lawsuits that will generate claims against directors and officers policies, panelists said last Wednesday during the Professional Liability Underwriting Society’s conference.
“More disclosure, more securities litigation,” said attorney Noelle M. Reed, a partner with the Skadden law firm in Houston. “Any time you have more disclosure you’ll have plaintiffs scrubbing, looking for more claims.”
Reed and fellow panelist Doru Gavril, a partner with Freshfields Bruckhaus Deringer, said cyber disclosure rules proposed by the SEC in March may be counterproductive if not amended. The proposed rules would require public companies to disclose any “material cybersecurity incident” within four business days.
Gavril questioned the prudence of creating a specific deadline for reporting material incidents. SEC regulations require corporations to disclose to shareholders any incidents that could have a material impact on share value, but there are no specific time frames listed in the rules for other types of incidents.
He said he recently represented a client who grappled with an incident that may have generated a required disclosure under the new rules. He said typically managers are not immediately aware of a data breach, and if they are aware, it takes time to understand what data was compromised.
“It’s incredibly difficult know if you’ve been breached, when you’ve been breached and where you’ve been breached,” he said.
Sometimes, the U.S. Justice Department asks corporate leaders not to disclose cyber incidents because national security is involved, Gavril said. A rule requiring quick disclosure could work against the secrecy needed by law enforcement, he said.
Knowing whether an incident rises to the level of required reporting can also be tough call. Reed said she recently counseled a client who was hacked. “We had twice-a-day meetings to determine if the event is material.”
Also in March, the SEC proposed rules that would require public corporations to disclose climate-related risks. Reed said this may create an opportunity for activists investors to look for any misrepresentations. She said the SEC itself may take enforcement action.
“At some point the SEC may decide it has to do something because they are the ones who promulgated the rules.”
The SEC took 697 enforcement actions against corporations in fiscal year 2021 and collected $3.85 billion in penalties. That was down from 715 enforcement actions and $4.68 billion in penalties in 2020.
Gavril said if the climate disclosure rules are adopted, corporations will have to careful about making reckless “aspirational statements,” such as overly optimistic promises about reducing the business’ carbon footprint. He said if corporations state any goals, the board of directors needs to ensure they are monitoring those efforts and hearing updates on the progress. Detailed minutes of board meetings are imperative, he said.
Jack Flug, a managing director and claims and professional leader for Marsh, said the new disclosure requirements come a time when the D&O line has become more affordable for corporations. He said insureds currently are in a better position that underwriters. He said only two years ago, policyholders were finding it difficult to find any bargains.
“The market went up way too fast it went down just as quickly,” Flug said. It’s hard to judge what the real price ought to be.”
The PLUS conference took place last week at the Marriott Marquis Marina in downtown San Diego.
This article was originally published by Claims Journal, a sister publication of Carrier Management. Reporter Jim Sams in the editor of Claims Journal.