The responsibilities of public company D&Os are constantly changing, many corresponding with demands for more social responsibility. The U.S. Securities and Exchange Commission (SEC) has new disclosure obligations regarding cybersecurity incidents, including annual disclosure of companies’ cybersecurity risk management. The SEC, the European Union, and the state of California also have requirements to be enforced on climate-related information disclosures.

These issues can lead to potential exposure, and growing government regulation is impacting the evaluations of underwriters, brokers, and adjusters related to these new and sometimes unique risks. Claims regarding data breaches and failure to meet carbon footprint expectations are becoming more frequent. Thus, D&O requirements involving cyber breaches and climate change are becoming increasingly prevalent. The presentation will address these areas of concern, going over litigation, liability exposure, and insurance issues related to them.

SEC Rules
One entity that has been active in increasing disclosure requirements for D&Os to consider has been the SEC. In July 2023, the Commission adopted rules requiring companies “to disclose both material cybersecurity incidents they experience and, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance.” As described by the SEC, the rules’ purpose is to “provide investors with timely, consistent, and comparable information about an important set of risks that can cause significant losses to public companies and their investors,” as well as “help investors evaluate those risks as they make investment and voting decisions.”

Since these SEC rules went into effect in December 2023, there have been more than a dozen disclosures by public companies. Some recent examples include Ticketmaster, which disclosed that a “criminal threat actor” offered to sell, what it alleged to be, Ticketmaster data on “the dark web,” and Frontier Communications, which disclosed that it “detected that a third party had gained unauthorized access to portions of its information technology environment.”

With the new SEC disclosure rule regarding cybersecurity incidents, a few issues have been raised. One is the limited exception where public companies are permitted to delay the disclosure, if they believe it will pose a substantial threat to national security and public security. For this exception, a written permission from the U.S. Attorney General must be granted. Part 1.05 was added to Form 8-K (known as a “current report,” companies must file Form 8-K with the SEC to announce major events that shareholders should know about) to require disclosure of a cybersecurity issue that is determined to be material. This issue as to what is material and what disclosure about a cybersecurity event potentially impacts national security is likely evolving and may be clarified by SEC officials in 2024.

Another issue raised with the new SEC rules is how bad actors may use this disclosure requirement to their advantage while the public company is still investigating a cyber incident. It was widely reported in November 2023, before the new SEC rules were in effect, that prolific ransomware group AlphV (a/k/a BlackCat) reportedly breached software company MeridianLink’s information systems. What made the incident unique is that AlphV subsequently filed a whistleblower tip with the SEC, seeking an investigation of the victim MeridianLink for failing to publicly disclose the cybersecurity incident. The goal of providing the SEC more transparency into investors has led bad actors to take advantage of this disclosure obligation. As this new SEC requirement for public companies to be more transparent with disclosure of cybersecurity incidents is addressed by companies and the SEC, it remains to be seen how it will evolve.

On a separate note, the SEC in March 2024 adopted new rules that require public companies to disclose climate-related risks annually, though those new rules have been stayed while they are being challenged in the courts. There are other specific regulations regarding climate change that are moving forward, including in California and the European Union.

California Provisions and EU Directive
The California provisions are the Climate Corporate Data Accountability Act – requiring annual reporting on covered entities’ greenhouse gas emissions, with three scopes based on direct and indirect emissions – and the Climate-Related Financial Risk Act – requiring entities to disclose on a biennial basis the climate-related financial risk and measures adopted to reduce and adapt to the risk.

Across the pond, the EU’s Corporate Sustainability Reporting Directive (CSRD) requires comprehensive and granular disclosures covering all sustainability topics. The CSRD embraces double materiality, compelling companies to report how sustainability matters affect their business development and their impact on sustainability matters.

These regulations fit in with the growing number of environment-based lawsuits, such as the KlimaSeniorinnen v. Switzerland matter, where the European Court on Human Rights in April 2024 found that Switzerland violated the right to respect for private and family life in failing to comply with its positive obligations under the Convention concerning climate change, and lawsuits in the United States such as Nicole Argenzio et al. v. Walmart Inc., where the company is challenging a description on a product label as "Reef Friendly" even though the active ingredients are known to be harmful to coral reefs. It also flows with those companies in North America and in Europe that are making voluntary disclosures on sustainability and climate changes such as HanesBrands, Gildan, Microsoft, Puma, and Siemens, to name a few.

The increased regulations in the United States and worldwide as to environmental concerns will continue to keep corporations thinking about their potential exposure to such laws and consumer actions.