Companies typically take a multi-layered approach to managing cyber risk, which includes building internal cybersecurity programs to mitigate risk, accepting risk where it falls within the business’ risk appetite, and transferring a portion of risk to cyber insurance providers. This blog post analyzes 10-K and 8-K SEC disclosures for references to cyber insurance. It distills the analysis into key takeaways for public company executives, board members, Chief Information Security Officers, and disclosure committees.
The Pros and Cons of Publicly Disclosing A Company Maintains Cyber Insurance
Publicly disclosing in your regulatory filings whether a company maintains cyber insurance is a nuanced decision that should be based on a thorough risk assessment and weighing of the pros and cons.
The crux of the debate is building trust and transparency versus highlighting a potential avenue of exploitation for attackers.
Building Trust and Transparency: Publicly disclosing that your company maintains cyber insurance coverage demonstrates transparency to investors, customers, partners and other stakeholders. It signals that your organization is taking proactive steps to transfer and mitigate cyber risk exposure. This can help build trust and confidence in your cybersecurity posture.
Highlighting a Potential Avenue of Exploitation: Disclosing cyber insurance coverage could motivate threat actors to view your company as a more lucrative target for a cyber attack or extortion attempt, with the knowledge that your organization has the ability to claim against a cyber insurance policy.
What does the Data Say?
Today, the vast majority of companies do not disclose that they maintain cyber insurance in the Cybersecurity item 1c section of annual 10-Ks. Only 24% (1051 of 4451) of 10-K Annual Report filings between December 15, 2023 and June 10, 2024 reference maintaining cyber insurance.
The top sectors disclosing they maintain cyber insurance are utilities (36%), industrials (29%), and consumer cyclical, consumer defense, and healthcare all at 28%.
The sectors with the least number of references to maintaining cyber insurance are energy and financial services around 18%. There’s an interesting divergence in approach across critical infrastructure sectors including utilities, energy, and financial services with utilities being the most likely to disclose, and energy and financial services some of the least likely to disclose.
The limited disclosure of cyber insurance likely means one of three things:
- Companies have decided that the risk of highlighting a potential avenue of exploitation outweighs the benefit of transparency
- Companies have not deliberated over the pros and cons
- Companies have chosen to self-insure
Is it any different for companies with Higher Revenue?
The disclosure data shows that the biggest companies in the U.S., those with $10B+ in revenue, have adopted a different approach. 84% of these companies (88 of 105) have opted to disclose they have cyber insurance coverage.
The approach, however, becomes a little more nuanced at the top of the food chain. For companies with $100B+ in revenue, only 26% (6 of 23) of companies disclose they have cyber insurance. None of the 5 Communication Services companies (Alphabet, Meta, etc) nor the 2 largest Financial Services companies (JPMorgan, Berkshire Hathaway) disclose whether they maintain cyber insurance. We also know from the Congressional hearing on UnitedHealth that the healthcare behemoth was self-insured.
What about Incident Disclosures?
Since the SEC’s new cyber rules took effect December 15, 2023, there have been 26 8-K incident disclosures. Of the 26 disclosures, only 1 references cyber insurance and the likelihood of recoveries.
Company | Filing Date | Insurance Reference |
---|---|---|
BRANDYWINE OPERATING PARTNERSHIP, L.P. | 2024-05-07 | “The Company currently expects that a substantial portion of its direct costs incurred relating to containing, investigating and remediating the cybersecurity incident will be reimbursed through insurance recoveries.” |
What are the takeaways?
Even without visibility into internal risk management and disclosure review processes, it’s still possible to draw five key conclusions on the cyber insurance disclosure data:
- There is no standard approach to disclosing if a company maintains cyber insurance in 10-K or 8-K filings, but the majority of companies do not disclose that they maintain cyber insurance coverage.
- As companies grow in size their disclosure approach shifts to more transparency until the mega-company level.
- At the mega-company level ($100B+ in revenue), the overwhelming majority of companies do not disclose whether they carry cyber insurance.
- An unknown quantity of companies, including United Health - a Fortune 5 company with a core competency and revenue stream in insurance, are choosing to self-insure for cyber risks.
- When companies disclose an incident, the vast majority do not share whether they have cyber insurance to recover costs.
When weighing whether to disclose cyber insurance coverage in public filings, there are several key factors companies should evaluate:
- Risk Exposure and Threat Landscape: Companies operating in sectors that are particularly rife with cyber threats or have heightened risk exposure may want to carefully consider the potential for disclosure to make them more of a target. Those in lower risk industries may have more flexibility.
- Insurance Coverage Adequacy: If your company’s cyber insurance coverage is relatively comprehensive with high limits, you may be more willing to disclose, but never disclose the actual amount of coverage you maintain.
- Disclosure Obligations and Governance: Established a consistent, well-governed disclosure philosophy as an organization and to handle cyber insurance is a good topic to review with counsel when finalizing your disclosures.
- Competitive Landscape: If peers and competitors are disclosing or not disclosing cyber insurance details, should your company follow the same approach?
While maintaining cyber insurance itself is prudent risk management for most companies, publicly disclosing it should be thoughtfully deliberated based on your sector, security posture, the insurance market conditions, and your overall disclosure philosophy and obligations as a public company.
Page last updated on June 19, 2024