On July 26, the SEC adopted rules requiring public companies to report cybersecurity breaches within four days of determining that an incident is material.
The disclosure can be delayed up to 60 days if national security or public safety is at risk, as determined by the U.S. Attorney General. The rules require companies to detail the incident’s nature, scope, timing, and its potential impact.
Companies must also describe their processes for identifying and managing cybersecurity risks, and disclose this in their annual 10-K filing for SEC registrants or on the 20-K Form for foreign private issuers. This description must also cover the board’s oversight of cybersecurity risks. These rules aim to address the increasing risk of network breaches in our digital world.
SEC’s new rules also require each public company, including a foreign private issuer, to describe in its annual report:
Regarding the new reporting obligations following a cybersecurity event: reporting must start within four days of determining that a breach is material, which requires strong cross-functional processes. In the final cybersecurity rules, the SEC chose not to include a list of risk types and instead provides a reference of risks, such as intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy laws, and reputational risk.
In summary: the SEC’s disclosure requirements for public companies are:
Preparing in advance is key to reducing the cost of handling cyber incidents; it also gives companies confidence that a proper solution is in place for possible future cybersecurity threats, and it supports compliance with the new regulations.
To determine whether you are ready for these requirements, consider whether you could answer the following questions:
Asian-headquartered companies listed on US exchanges are equally subject to these new reporting laws. It is important to note that the law change increases the potential scope of liability a company will face if it is found to have failed to adhere to the mandatory reporting obligations.
The proactive steps listed above are practical risk management steps for being prepared and informed about the new legal landscape if you are a US-listed company. Proactive risk management also includes a sound risk transfer solution: insurance.
WTW can help tailor a cyber risk transfer solution and coverage structures to suit your risk profile and business needs, and ensure that your organisation’s liability exposures are well protected amidst this new regulatory environment.
Title | File Type | File Size
---|---|---
SEC’s new Cybersecurity rules (and what they mean for US-listed Asian companies) | | .2 MB