The SEC adopts rules that require all public companies to disclose all cyber security breaches within four days if a cybersecurity incident is material.
|Financial, Executive and Professional Risks (FINEX)
N/A
On the heels of the SEC announcing back in March a package of policies designed to protect the financial system against cyber incidents, the commission adopted rules on July 26 to require all public companies to disclose all cyber security breaches within four days after a registrant determines that a cybersecurity incident is material. The disclosure may be delayed up to 60 days if the United States Attorney General determines that immediate disclosure poses a substantial risk to national security or public safety. Specifically, the rules require these companies disclose the nature, scope and timing of the incident, as well as its likely material impact to their organization.
Further, companies will be obligated to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats and disclose this, along with information about ongoing or completed remediation efforts, in their annual 10-K filing.
These rules were first proposed in March of 2022, when the SEC determined that breaches of corporate networks posed an escalating risk as the digitization of operations and remote work increased — and the cost to investors from cybersecurity incidents rose.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said in a statement, noting the current inconsistency in disclosures. Further, according to Lesley Ritter, senior VP at Moody’s, the rules will add more transparency and hopefully lead to improvements in cyber security defenses.
Insurance and cyber risk management implications
For all publicly traded companies regulated by the SEC, ensure regulatory coverage is part of your cyber insurance program. Typically, coverage for regulatory actions is included within the security and privacy liability insuring agreements. Such coverage will generally provide for the defense of regulatory actions, which often includes enforcement actions, and investigative subpoenas.
It is important to recognize that the clock doesn’t start ticking on the four-day window for reporting cyber breaches until companies have determined a breach is material. It is imperative to have strong cross functional processes in place within the organization to ensure that key stakeholders can quickly determine when a breach is material and how this should be reported as to the incidents “nature, scope and timing”. This determination will also be important to ensure that cyber incidents are timely reported to the company’s cyber insurance carrier so that late notice is not a barrier to coverage, as well as managing regulatory and other potential legal exposures arising from late or incomplete reporting.
In order to comply with the above rules, publicly traded companies must now be prepared to disclose their cybersecurity processes for “assessing, identifying, and managing material risks from cybersecurity threats” Additionally, the rule requires organizations to describe the Board of Directors’ role and expertise in assessing and managing material. While this likely includes incident response planning approaches, these processes also relate to the assessment of cyber incidents and their materiality on core business objectives. Again, this change makes it important that organizations, from the Board and C-Suite level down, are addressing and managing cyber risks proactively. These changes are aimed at making organizations more resilient when faced with a cyber security incident and a better risk when either first procuring or renewing cyber insurance policies. Effective governance processes, as well as carrying out Board and C-Suite level cyber incident tabletop exercises, will be critical in ensuring that organizations can comply with the new rules and requirements.
All cyber insurers now are requiring businesses meet specific cyber security standards to be eligible to purchase and renew cyber insurance. Such cybersecurity response plans may include:
the designation of a responsible individual for cybersecurity;
the placement of appropriate privileged access controls;
employee training, drills and exercises;
the implementation of technical and physical security controls; and
adequate record keeping and documentation procedures.
Conclusion
Managing cyber related vulnerabilities should be part of the operational resilience strategy of every organization, whether publicly traded or not. Preparing in advance is one of the best ways to reduce the cost of dealing with a major cyber incident. WTW can assist you in tailoring a cyber risk management solution and coverage to suit your risk profile and business needs and advise you on how to not run afoul of the SEC’s new rules. Additionally, the Cyber Risk Solutions Team can provide tailored consulting services (including C-Suite and Board level projects) that address the updated SEC rules and strengthen organizational cyber risk resilience.
Disclaimer
Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed subsidiaries of Willis North America Inc., including Willis Towers Watson Northeast Inc. (in the United States) and Willis Canada, Inc.