
SEC Issues New Rules for Disclosing Cyber Incidents

Major new requirements for SEC-registered companies go into effect December 1, 2023
August 15, 2023

On July 26, the SEC released new rules requiring registered companies to “disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy and governance.” 

These major new rules for SEC-registered companies go into effect December 1, 2023. Review the SEC press release and fact sheet.

Notable Requirements

The new rules require public companies to:

  • Disclose material cybersecurity breaches within four days after determining that an incident was material. A material incident is one that is likely to have a significant impact on the insured’s business, financial condition or operations.
  • Disclose information about the board of directors' oversight of cybersecurity risk. This includes information about the board's role in assessing and managing cybersecurity risk, as well as the board's expertise in cybersecurity.
  • Disclose the nature, scope and timing of the incident; the incident’s likely material impact to their organization; and their processes, if any, for assessing, identifying and managing material risks from cybersecurity threats. Companies will also need to report on ongoing or completed remediation efforts in their annual 10-K filing. 

Why the New Rules

In addition to reiterating that “cybersecurity threats and incidents pose an ongoing and escalating risk to public companies, investors and market participants” – and, for stakeholders, the growing costs that come with these incidents – the SEC noted that a number of factors are exacerbating this risk. These factors include “the digitalization of registrants’ operations, the growth of remote work, the ability of criminals to monetize cybersecurity incidents, the use of digital payments and the increasing reliance on third-party service providers for information technology services.” 

SEC Chair Gary Gensler said: “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies and the markets connecting them.” 

Actions to Take

No company is exempt from a potential cyber incident, so reviewing cybersecurity strategies at least annually should be a priority for every business. 

In the context of the new SEC rules, public companies should immediately review their cyber-risk preparedness, mitigation protocols, incident response plans and coverage. They should also take steps to confirm their board of directors is aware of what’s in place and who is overseeing it.

Conduct a tabletop exercise. Tabletop exercises are a great way to test a company’s incident response plan and ensure all proper players know their role in the event of a breach. Your tabletop should include action plans in line with the new SEC rules.

Note: Many insurers offer tabletops as part of their policy premium.

Before issuing or renewing insurance coverage, insurers now need to ensure that businesses meet specific cybersecurity standards. NFP’s Management, Cyber and Professional Liability team continues to collaborate with clients to conduct these reviews and align cybersecurity solutions and insurance coverage with potential vulnerabilities and the new SEC rules. Please reach out to your cyber broker early to prepare and explore various cybersecurity solutions, including many that may be part of your insurance policy. NFP’s Cyber team can be contacted directly at NFP Cyber Panel.

Additional Resources

https://www.nfp.com/insights/sec-cybersecurity-breach-disclosure-rule/