On March 9, the SEC voted to propose significant new rules that would enhance and standardize public company disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting.
If ultimately adopted, the rules will put additional compliance burdens and reporting obligations on public companies that they will need to be prepared for. It would also make the need for robust Cyber Insurance even more significant, as investors will view cybersecurity as a material risk. Our practice is analyzing these impacts and positioning ourselves to provide the necessary insights and advice.
In adopting the proposal, the SEC cited the growing threat of serious cybersecurity attacks and the utility of consistent and comparable cybersecurity information for investors to more efficiently allocate capital. The new rules would apply to all public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.
The proposal would impose two new types of disclosure requirements: (1) disclosure of cybersecurity incidents and (2) disclosure of cybersecurity risk management, strategy, and governance. The rules are open for public comment until the later of May 9, 2022, or 30 days after publication of the proposal in the Federal Register.
The most notable requirement of the proposal is that it requires companies to disclose information about a “material cybersecurity incident” within four business days after determining that the incident is material. The proposal defines “material” by the standard applicable to other securities laws: namely, whether “there is a substantial likelihood that a reasonable shareholder would consider it important.” The proposal includes specific information companies would be required to disclose about any material cybersecurity incident.
In addition, the proposal would also require companies to provide any material changes or updates to previously disclosed cybersecurity incidents. Disclosure would be required “when a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate.”
Apart from the cybersecurity incident reporting, the proposal would require “enhanced and standardized disclosure on registrants’ cybersecurity risk management, strategy, and governance.” As to risk management and strategy, it would require companies to adequately describe the procedures they have in place, if any, for the “identification and management of risks from cybersecurity threats.”
Companies would also have to describe their board’s “oversight of cybersecurity risk,” including identifying which board members or committees oversee cybersecurity risks and the frequency with which the board discusses cybersecurity risks.
Outside of the boardroom, the proposal would also require disclosure of how the company’s management assesses cybersecurity-related risks, including a description of the persons or committees managing cybersecurity risk and a description of the expertise of any chief information security officer, as well as to disclose information about the cybersecurity expertise of members of the board of the directors, if any.
In a public address earlier this year, SEC Chair Gary Gensler outlined six areas where he had asked SEC staff to consider cybersecurity-related regulations. With the announcements of proposed SEC rules affecting public companies and previously-announced rules for investment advisers, there remains a strong possibility of further cybersecurity proposals addressing broker-dealers, Regulation SCI, Regulation S-P, and third-party financial service providers.
In other words, there is almost certainly much more to come. As a result, it is imperative for companies to review their Cyber Insurance strategies sooner rather than later to be prepared for the potential impacts of these sweeping new regulations in the field.
Want to learn more?
Find me on LinkedIn, here.
Connect with the Risk Strategies Cyber Risk team at cyber@risk-strategies.com.
Email me directly at rrosenzweig@risk-strategies.com