Last month, the U.S. Securities and Exchange Commission (SEC) released updated requirements for reporting cybersecurity incidents. These regulations mandate that all publicly traded companies disclose “material” cyber events within four days of their discovery. The new SEC cybersecurity rules will take effect on December 15 for most organizations. Smaller entities will have until June 2024 to comply.
Many large SEC-registered companies (“registrants”) have already adopted these reporting practices. However, smaller and mid-sized companies may need to take considerable measures to comply. For many registrants, these changes will have a significant impact on cyber and directors & officers (D&O) liability insurance coverage. Understanding these new regulations is the first step to ensuring your organization is compliant and protected against cyber threats.
In an effort to “enhance and standardize” cybersecurity reporting, the final ruling submitted by the SEC requires registrants to:
1. Report any material cybersecurity incident on Item 1.05 of Form 8-K: Organizations must make these disclosures within four days of becoming aware of the incident. The disclosure must articulate the attack’s nature, scope, and timing, as well as the “impact or reasonably likely impact.” This includes the effect of the attack on the company’s operations, finances, reputation, customers, vendors, and any potential for ensuing litigation. Registrants can apply for extensions if they believe disclosing the event would compromise national security or public safety.
2. Describe the registrant’s process for identifying, assessing, and managing cybersecurity risks on Item 106(b) of Form 10-K: Registrants will make these disclosures annually to detail their strategy for identifying and mitigating any potential cyber threats. This includes discussing whether the organization has implemented an internal cybersecurity department. Further, registrants must note if they sought third-party consultation regarding cyber risks. And the form asks whether the business has a continuity plan in the event of a cyberattack.
3. Disclose the registrant’s board oversight of cybersecurity risks on Item 106(c) of Form 10-K: In this annual disclosure, registrants will outline cybersecurity oversight maintained by their board of directors or internal cyber committee. Registrants will state:
On their own, these developments will not require your organization to devote a certain amount of money or personnel to cybersecurity. However, many businesses are taking a fresh look at their cyber defenses in response to these SEC cybersecurity rules.
Cyberattacks and their related data breaches pose considerable financial and reputational risks to investors, employees, and customers. To avoid the costly fallout of disclosing a cyberattack, it’s vital to adopt robust cybersecurity strategies. As cyberattacks increase in frequency and intensity, strengthening cyber defenses becomes a crucial part of doing business.
While the SEC’s final ruling contains considerable detail, some aspects are open to interpretation. The SEC states several times that registrants must reveal the scope and harms of attacks “without unreasonable delay.” The ruling modified the language from "as soon as reasonably practicable." The modification prevents companies from feeling pressured to draw conclusions about incidents without sufficient information. Still, some registrants wonder what exactly constitutes an “unreasonable” delay.
Likewise, the terms “significant” and “material” describe cyberattacks that require reporting on Form 8-K. However, the ruling does not provide a definition or threshold to explain what constitutes a “material” cyberattack. Instead, the SEC urges registrants to report an event as material if there is a “substantial likelihood that a reasonable shareholder would consider it important.”
Future court rulings will inform organizations on how to interpret the SEC’s terms. For now, you can best respond by maintaining ardent cybersecurity standards. Additionally, report any event that could be deemed important to investors.
Protecting your systems, networks, and programs from digital attacks is not cheap. But in an increasingly tech-dependent world, effective cybersecurity systems are crucial to business resilience. When you have strong cybersecurity measures in place, you’ll do more than just appease the SEC. You will demonstrate your organization prioritizes the safety and security of customers and investors.
Review your organization’s current procedures for addressing cybersecurity incidents and consider improving your cyber strategy where applicable. Also, revisit the contracts and incident response processes of any third-party providers you work with — including cloud vendors, payroll services, and others. If a third-party working on your behalf experiences a data breach, you may have liabilities and reporting responsibilities even though the breach wasn’t in your system.
Finally, reread your cyber and D&O insurance policies to ensure they meet your current needs. At renewals, examine the policy language carefully, not just the rate change. Your broker can walk you through what’s new, as well as how to improve your cyber risk profile. Fortifying your cybersecurity strategy may help your organization qualify for better rates and terms.
Find Allen Blount on LinkedIn, here.
Connect with Risk Strategies Cyber Risk team at cyber@risk-strategies.com.
About the authors
Allen Blount leads the Cyber Team at Risk Strategies, where he guides organizations on cyber liability insurance and cyber risk management. Before his insurance career, he practiced law.
Alex Maza specializes in developing executive liability programs. With over 28 years of experience, he consults on directors and officers (D&O) liability, employment practices liability, professional liability, fiduciary liability, and crime insurance.