The Securities and Exchange Commission (SEC) has finalized new rules that change cyber incident disclosure requirements. Under these guidelines, publicly traded companies must disclose cybersecurity incidents within four business days of determining that an event could have a “material” impact on company financial performance. The change is designed to improve transparency around cybersecurity risks and to help investors make informed decisions, but some challenges for cyber underwriters remain.
New SEC guidelines improve cyber risk transparency
The final SEC rule on cybersecurity disclosure departs from strict, prescriptive requirements in favor of a more adaptable, principle-based approach to describing risk management. This shift gives companies the freedom to implement diverse strategies that keep pace with dynamic and ever-changing adversarial threats. Public companies can therefore build adaptive programs that pivot quickly in response to emerging risks, leaving them better equipped to handle cybersecurity challenges effectively.
The rules also include a carve-out for incidents that may pose risks to national security or public safety. This adds a necessary precaution, recognizing that certain cybersecurity issues extend beyond the company’s operations. This thoughtful safeguard balances the imperative of disclosure with the protection of critical interests.
Moreover, the requirement to disclose positions or committees responsible for managing cyber risk fosters transparency. This rule ensures that investors have access to crucial insights into the company’s cybersecurity framework.
Additionally, the retention of the 4-day timeline for incident reporting, with a focus on material impact (i.e. on investors), streamlines the disclosure process, enabling companies to report only the most relevant and significant incidents without unnecessary burdens.
“Materiality” may cause unexpected cyber risk exposure
The new rules may not be straightforward to follow, which could delay disclosure in practice. The definition of “material” is not always clear and may lead to inconsistent disclosure practices. Determining the financial impact of a cybersecurity incident can also be difficult, especially while the incident is still ongoing.
The level of detail required for disclosing cybersecurity risk management programs is also unspecified, leading to potential inconsistencies. In addition, publicizing cyber events too early could complicate forensic investigations and recovery.
The impact of the SEC guidelines on D&O policies
The new SEC rules on cybersecurity disclosure could increase D&O claim frequency, as directors and officers may be held liable for failing to disclose material cybersecurity incidents in a timely manner. Given the increasing complexity of cyber risks, this could in turn make it more difficult for insurers to assess and price D&O coverage, with the result being higher premiums or even the withdrawal of coverage altogether.
What can cyber insurance professionals expect now?
The SEC is expected to issue further guidance on these rules in the coming months. This should provide much needed clarity on determining materiality and the level of cyber risk management reporting.
However, the new guidelines also demonstrate greater board-level awareness of how significantly security breaches disrupt business operations. This recognition of cyber risk as a business risk, rather than just a technical issue, is crucial as the cyber policy nears maturity.