On July 26th, 2023, the Securities and Exchange Commission (SEC) announced new cybersecurity rules for registered companies. The new rules require public companies to disclose cybersecurity breaches to the market within four days following the determination that the breach was material. Specifically, the rules require these companies to disclose the nature, scope, and timing of the incident and its likely material impact on their organization.
Incident disclosure requirements are a key aspect of the SEC’s new regulations. Businesses must report any material cybersecurity incident within the given time frame. The agency sees disclosure of these incidents as important in protecting an organization’s reputation and facilitating a quick response to mitigate damages.
“These incident disclosure requirements would provide assurance to clients and stakeholders that steps are taken to protect sensitive information, and this is essential to maintaining trust. Whether a company loses a factory in a fire – or millions of files in a cybersecurity incident – it may be material to investors.” – SEC Chair Gary Gensler
Under the new rules, every firm must outline a strategy that provides guidelines on identifying, assessing, mitigating, and communicating cybersecurity risk. On an annual basis, the regulations require companies to disclose the material cybersecurity incidents they have experienced and material information regarding their cybersecurity risk management and governance. Included in this annual disclosure is the planned oversight of cyber exposures by the Board of Directors.
As cyber threats continue to evolve, the importance of risk management and adequately securing information systems cannot be overstated. By implementing cybersecurity risk management programs, businesses can better identify and mitigate risk, and adapt to changing circumstances to achieve their cybersecurity objectives.
- The SEC’s new rules make it more important for public companies to maintain excellent Cyber and D&O Insurance policies as part of their insurance portfolios, as these policies provide coverage for certain costs related to regulatory investigations.
- Cyber insurers require insureds to have reliable, high-level cybersecurity procedures in place before they will issue policies. Insurers have a great deal of expertise to share, so it is essential to work with them to make certain that risk management of these issues is up to date.
- To comply with the level of supervision that both insurers and the SEC require, companies must make certain they have open communication between corporate functions such as IT, regulatory, and Legal, so that when issues are raised, they are evaluated as soon as possible.
For more information about what your Board of Directors should be reviewing, view our detailed recommendations here.