Author: John Doernberg


On July 26, 2023, the US Securities and Exchange Commission (SEC) adopted rules requiring certain cybersecurity disclosures from public companies. The rules require prompt disclosure of material cybersecurity incidents and annual disclosure of the details about corporate cybersecurity risk management, governance and strategy.

The final rules, as adopted, contain changes to draft rules issued in March 2022, which we discussed in our article "The SEC Is Introducing Aggressive Cybersecurity Regulations in 2022: What You Need to Know".

Here are some provisions of the SEC's final rules document, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure,[1] that may affect Cyber insurance and cyber risk management.

Mandatory cybersecurity incident disclosure

  • Public companies must file a public report with the SEC disclosing material cyber incidents within four business days of determining that the incident is material. While there's no set deadline for determining "materiality," companies must make this determination without unreasonable delay following the discovery of a cyber incident.
  • A "cybersecurity incident" extends to a series of related occurrences that may be material in the aggregate — for example, multiple incidents involving the same attacker or multiple attackers exploiting the same vulnerability.
  • Companies must "describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations."[1]
  • The SEC understands that companies may have reduced visibility into cyber incidents that occur on their vendors' and suppliers' networks. Companies' disclosures should be based on the information available to them: "The final Rules generally do not require that [reporting companies] conduct additional inquiries outside of their regular channels of communication with third-party service providers pursuant to those contracts and in accordance with registrants' disclosure controls and procedures."[1]
  • The rules for reporting cyber incidents take effect the later of December 18, 2023 or 90 days after the rules are published in the Federal Register. Smaller reporting companies have an extra 180 days before the rules take effect.

Disclosure in annual reports

  • Companies must provide information about their processes for assessing, identifying and managing their material cybersecurity risks. They must also disclose whether, and to what extent, those processes have been integrated with their overall risk management practices. The final rules dropped various requirements contained in the proposed rules, including disclosures about companies' efforts to prevent, detect and recover from prior cyber incidents.
  • Companies must "describe the board of directors' oversight of risks from cybersecurity threats and management's role and expertise in assessing and managing material risks from cybersecurity threats."[1]
  • Companies that engage third parties to assist in cyber risk management must disclose that fact and whether they have processes to identify and monitor the risks arising from the use of outside service providers.
  • The annual disclosures will be required for fiscal years ending on or after December 15, 2023.

The cybersecurity disclosure rules, Cyber insurance and cyber risk management

  • When there's a claim based on an alleged violation of the rules, companies should closely review all potentially applicable insurance policies to assess their potential coverage options. The facts of each situation will dictate where insurance coverage may be found.
  • The rules may have significant direct or indirect impact on many aspects of Cyber insurance, including coverage, claims, the placement process and risk management.
  • Coverage under Cyber insurance policies for claims relating to the rules — or to underlying incidents or risk management practices — will depend on both the wording of the relevant policy and on the particular facts and circumstances of the claims. Coverage for SEC cyber-related enforcement actions may depend on the nature of the allegations involved and on the evolving nature of the SEC's role relating to corporate cybersecurity practices.[2]
  • The rules magnify the importance of close communication and coordination among all corporate personnel and outside advisors involved in cybersecurity, IT, legal, financial, contracting, communications, investor relations and insurance matters. The SEC's previous enforcement actions over the adequacy of corporate disclosure controls highlight the importance of such communication and coordination.[3][4] Such communication and coordination are essential to ensuring that what is reported in a company's SEC filings aligns with what is being said and done elsewhere — including in Cyber insurance placement and claims handling processes. This impact may be the most significant on the various elements of Cyber insurance.
  • Certain cyber risk management practices may have to be updated. For example, companies' current cyber incident response plans and tabletop exercises may need updating to incorporate the materiality assessments necessary for them to comply with the rules' disclosure requirements.
  • The widespread availability of disclosures about corporate risk management processes for assessing, identifying and managing cybersecurity risks may also cause companies to feel some pressure to have practices — for example, relating to processes for monitoring the cyber risks from the use of third-party suppliers — comparable to those reported by their peers.[5]
  • Cyber insurers will undoubtedly review these disclosures in assessing the cyber risk management practices of companies they're evaluating and in handling claims. Some cyber insurance policies provide that the insured's application for insurance is deemed to incorporate the insured's public filings, or call for the insured's SEC filings to be submitted with the application and to become part of it. It's therefore possible that some insurers may question coverage for cyber claims on the grounds that disclosures in an insured's SEC filings constituted material misrepresentations that the insurers relied upon in granting coverage.

Gallagher's Cyber insurance team is very experienced at helping companies navigate all elements of the Cyber insurance process, from risk management to the cyber insurance process and claims handling and advocacy. Contact your Gallagher broker today to learn how we are helping clients in this changing environment.

Sources

[1] "SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies," US Securities and Exchange Commission, 23 Jul 2023.

[2] For example, Kalsu, Bart et al. "SEC Alleges SolarWinds CFO, CISO Violated US Securities Laws," Bank Info Security, 26 Jun 2023.

[3] For example, "SEC Charges Issuer With Cybersecurity Disclosure Controls Failures," US Securities and Exchange Commission, 15 Jun 2021.

[4] For example, "SEC Charges Pearson plc for Misleading Investors About Cyber Breach," US Securities and Exchange Commission, 16 Aug 2021.

[5] For example, Peirce, Hester M. "Harming Investors and Helping Hackers: Statement on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure," US Securities and Exchange Commission, 26 Jul 2023.


Insurance brokerage and related services to be provided by Arthur J. Gallagher Risk Management Services, Inc. (License No. 0D69293) and/or its affiliate Arthur J. Gallagher & Co. Insurance Brokers of California, Inc. (License No. 0726293).
© 2023 Arthur J. Gallagher & Co.