Highlights of the SEC's final rules on cybersecurity disclosures
The following are the key points in the SEC's final rules document, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.3
Material cybersecurity incidents disclosure
Public companies are required to disclose, under new Item 1.05 of Form 8-K, any cybersecurity incident that they determine to be material, within four business days of determining materiality.3 This disclosure must include the nature, scope and timing of the incident, and the material impact — or reasonably likely material impact — of the incident on the reporting company's financial condition and operations.
In the final rules document, the SEC declined to define "materiality," but advised that the standard is consistent with cases addressing materiality in the securities laws. The SEC continued, "...information is material if 'there is a substantial likelihood that a reasonable shareholder would consider it important' in making an investment decision, or if it would have 'significantly altered the total mix of information made available.'" The final rules elaborate that in assessing materiality companies need to do so "through the lens of the reasonable investor."
According to the final rules, "Registrants must determine the materiality of an incident without unreasonable delay following discovery of that incident." The four business days is from the date that materiality is determined, not from the date that the cyber incident is discovered.
The exception: Filing the disclosure on Form 8-K may be delayed by 30 days or more if the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.
"Without unreasonable delay": The SEC seeks timely information to be provided to investors. Although a company may not have complete information about a cyber incident, if that company has enough information to determine whether the incident is material, a disclosure is required notwithstanding the need for a continued investigation. The SEC cites two examples of circumstances that constitute an unreasonable delay in determining materiality to forestall a timely disclosure: deferring committee meetings beyond the normal time it takes to convene, and revising existing incident response policies and procedures at the time of the incident.
Effective date: Compliance with the disclosure requirements for cyber incidents commences 90 days following publication in the Federal Register or December 18, 2023 — whichever is later.
Cybersecurity risk management and strategy disclosure
Public companies are now required to disclose a description of their processes for assessing, identifying and managing material risks from cybersecurity threats on Form 10-K Item 1.06(b).3 This disclosure includes whether any risks from cybersecurity threats — including as a result of previous cybersecurity incidents — have materially affected or are reasonably likely to affect the company.
Effective date: All public companies must provide these disclosures beginning with annual Form 10-K reporting for fiscal years ending on or after December 15, 2023.
Corporate governance disclosure — the board and management
Public companies are now required to annually disclose on Form 10-K Item 1.06(c) a description of the board of directors' oversight of risks from cybersecurity threats, including any specific board committee or subcommittee delegated this oversight task.3
Disclosure must describe management's role and expertise in assessing and managing material risks from cybersecurity threats, including:
- Identifying which management positions or committees, if any, are responsible for assessing and managing such risks and the relevant expertise of persons involved. The final rules don't require disclosing whether any member of the board of directors has cybersecurity expertise.
- Describing how the designated responsible persons or committees are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents.
- Disclosing whether such committees or persons report information about cyber risks to the board of directors or a committee or subcommittee of the board.
Effective date: All public companies must provide these disclosures beginning with annual Form 10-K reporting for fiscal years ending on or after December 15, 2023.
The Hot Seat Just Got Hotter for Board Directors and the C-Suite
Board directors and senior level officers must digest and execute the final rules at warp speed. In less than six months, they must establish procedures to assure compliance — a process that requires a company's time, money and human resources.
Failure to comply with the SEC's new cybersecurity disclosure rules presents a host of consequences, including but not limited to:
- Increased regulatory scrutiny and investigations
- SEC enforcement actions
- Non-fraud disclosure violations
- Shareholder derivative litigation alleging failure to discharge fiduciary duties
- Securities class actions resulting from stock drops
- Damage to a company's reputation
Premature or inaccurate disclosures not only invite scrutiny from the SEC and the plaintiffs' bar, but may also catapult the cyber and governance worlds into a head-on collision that allows cyber threat actors to broaden their attack. Public disclosure of a cyber incident could provide intelligence to cyber criminals, who may still be lurking in a company's computer system, enabling them to do additional damage to a company. Compliance versus fighting a continuous cyber attack may place board directors and senior level officers in a particularly precarious position.
Although the SEC has clarified that the final rules don't require companies to disclose sensitive information about cybersecurity incidents, the aggressive four-business-day timeline for disclosure may lead some public companies to act otherwise. They may rush to disclose a cyber incident that's perceived as material without yet knowing that the attack is more expansive than originally thought. Plaintiffs' lawyers may well claim that such hurried disclosures were misleading, while cybercriminals capitalize on the disclosure. Caught in this web, board directors may be tempted to overstep their bounds into the daily operations of the companies they serve instead of staying in their lane of responsibility: providing oversight to the company.
The hot seat cools off a bit with this guidance:
- Broaden appropriate cybersecurity expertise at all levels of the company. For example, enhance the cyber literacy of board directors with training from internal or external experts, to help the board know what questions to ask management to gain a comprehensive view of the company's cybersecurity.4
- Develop an understanding of the cybersecurity disclosure requirements and concepts in the final rules, which includes educating the company's IT team about the meaning of materiality under the securities laws.5
- Ensure that the board of directors and the C-suite regularly discuss with the Chief Information Security Officer (CISO) the company's computer system vulnerabilities that would result in significant financial and/or reputational impact. Seek recommendations from the CISO for prioritizing cybersecurity needs and processes.4
- Implement disclosure controls and procedures to comply with requirements, particularly related to determining materiality and preparing disclosures. Where disclosure controls already exist, update them to capture information from every department within the organization.5
- Evaluate and adjust cybersecurity incident response plans and procedures, which should be integrated with the disclosure requirements. Include a process to determine whether an incident is material and therefore requires disclosure.5
- Build and reinforce clearly defined escalation processes that allow the board of directors and C-suite to be alerted to cybersecurity matters periodically and on an ad hoc/critical basis.6
- Create a board committee specifically responsible for cybersecurity oversight and establish a board disclosure committee.4
- Consider the way in which risk management and governance processes will be disclosed and whether those processes require revision.6
A united front: Bringing it all together
Although the primary focus of board directors and C-suite officers is to always act in the best interests of the companies they serve, the layer of cyber liability blanketing Directors' and Officers' (D&O) liability presents novel complications. As such, compliance with the final rules presents a formidable challenge for public companies. Equally critical is the protection available to these companies if they become investigation or litigation targets.
In this regard, public company D&O Liability insurance is designed to provide personal asset and balance sheet protection for individuals and the company. This insurance covers claims — including investigations and regulatory proceedings — by shareholders and regulators alleging:
- Breaches of fiduciary duties in the running of the company
- Fraud
- Violations of securities laws
- Mismanagement
- Lack of compliance
- Disclosure of false and misleading information
- Misrepresentation of company assets
- Related allegations
The majority of consequences that could befall the publicly traded company for compliance failures can be captured within the D&O Liability Insurance net. Nonetheless, allegations regarding data security breaches, computer system failures, business interruption, privacy violations and many assertions of financial losses incurred as a result of a cyber attack — including cyber-attack-related regulatory activity (distinct from cybersecurity-related shareholder legal actions) — are excluded from coverage on the public company D&O Liability insurance policy. Most often, coverage is afforded on a Cyber Liability insurance policy.
Although Cyber and D&O insurance are dramatically different in purpose and scope of coverage, under these new SEC final rules the interlocking of Cyber and D&O insurance may provide protection for board directors, the C-suite and the company as we move into a new age.
As with every such collision, a new era dawns, and passage of the SEC final rules marks that dawn. Reviewing your D&O and Cyber insurance policies is vital to prepare for the events to come.
Gallagher's Management Liability Insurance practice stands ready to assist.