Author: John Farley
In the first quarter, the SEC issued two significant proposals; one that mandates new disclosure requirements for all publicly traded companies and a second that focuses on cybersecurity controls in the financial services sector. The SEC has made these a priority as the escalating conflict in Ukraine raises concerns of heightened cyber risk to organizations around the globe.
According to the SEC's Statement on Proposal for Mandatory Cybersecurity Disclosure issued on March 9, 2022, all publicly traded companies would be required to adhere to the following two mandates, among other requirements.
- Mandatory cybersecurity incident disclosure. Material incidents would have to be reported on Form 8-K within four business days after the company determines that the incident is material. Organizations would also be required to provide periodic updates about previously disclosed incidents. In addition, they would be required to report when "a series of previously undisclosed, individually immaterial cybersecurity events has become material in the aggregate."
- Required disclosures of company policies to manage cyber risks. Annual reports would have to outline a firm's policies and procedures for identifying and managing cyber risks and disclose whether any member of its board of directors has expertise in cybersecurity.
Commissioners voted 3-1 in favor of the proposal, which is expected to be finalized after the SEC reviews the public comments it receives in the coming weeks.
On February 9, the SEC announced a separate proposal seeking greater disclosure from investment advisers, hedge funds and private equity funds, which would be required to adopt written policies and procedures that are "reasonably" designed to address cybersecurity risks. They would also be required to report significant cybersecurity incidents to the SEC and to maintain cybersecurity-related books and records.
Cyber insurance and regulatory risk
It is important to carefully review cyber insurance and other insurance policies that may help an organization navigate what will likely be a more aggressive regulatory environment. To help meet compliance obligations following a cyber security incident, our clients may leverage stand-alone cyber insurance policies to access key data breach response experts. These experts include breach coaches, IT forensic investigators and other specialists who are often best equipped to quickly and thoroughly investigate, and report on, matters that require disclosure.
Cyber insurance policyholders should also be mindful of obligations to their carriers, which may include strict requirements to report incidents in a timely fashion and use only pre-approved breach response vendors.
Many cyber insurance policies provide coverage for costs related to regulatory risk, including coverage for regulatory investigations, lawsuits, settlements and fines where permitted by law. However, it is important to review this coverage carefully. Conditions in the cyber insurance market remain challenging in 2022, and some cyber carriers are dramatically scaling back coverage for regulatory risk.