The Securities and Exchange Commission (SEC) is prioritizing regulations aimed at reducing cybersecurity risks.

Author: John Farley


In the first quarter, the SEC issued two significant proposals: one that mandates new disclosure requirements for all publicly traded companies and a second that focuses on cybersecurity controls in the financial services sector. The SEC has made these a priority as the escalating conflict in Ukraine raises concerns of heightened cyber risk to organizations around the globe.

According to the SEC's Statement on Proposal for Mandatory Cybersecurity Disclosure issued on March 9, 2022, all publicly traded companies will be required to adhere to the following two mandates, among other requirements.

  • Mandatory cybersecurity incident disclosure. Material incidents must be reported on an 8-K form within four business days of the incident. Organizations would also be required to provide periodic updates about previous incidents. In addition, they would be required to report when "a series of previously undisclosed, individually immaterial cybersecurity events has become material in the aggregate."
  • Required disclosures of company policies to manage cyber risks. Annual reports would have to outline a firm's policies for identifying and managing cyber risks and document whether any member of its board of directors has expertise in cybersecurity.

Commissioners voted 3-1 in favor of the proposal, which is expected to be finalized after the SEC receives feedback from the public in the coming weeks.

On February 9, the SEC announced that it seeks greater disclosure from advisors, hedge funds and private equity funds, which will be required to adopt written policies that are "reasonably" designed to address cybersecurity risks. They will also be required to report significant cybersecurity incidents and maintain cybersecurity-related books and records.

Cyber Insurance and regulatory risk

It is important to carefully review cyber insurance and other insurance policies that may help navigate what will likely be a more aggressive regulatory environment. To help meet compliance obligations following a cybersecurity incident, our clients may leverage stand-alone cyber insurance policies to access key data breach response experts. These experts include breach coaches, IT forensic investigators and other specialists who are often best equipped to quickly and thoroughly investigate and report on matters that require disclosure.

Cyber insurance policyholders should also be mindful of obligations to their carriers, which may include strict requirements to report incidents in a timely fashion and use only pre-approved breach response vendors.

Many cyber insurance policies provide coverage for costs related to regulatory risk, including coverage for regulatory investigations, lawsuits, settlements and fines where permitted by law. However, it is important to review this coverage carefully. Conditions in the cyber insurance market remain challenging in 2022, and some cyber carriers are dramatically scaling back coverage for regulatory risk.



The information contained herein is offered as insurance industry guidance and provided as an overview of current market risks and available coverages and is intended for discussion purposes only. This publication is not intended to offer legal advice or client-specific risk management advice. Any description of insurance coverages is not meant to interpret specific coverages that your company may already have in place or that may be generally available. General insurance descriptions contained herein do not include complete insurance policy definitions, terms, and/or conditions, and should not be relied on for coverage interpretation. Actual insurance policies must always be consulted for full coverage details and analysis.


Insurance brokerage and related services to be provided by Arthur J. Gallagher Risk Management Services, Inc. (License No. 0D69293) and/or its affiliate Arthur J. Gallagher & Co. Insurance Brokers of California, Inc. (License No. 0726293).
© 2022 Arthur J. Gallagher & Co.