Author: John Doernberg
On July 26, 2023, the US Securities and Exchange Commission (SEC) adopted rules requiring certain cybersecurity disclosures from public companies. The rules require prompt disclosure of material cybersecurity incidents and annual disclosure of the details about corporate cybersecurity risk management, governance and strategy.
The final rules, as adopted, contain changes to draft rules issued in March 2022, which we discussed in our article "The SEC Is Introducing Aggressive Cybersecurity Regulations in 2022: What You Need to Know".
Here are some provisions of the SEC's final rules document, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure [1], that may affect cyber insurance and cyber risk management.
Mandatory cybersecurity incident disclosure
- Public companies must file a public report with the SEC disclosing material cyber incidents within four business days of determining that the incident is material. While there's no set deadline for determining "materiality," companies must make this determination without unreasonable delay following the discovery of a cyber incident.
- A "cybersecurity incident" extends to a series of related occurrences that may be material in the aggregate — for example, multiple incidents involving the same attacker or multiple attackers exploiting the same vulnerability.
- Companies must "describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations." [1]
- The SEC understands that companies may have reduced visibility into cyber incidents that occur on their vendors' and suppliers' networks. Companies' disclosures should be based on the information available to them: "The final Rules generally do not require that [reporting companies] conduct additional inquiries outside of their regular channels of communication with third-party service providers pursuant to those contracts and in accordance with registrants' disclosure controls and procedures." [1]
- The rules for reporting cyber incidents take effect on the later of December 18, 2023, or 90 days after the rules are published in the Federal Register. Smaller reporting companies have an extra 180 days before the rules take effect.