The U.S. Securities and Exchange Commission (SEC) has implemented rules to enhance cybersecurity disclosures for public companies [1] [2] [3] [4] [7] [8]. These rules require public companies to disclose information in three categories: cybersecurity risk management [1], cybersecurity governance [1] [5] [7], and cybersecurity incident reporting [1] [2] [4] [5] [6] [7].
Description
Public companies are now obligated to disclose how they assess, identify, and manage material cybersecurity risks [1] [4] [5]. They must also describe the board's oversight of cybersecurity risks [2]. Additionally, public companies are required to disclose any material cybersecurity incidents within four days of determining their materiality [1].
These new rules increase public companies' exposure and may lead to an increase in lawsuits related to cybersecurity incidents [1]. Directors and officers (D&Os) may face claims alleging breach of duty or failure of oversight [1], so it is important to review D&O insurance policies for coverage. Cyber insurance policies may also be affected [1], with insurers adopting more stringent underwriting practices [1].
Public companies should be meticulous in filling out cyber insurance applications and ensure their policies provide coverage for the increased exposures resulting from the new rules [1].
Conclusion
The implementation of these rules has significant implications. Public companies need to be aware of the increased exposure and the potential legal claims they may face. Directors and officers should review their insurance policies for coverage, and public companies should carefully fill out cyber insurance applications. Insurers are likely to adopt stricter underwriting practices, so it is important to be prepared for potential changes in coverage.
References
[1] https://www.lexology.com/library/detail.aspx?g=a4756acb-a255-4a27-9ea6-67dae36e741c
[2] https://www.lexology.com/library/detail.aspx?g=ba3642d0-d0e5-41e9-a802-81372d6e7fca
[3] https://www.cybersecuritydive.com/news/sec-cyber-disclosure-rules-enforcement-timeline/692446/
[4] https://mlinkscyberconsult.ghost.io/sec-adopts-new-rules-on-cybersecurity-risk-management-governance-and-incident-disclosure-by-public-companies/
[5] https://www.gibsondunn.com/sec-proposes-rules-on-cybersecurity-disclosure/
[6] https://www.reuters.com/practical-law-the-journal/transactional/sec-cybersecurity-disclosure-rules-2023-09-01/
[7] https://www.natlawreview.com/article/sec-proposes-new-cybersecurity-rules-public-companies
[8] https://siliconangle.com/2023/08/31/cybersecurity-compliance-companies-need-know-new-sec-rules-googlecloudnext/