CYBER RESILIENCE
The SEC’s New Cybersecurity Rules
Enhancing Transparency And Preparedness
The U.S. Securities and Exchange Commission (SEC) recently implemented new rules, effective December 15, 2023, aimed at enhancing the transparency and reporting of cybersecurity risks for public companies. This significant regulatory change reflects the growing importance of cybersecurity in today’s interconnected world and has implications for both public and private entities.
IMPLICATIONS FOR PRIVATE AND SMALLER COMPANIES
While these rules primarily target publicly listed companies, their implications are not limited to them. The interconnected nature of today’s business world means that even smaller and private companies are part of a complex supply chain that can be impacted by a cybersecurity breach in any part of this chain. This highlights the importance of all companies, whether public or private, familiarizing themselves with these regulations.
MANDATORY INCIDENT REPORTING
One of the most significant aspects of these rules is the requirement for public companies to report material cybersecurity incidents within four business days of identifying them. This tight reporting window poses a challenge, as many cybersecurity incidents, even those involving the theft of personally identifiable information (PII), have historically taken longer to be disclosed. While the aim is to ensure prompt disclosure, it may pressure companies to allocate more resources to breach identification and containment.
DEFINING MATERIALITY
Determining what constitutes a “material” breach remains a point of uncertainty. The SEC has not provided clear criteria, and this lack of clarity may lead to legal challenges and increased defense costs for companies. The determination of materiality could be subject to interpretation by the courts, potentially making it difficult for companies to navigate the reporting process.
GOVERNANCE AND RISK MANAGEMENT DISCLOSURE
IN ADDITION TO INCIDENT REPORTING, COMPANIES ARE NOW REQUIRED TO DISCLOSE THEIR CYBERSECURITY RISK MANAGEMENT AND GOVERNANCE PRACTICES.
This includes details about their processes for assessing, identifying, and managing material cybersecurity risks, as well as the likely effects of a cyber incident on their organization. Companies must also provide insights into their board of directors’ oversight of cybersecurity threats and the role and expertise of management in managing these risks. These disclosures will be part of a company’s annual report on Form 10-K.
FOCUS ON CYBER RESILIENCE
To prepare for compliance and reduce exposure to regulatory action and shareholder suits, companies should consider strengthening their cybersecurity governance and risk management practices. They can establish a special committee within the board dedicated to cybersecurity risk mitigation, breach identification, and reporting. Engaging outside counsel to set up the necessary framework for compliance is also advisable. Ultimately, prevention is the best defense against cyber incidents and potential litigation, so a proactive mindset toward cybersecurity threats is vital.
POTENTIAL FOR LEGAL CHALLENGES
The new reporting rules may result in legal challenges, especially regarding the determination of materiality. Companies may need to navigate complex legal processes, including sanctions checks, compliance, and interactions with regulators and law enforcement, all while determining the materiality of the cyber incident within the four-day reporting window.
In conclusion, the SEC’s new cybersecurity reporting rules have brought significant changes to the way public companies must handle and report cybersecurity incidents and risks. These rules aim to enhance transparency, but they also introduce potential legal and compliance challenges. To navigate these challenges effectively, companies, whether public or private, must invest in robust cybersecurity governance, risk management, and proactive prevention measures. The full impact of these rules on the frequency and severity of cybersecurity-related litigation is yet to be seen, but they mark a significant step forward in addressing the growing importance of cybersecurity in today’s business landscape.
BY: RUSSELL UHRIG, ASSOCIATE ADVISOR, JGS INSURANCE, A BALDWIN RISK PARTNER
Russell Uhrig helps business owners navigate the insurance industry and the complexities of an insurance policy. Working closely with these business owners, he can provide the coverages that best fit the needs of his clients in their industry. Through the process of assisting businesses, Russell can empower business owners to have a deeper understanding of their policies through analysis, provide customer service, and create a service-oriented program.