image

SEC Update: New Cybersecurity Disclosure Rules

Cyber risks are skyrocketing. A recent IBM breach report revealed that 83% of organizations experienced more than one data breach in 2022. The severity of the situation continues to be evident in 2023 with the public disclosure of at least 310 cyber incidents in the first quarter of the year alone.

 

A cyber incident can hurt a company’s stock price, especially immediately following the event. Research shows publicly traded companies saw an average drop of 7.5% in their stock price following a data breach combined with a mean market cap loss of $5.4 billion. Adding to the concern is the fact that it took an average of 46 days for companies’ stock prices to recover to pre-breach levels if they were able to bounce back at all. Although stock price fluctuations may be easy for some companies to manage, the lasting impact of cyber incidents are becoming more apparent.5

On July 26, 2023, the Securities and Exchange Commission (SEC) voted to adopt new rules on cybersecurity disclosures. These new rules are intended to help investors make informed decisions by providing them with more information about the cybersecurity risks facing public companies. The rules also aim to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies subject to the reporting requirements of the Securities Exchange Act of 1934, including foreign private issuers.

Specifically, amendments have been adopted that require current disclosure about material cybersecurity incidents. Public companies will have to disclose a cybersecurity incident within four business days of determining that the incident is material, meaning it is anticipated to have a substantial impact on the company's financial condition, operations, or business.1

The SEC monitors more than 28,000 entities in the securities industry, including investment advisers, broker-dealers, and securities exchanges.2

KEY REQUIREMENTS OF THE NEW DISCLOSURE RULES

Form 8-K Trigger & Materiality

The new rules add Item 1.05 to Form 8-K, which requires that a material cybersecurity incident be disclosed within four business days after a materiality determination is made. Form 8-K instructions iterate that materiality determinations must be completed “without unreasonable delay” after a cybersecurity incident is discovered. The SEC has indicated that adhering to standard internal practices as well as disclosure controls and procedures is sufficient to demonstrate good faith compliance.

The analysis for the materiality of cybersecurity incidents mirrors the materiality analysis for other securities laws. Such analysis should consider both qualitative and quantitative factors when assessing materiality. A cybersecurity incident is intended to be broadly defined and includes “a series of related unauthorized occurrences.” This means it’s possible that Item 1.05 could be triggered by a series of related occurrences that are material when considered together. 1

REQUIRED DISCLOSURE

If disclosure of a cybersecurity event is required, a company must then share material information around the timing, nature, and scope of the incident as well as the actual or reasonability anticipated impact on the company, including its operations and finances. However, companies don’t have to disclose technical or specific information about the planned response in granular detail that would slow their response to, or remediation of, the cyber incident.1

The SEC oversees around $115 trillion in securities trading on U.S. equity markets each year.2

DELAYS DUE TO NATIONAL SECURITY OR PUBLIC SAFETY RISKS

Disclosure of a material incident may be delayed by up to 30 days if the U.S. Attorney General determines that disclosing the event would pose a significant risk to either public safety or national security. If at the end of that extension, disclosure still poses a substantial risk, it may be delayed for up to an additional 30 days. In extraordinary circumstances, such as when an event poses a risk to national security, disclosure may be delayed for a final period of no more than 60 days. However, it’s unclear what processes the U.S. Department of Justice will utilize to review delayed disclosure requests.1

UPDATING DISCLOSURES

If information required to be disclosed is undetermined or unavailable at the time of filing, companies must indicate what information is missing from the initial disclosure and file an amendment to Form 8-K within four business days after the information does become available. Companies may also have to amend a prior disclosure that they later determine was untrue or materially inaccurate at the time of filing.1

CYBERSECURITY RISK MANAGEMENT, STRATEGY & GOVERNANCE DISCLOSURE

The SEC is also adopting rules requiring regular disclosures regarding a company’s processes used to identify, assess, and manage material cybersecurity risks. Periodic disclosure is also required around management’s role in assessing and managing material cybersecurity risks as well as the board of directors’ oversight of cybersecurity risks. Finally, the rules require that cybersecurity disclosures be presented in Inline eXtensible Business Reporting Language (“Inline XBRL”).

RISK MANAGEMENT

Regulation S-K Item 106(b) requires companies to provide a description of their processes for identifying, assessing, and managing material risks from cybersecurity threats in such a way that a reasonable investor is able to understand those processes. The following is a nonexclusive list of potential disclosure items:

  • If and how processes described are integrated into the overarching risk management system or processes.
  • If the organization utilizes consultants, auditors, or others in connection with described processes.
  • Whether the company employs processes to identify material risks from cybersecurity threats associated with the use of third-party services.1

The SEC took 697 enforcement actions against corporations in FY 2021 and collected $3.85B in penalties.4

GOVERNANCE

Regulation S-K Item 106(c) requires companies to disclose information about the board and management’s cybersecurity roles including:

  • Board oversight of cybersecurity risks and any board committee responsible for oversight.
  • Processes for informing the board or committee about such risks.

Organizations must also outline management’s role in assessing and managing material cybersecurity risks. The following is a nonexclusive list of potential disclosure items:

  • Management positions or committees responsible for assessing and managing cybersecurity risks and the relevant expertise of individuals in enough detail to fully describe the nature of the expertise.
  • Processes used to inform management or committees about and monitor cybersecurity incidents, including prevention, detection, mitigation, and remediation.
  • If individuals or committees report cybersecurity risk information to the board of directors or another board committee or subcommittee.1

DISCLOSURE BY FOREIGN PRIVATE ISSUERS

Form 20-F amendments outline disclosure requirements for foreign private issuers that parallel those that apply to domestic issuers in Regulation S-K Item 106. Form 6-K amendments also mirror those for domestic issuers in Form 8-K Item 1.05, requiring foreign private issuers to provide Form 6-K information about material cybersecurity incidents that issuers disclose or publicize in a foreign jurisdiction to any stock exchange or security holders.1

COMPLIANCE TIMELINE

Companies other than smaller reporting companies are required to begin complying with current material cybersecurity incident reporting on Form 8-K or Form 6-K, as applicable on the later of 90 days after the date of publication of the final rules in the Federal Register or December 18, 2023. Those considered smaller reporting companies have an additional 180 days to comply and must begin Form 8-K reporting of material cybersecurity incidents on the later of 270 days from the effective date of the rules or June 15, 2024.

Organizations must include cybersecurity risk management, strategy, and governance disclosures in annual reports for all fiscal years ending on or after December 15, 2023. However, companies have an additional year after the initial compliance dates for tagging the disclosure using Inline XBRL.1

In FY 2022, SEC Investment Management staff reviewed more than 2,100 filings related to more than 4,900 funds and insurance products.3

INSURANCE IMPLICATIONS

Company boards of directors should begin preparing now to ensure that their organizations are in compliance with the new SEC rules. Companies that fail to comply with the new cybersecurity disclosure rules could face a number of consequences, including SEC enforcement actions, investor lawsuits, and considerable damage to the company's reputation.1 Agents and insureds should be aware of the following:

  • Cyber carriers can become aware of unreported incidents via the SEC required disclosures.
  • There is a possibility of regulatory claims if an insured reports an incident and extortion demands were paid to a sanctioned entity, but law enforcement wasn’t engaged.
  • This rule also raises the possibility of D&O claims if there is no board oversight of cybersecurity risk assessment and management, should a material incident occur

BOTTOM LINE

Cyber risk continues to be a top concern for businesses in all industries, and board members have a massive amount of regulatory oversight to absorb and implement in order to achieve compliance. The new SEC rules requiring more disclosure, will likely also result in a greater potential for claims and litigation.4 Agents and insureds would be wise to partner with wholesale insurance brokers well-versed in the new SEC rules and an extensive background in mitigating associated exposures with the right insurance coverages. Reach out to your local CRC Group Producer today for more information.

CONTRIBUTORS

  • Jason White is the Managing Director & National Practice Leader for CRC Group’s ExecPro Practice Group.

END NOTES

  1. SEC Adopts New Cybersecurity Disclosure Rules, Forbes, July 27, 2023. https://www.forbes.com/sites/betsyatkins/2023/07/27/sec-adopts-new-cybersecurity-disclosure-rules/?sh=6936d480bf2b
  2. What We Do, U.S. SEC, 2023. https://www.sec.gov/about/what-we-do#:~:text=We%20monitor%20the%20activities%20 of,%2Ddealers%2C%20and%20securities%20exchanges.
  3. Fiscal Year 2022 Agency Financial Report, U.S. SEC. https://www.sec.gov/files/sec-2022-agency-financial-report.pdf#chairmessage
  4. New SEC Disclosure Rules May Drive Up D&O Claims, Insurance Journal, November 10, 2022. https://www.insurancejournal.com/news/national/2022/11/10/694696.htm
  5. The Devastating Business Impacts of a Cyber Breach, Harvard Business Review, May 4, 2023. https://hbr.org/2023/05/the-devastating-business-impacts-of-a-cyber-breach