The Securities and Exchange Commission (SEC) adopted final rules on July 26, 2023, that, among other mandates, require public companies to disclose material cybersecurity incidents within four business days of determining an incident’s materiality. The rules also require periodic disclosure in annual reports of cybersecurity risk management, strategy, and governance.
While organizations have previously had an obligation to timely notify shareholders of material developments, exactly when the notification of a cybersecurity incident should take place had not been specified. The new rules provide a clear and direct standard; contact us for help on navigating these rules.
One likely impact of the new rules will be to incentivize companies to proactively bring together professionals from across the technical, financial, legal, and compliance sides of the business before, during, and following an event. Organizations will also be required to make a materiality judgment much earlier in the cyber event incident response process, and to take prompt action for events found to be material. This includes understanding not only if an event is material, but when it crosses the reporting threshold.
Organizations can take actions now in order to be better prepared for the new rules. These include, but are not limited to:
- Bring together key stakeholders. This includes risk management, C-suite executives, and relevant board committees; information security, including both operations and information technology teams; treasury/finance; and legal and compliance. Doing so sets a clear tone of open communication, conscientiousness, and collaboration to confront both internal and external risks. It also helps to ensure alignment on how to integrate the new rules into existing incident response and board governance plans, and investor communications.
- Reassess and test your cyber incident response plan. Build out specific processes for determining the materiality of different types of cyber events that threaten your organization. Include how the processes will be shared with management, disclosure counsel, and others responsible for investor communications. Include how each type of cyber event will be reported to the SEC in a timely fashion, if found to be material. Update your crisis communications strategy and make sure you connect with the appropriate subject matter experts for your organization.
- Measure your organization’s cyber risk exposure in financial terms. This information will help you determine if a cyber event is material to your organization, and will also help in reporting the details of such a material event to the SEC.
- Keep comprehensive records of your incident response plan, processes, management communications, and actions taken to determine when/if a cyber event is material. Investigators may inquire into the timeline of events leading up to the reporting of the material event, so maintaining complete and accurate records can be critical. Shareholders may also seek books and records relating to a company’s materiality determination. This could result in a lawsuit if investors and plaintiffs’ attorneys believe they have a basis to argue that management acted too slowly or miscommunicated with investors.
- Create an extensive record of communication on any cyber risk and cybersecurity challenges. Outside disclosure counsel or in-house lawyers should review all messaging, even when other industries or organizations experience a particular risk factor that has not yet affected your organization. The SEC, and other regulators, along with shareholder plaintiffs, may look to use these communications — or lack thereof — to support allegations of wrongdoing or mismanagement.
- Proactively prepare for upcoming insurance renewals. You may be asked by insurers to answer questions about how your organization is adapting cyber risk and board governance standards to account for the new rules during upcoming cyber insurance and/or directors and officers (D&O) liability policy renewal discussions. Highlight open communication among board, executive, legal, and cyber professionals.
Marsh’s risk advisors are available to help you navigate these rules as you assess what they may mean for your organization. To start your discussion with one of our advisors, reach out to your Marsh broker or contact us below.