On the heels of the SEC announcing back in March a package of policies designed to protect the financial system against cyber incidents, the commission adopted rules on July 26 requiring all public companies to disclose all cyber security breaches within four days after a registrant determines that a cybersecurity incident is material. The disclosure may be delayed up to 60 days if the United States Attorney General determines that immediate disclosure poses a substantial risk to national security or public safety. Specifically, the rules require these companies to disclose the nature, scope and timing of the incident, as well as its likely material impact on their organization.
Further, companies will be obligated to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats and disclose this, along with information about ongoing or completed remediation efforts, in their annual 10-K filing.
These rules were first proposed in March of 2022, when the SEC determined that breaches of corporate networks posed an escalating risk as the digitization of operations and remote work increased — and the cost to investors from cybersecurity incidents rose.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said in a statement, noting the current inconsistency in disclosures. Further, according to Lesley Ritter, senior VP at Moody’s, the rules will add more transparency and hopefully lead to improvements in cyber security defenses.
Managing cyber-related vulnerabilities should be part of the operational resilience strategy of every organization, whether publicly traded or not. Preparing in advance is one of the best ways to reduce the cost of dealing with a major cyber incident. WTW can assist you in tailoring a cyber risk management solution and coverage to suit your risk profile and business needs and advise you on how to avoid running afoul of the SEC’s new rules. Additionally, the Cyber Risk Solutions Team can provide tailored consulting services (including C-Suite and Board-level projects) that address the updated SEC rules and strengthen organizational cyber risk resilience.
Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed subsidiaries of Willis North America Inc., including Willis Towers Watson Northeast Inc. (in the United States) and Willis Canada, Inc.
Relevant Experience/Specialization
Jason Krauss joined Willis Towers Watson in 2016 as a Cyber/E&O Thought and Product Coverage Leader. Jason is a resource on the FINEX North America Cyber/Tech E&O brokerage team, providing dedicated analytical support to the brokers on specific national accounts coupled with thought leadership and developing improved capabilities for the entire team.
Prior to joining WTW, Jason was with Arch Insurance Group for 12 years, where he served as an Assistant Vice President in Enterprise Product Development within the Corporate Underwriting Department and worked closely with underwriters in drafting policies and endorsements. While at Arch, Jason focused on a number of products including Cyber, D&O, EPL and Professional Liability including lawyers, real estate professionals, accountants, captive agents, broker dealers, and architects and engineers. Before joining Product Development at Arch, Jason managed a claims team in adjusting professional liability claims.