New cybersecurity disclosure rules adopted by the Securities and Exchange Commission signal that the federal government takes cybersecurity seriously — and companies should prioritize it, panelists on a recent Lockton webcast said.
In July, the SEC finalized its rule on public company cybersecurity risk management, governance, and incident reporting. Under the new rule, companies listed on U.S. exchanges must disclose — within four days — any material cybersecurity incidents, including information about their nature, scope, timing, and material impact or likelihood of material impact. Public companies are also required to disclose, on an annual basis, information about their risk management strategy along with their processes and governance structures for assessing, identifying, and managing material cybersecurity threats.
“This is a new era for incident response,” said David Navetta, a partner at Cooley. “We will see the light shined on organizations and what’s really going on behind the scenes.”
Readiness and resilience are even more crucial in light of the new rule, as is board oversight. “Boards will need to make sure that they are getting the information they need so they can effectively carry out their oversight function, particularly for those boards or committees that don’t have cybersecurity expertise,” said Asa Henin, special counsel, public companies, at Cooley.
Cyber incident response processes will likely need to evolve in light of the new rule. For public companies, “your first call should be to your breach counsel. Will the second call be to your securities lawyer? My guess is yes,” said Deb Hirschorn, U.S. Cyber & Technology Claims Leader at Lockton. “They have to be part of that chain to respond to a breach now.”
The brighter spotlight on cybersecurity could prompt additional securities litigation from shareholders and contribute to greater regulatory burdens and reputational risk, impacts that will likely not go unnoticed by cyber and directors and officers liability (D&O) underwriters.
Although cyber risk has been a focus of D&O insurers for some time, underwriters are likely to ask more questions during renewal processes given the new rule, said Mark Weintraub, insurance and claims counsel at Lockton. Among other topics, insurers are likely to ask about board composition, processes for informing the board of cyber events, readiness and response plans, revisions to governance processes, and how materiality will be determined, Weintraub said.
Cyber insurers, meanwhile, will likely scrutinize breach costs and incident response plans, and that scrutiny will also carry over to private companies not subject to the new SEC rule. From a cyber underwriter's perspective, “there’s not much of a differentiation between public and private companies” in the eyes of insurers, said Deborah Hirschorn, Lockton’s U.S. cyber & technology claims leader.