At the end of July, the U.S. Securities and Exchange Commission (SEC) adopted the Public Company Cybersecurity Disclosures ruling. These new regulations change how and when public companies disclose information about cybersecurity incidents to shareholders. The rules are intended to encourage public companies to be more vigilant about their cybersecurity strategies and to provide investors with more accurate information about their investments.
From an insurance perspective, the new SEC ruling underscores the importance of taking steps that improve a company’s overall risk exposure. According to Anthony Manna, Senior Vice President of Jencap’s Specialty Insurance division and cyber insurance expert, “Companies with comprehensive cyber liability policies are at an advantage when it comes to complying with the new SEC regulations. In addition to coverage, cyber carriers also offer an array of benefits with their policies that help protect a client’s exposure.”
The SEC’s fact sheet for the Public Company Cybersecurity Disclosures ruling provides in-depth details, but here’s a brief summary and explanation of what to expect and how to prepare.
An Overview of Changes
Under these new rules, public companies must disclose a material cybersecurity incident within four days of the incident. “Material incidents” include, for example, situations that affect the organization’s financial position or business operations. Within this disclosure, companies must include specific details about the incident:
- Information about the nature and timing of the cyber incident.
- The impact the incident has on the business.
- Steps the company is taking to address and recover from the incident.
In addition, the SEC now requires public companies to describe their cybersecurity measures in their annual reports and explain how they are managing cyber risks. Although many public companies already provide this information to their shareholders, the new SEC ruling will ensure more consistency in what information is shared and how.
When Does This Go Into Effect?
The requirements for disclosing material incidents go into effect beginning December 18, 2023. The SEC is providing smaller public companies with a 180-day deferral period.
The annual reporting disclosures for companies’ cybersecurity measures and cyber risk management will be required for all public companies for fiscal years ending on or after December 15, 2023.
Start Preparing Now with Cyber Insurance Coverage
Companies with robust cyber liability coverage will have a leg up when it comes to meeting the new Public Company Cybersecurity Disclosures requirements. According to Manna, “Typically, cyber insurance packages include a number of cybersecurity risk management and incident recovery benefits. These services not only help companies proactively protect themselves from cyber risks, but also alert companies to cyberattacks and help them recover more quickly.” For example:
- First-Party Loss Expenses: This includes financial support to cover business interruption losses, data recovery costs, ransomware/extortion losses, and more.
- Security Recommendations: As part of their risk mitigation package, companies are provided with an analysis of their current network security vulnerabilities and given recommendations on where they can improve.
- Security Breach Vulnerability Monitoring and Exposure Management: Rather than just waiting and responding to incidents, insureds are provided with ongoing protective scans that identify a range of cyber exposures.
- 24/7 Managed Security Services and Resource Portals: Cyber liability packages provide access to on-demand security experts who can advise insureds on a breadth of security services.
- Preferred Vendor Recommendations: Carriers connect their insureds with preferred IT vendors who are able to assist in improving security systems and/or appropriately responding to a cybersecurity incident.
Jencap’s specialized cyber brokers provide the knowledge, guidance, and market access that public companies need to protect their businesses and the interests of their shareholders. Contact us today to learn more about our cyber liability coverage solutions and get a quote.