The SEC public company cyber disclosure rule raises issues that companies should consider in reviewing existing insurance coverage and in assessing overall risk.
The SEC recently adopted a new cybersecurity disclosure rule (the “SEC Cyber Disclosure Rule”)[1] in response to increasing risks associated with cyber incidents and a perceived need for investors to receive more fulsome corporate disclosures about cybersecurity risks, governance, and material incidents. In prior efforts to improve the consistency and accuracy of public company cybersecurity risk disclosures, the SEC issued interpretive guidance explaining how cybersecurity risks and incidents should be communicated based on long-standing requirements to periodically, and as needed, disclose material information to shareholders.[2] But in spite of this guidance, in the SEC’s view, corporate disclosure practices remained inconsistent, under-disclosure persisted, and investors lacked consistent information by which they could evaluate public companies’ cybersecurity risk. In July 2023, the SEC adopted the SEC Cyber Disclosure Rule, which, among other things, mandated new disclosures, and which became effective in December 2023.