The Securities and Exchange Commission (SEC) is set to release new rules that will significantly impact the way publicly traded companies manage and disclose cybersecurity incidents to their shareholders.
Cybersecurity incidents have proliferated across the business landscape in recent years and can materially impact business operations, profitability, and overall shareholder value. But until now, there haven’t been strict guidelines around how publicly traded companies must report these incidents to their shareholders. Expected to be announced in April 2023, these new SEC rules are intended to give shareholders immediate visibility into these incidents and how they may affect the company.
Concurrently, we suspect the new regulations will also open up company leadership and board members to additional scrutiny. Not only will leadership need to firm up their incident reporting processes, they’ll also need to protect themselves from lawsuits that may arise in the event of any allegations of inadvertent material misrepresentation during the event disclosure process.
Expected Rule Changes
While not finalized yet, the new SEC rules will likely require all publicly traded companies to take several new steps when it comes to incident reporting. Here are a few new rules we expect the SEC to include in its final draft:
How to Prepare and Protect Your Business
With these new rules set to take effect this year, all publicly traded companies will need to consider how they will comply. Here are three ways every public company can prepare:
1. Create a robust cyber response plan: Considering the tight timeframe to file a report, it is critical that businesses have a robust cyber response plan in place before a cyber event occurs. Doing so can make all the difference when disaster strikes. Business leaders must make sure they can access these policies if their computer network is down. Communication is also key, and company leaders must ensure all legal, tech support, and investor relations teams are informed. Practicing this response plan can help limit the scope of the damage once an attack is detected and speed up the assessment and disclosure processes.
2. Protect leadership with D&O coverage: These new rules will inevitably open companies up to potential lawsuits if shareholders believe the company has made material misrepresentations about the incident and its impact on company performance. Executives will want to reassess and possibly firm up their D&O liability insurance policies to ensure they’re properly protected from these new risks.
3. Keep records in privilege: If a cyber event is detected, company leadership should keep all records on the facts needed for the materiality test in privilege with their attorneys. Not only will organizing these records be useful during any potential investigation down the line, keeping this information privileged will allow companies to better control the narrative.
An Experienced Broker Can Help
At Conner Strong & Buckelew, we’ve been following the SEC cyber disclosure rules closely and fully understand their implications for publicly traded companies. Not only can we help your business prepare, we can assist with setting up cyber response plans as well as reviewing your D&O coverage to ensure your executives are fully protected from potential lawsuits. With the new rules expected to take effect later this year, it is important not to delay. Reach out today to begin reviewing your policies and ensure your company is ready for these new regulations.
Kayla Cecchine
Senior Account Manager