3 Ways Public Companies Can Prepare for New SEC Cyber Incident Disclosure Rules

January 25, 2023

By Kayla Cecchine

The Securities and Exchange Commission (SEC) is set to release new rules that will significantly impact the way publicly traded companies manage and disclose cybersecurity incidents to their shareholders.

Cybersecurity incidents have proliferated across the business landscape in recent years and can materially impact business operations, profitability, and overall shareholder value. But until now, there haven’t been strict guidelines around how publicly traded companies must report these incidents to their shareholders. Expected to be announced in April 2023, these new SEC rules are intended to give shareholders immediate visibility into these incidents and how they may affect the company.

Concurrently, we suspect the new regulations will also open up company leadership and board members to additional scrutiny. Not only will leadership need to firm up their incident reporting processes, they’ll also need to protect themselves from lawsuits that may arise in the event of any allegations of inadvertent material misrepresentation during the event disclosure process.

Expected Rule Changes

While not finalized yet, the new SEC rules will likely require all publicly traded companies to take several new steps when it comes to incident reporting. Here are a few new rules we expect the SEC to include in its final draft:

  • When to report: Companies will be required to disclose a cyber incident in a Form 8-K four days after learning of the incident and determining its materiality. This four-day window will begin after the company determines the incident to be “material.” It is suspected that the SEC will rely on previously established precedent for the definition of “material,” which public companies are certainly already familiar with.
  • What to report: In the initial disclosure, companies will need to report when the event was first discovered, a description of the event, and the effect of the incident on the company’s operations. The business will also need to disclose whether the situation has been rectified or is currently being remediated.
  • Duty to update: A company’s responsibility to inform shareholders about the incident does not end with this initial disclosure. Companies will be obligated to provide updates in amended Form 8-Ks if new details emerge or the facts change.
  • No expectations for investigations: This duty to inform shareholders applies even if there is an ongoing internal or federal investigation into the matter that could be jeopardized.

How to Prepare and Protect Your Business

With these new rules set to take effect this year, all publicly traded companies will need to consider how they will comply. Here are three ways every public company can prepare:

1. Create a robust cyber response plan: Considering the tight timeframe to file a report, it is critical businesses have a robust cyber response plan in place before a cyber event occurs. Doing so can make all the difference when disaster strikes. Business leaders must make sure they can access these policies if their computer network is down. Communication is also key and company leaders must ensure all legal, tech support, and investor relations teams are informed. Practicing this response plan can help limit the scope of the damage once an attack is detected and speed up the assessment and disclosure processes.

2. Protect leadership with D&O coverage: These new rules will inevitably open companies up to potential lawsuits if shareholders believe the company has made material misrepresentations about the incident and its impact on company performance. Executives will want to reassess and possibly firm up their D&O liability insurance policies to ensure they’re properly protected from these new risks.

3. Keep records in privilege: If a cyber event is detected, company leadership should keep all records on the facts needed for the materiality test in privilege with their attorneys. Not only will organizing these records be useful during any potential investigation down the line, keeping this information privileged will allow companies to better control the narrative.

An Experienced Broker Can Help

At Conner Strong & Buckelew, we’ve been following the SEC cyber disclosure rules closely and fully understand their implications for publicly traded companies. Not only can we help your business prepare, we can assist with setting up cyber response plans as well as reviewing your D&O coverage to ensure your executives are fully protected from potential lawsuits. With the new rules expected to take effect later this year, it is important not to delay. Reach out today to begin reviewing your policies and ensure your company is ready for these new regulations.

Click Here for a Printable Download hbspt.cta.load(4987031, ‘3f77243b-42f4-4e7b-a563-07c781c172df’, {“useNewLoader”:”true”,”region”:”na1″});


Cyber Risk, Risk Management

Kayla Cecchine

Senior Account Manager