Last month, the US Securities and Exchange Commission (SEC) implemented regulations that mandate public enterprises to divulge any cybersecurity breaches with potential impacts on their financial standings within a four-day window.
Exceptions for postponements exist only when an immediate revelation could result in significant national security or public safety hazards.
The recently instituted regulations, sanctioned through a 3-2 vote along party lines, additionally compel publicly traded corporations to annually reveal details about their management of cybersecurity risks and the proficiency of their executives in this domain. The primary aim is to safeguard the interests of investors.
If a cybersecurity breach disclosure is deemed to carry substantial risks to national security or public safety by the US Attorney General, and this determination is communicated to the SEC in written form, delays in disclosure are permitted. The extension of this delay beyond 60 days would only be conceivable under truly exceptional circumstances.
But what impact will this have on the companies themselves – and what does it mean for the cyber insurance space? As part of our research at Insurtech Insights, we ran a poll – and found that while concerns among experts were voiced, 50% of participants saw the move as a positive regulation that will improve the cyber environment for businesses.
To clarify matters further, we spoke to Bob Wice, Head of Underwriting Management, Cyber Risks, Beazley.
Thank you for joining us today. To start off, could you provide some insights into your current role and expertise in the realm of cyber risks?
Of course, I’d be happy to. I lead the underwriting management team for Cyber Risks at Beazley. I’ve been focusing on cyber risks for more than two decades.
I’ve been with Beazley for 18 years, having previously overseen the underwriting team for cyber risks in the US for about 15 years. In 2020, I transitioned to a global underwriting management role, concentrating on enhancing profitability, growth, and efficiency within the team.
It sounds like you have extensive experience in the field. Over your two decades of involvement, how have you witnessed the landscape of cyber threats and risks evolve?
I’ve seen significant changes in the cyber risk landscape. Cyber insurance has evolved from being an optional purchase to a necessary risk management consideration for organisations of all sizes. This shift is particularly noticeable among public companies facing heightened scrutiny from all stakeholders, including analysts and investors.
Cyber risk management and transferring that risk through insurance policies have become the norm. This contrasts with the past, where even large organisations might not have budgeted for cyber insurance. Nowadays, organisations are focused on explaining their decisions regarding self-insurance, using captives, selecting coverage limits, and analysing risk. This shift has been driven by the increased threats we’ve observed in recent years.
Can you elaborate on the factors that prompted the recent SEC ruling and its implications?
Certainly. The SEC’s recent ruling is the culmination of a trend that has been developing for over a decade. The SEC has been concentrating on providing guidance to publicly traded companies about managing cyber risks and disclosing them to investors and analysts. The prominence of cyber threats as material issues and the overall risk management processes have escalated over time. The decision to implement this ruling didn’t stem from a single incident or breach, but rather from a prolonged effort to enhance corporate governance in terms of cyber risks.
Starting as far back as 2011, the SEC’s Division of Corporate Finance began sharing guidance on how public companies should approach and disclose cyber risks in their financial statements. The importance of cyber risk governance has grown substantially over the last five to ten years and has emerged as a top priority for boards of directors. The ruling aims to standardise and establish a consistent approach to disclosing material cyber incidents, governance surrounding risk management and strategic direction, regardless of the company’s size or structure.
It’s evident that this ruling has been in the works for quite some time. Could you further explain the objectives behind the ruling and the goals the SEC is striving to achieve?
The key objectives of the recent SEC ruling are to ensure uniformity and consistency in how public companies disclose cyber incidents, governance practices, and strategic approaches to cyber risk management. By requiring standardised disclosures, the SEC aims to provide investors, analysts, and the public with a clearer understanding of a company’s risk profile and its readiness to handle cyber threats.
The ruling underscores the importance of timely and transparent communication about material cyber incidents, enabling stakeholders to make informed decisions. By emphasising the involvement of key executives like the Chief Information Security Officer, Chief Information Officer, General Counsel, and CFO, the SEC aims to encourage comprehensive risk management strategies that involve various aspects of an organisation’s leadership. Ultimately, the ruling strives to enhance overall cyber risk governance across the business landscape.
Would you say that the acceleration of digital transformation has played a significant role in the urgency behind these developments?
Yes. The rapid pace of digital transformation has indeed amplified the urgency behind recent developments in cyber risk management. The digital ecosystem has highlighted the critical need for increased transparency and accountability. As organisations embrace digital transformation, it has become evident that cyber threats are not only persistent but have taken on new dimensions.
These threats have highlighted several layers of complexity. For instance, if a company faces business interruption losses due to cyberattacks or system failures, it can directly impact its revenue generation and business plans. Additionally, the collection of data by organisations comes with greater responsibility, particularly given the vulnerabilities exploited by various threat actors.
Interestingly, a significant portion of recent threats doesn’t even originate within a company’s own network but stems from vulnerabilities in third-party software and hardware. This interdependency on external providers can introduce systemic risks, and the absence of available patches for these vulnerabilities can lead to breaches.
Many threat actors are now exploiting common software vulnerabilities that are used universally across organisations. They exploit these vulnerabilities before patches become available, allowing them to infiltrate and move within networks. This includes exploiting weak points like remote access applications that lack multi-factor authentication, often due to the sudden shift to remote work during the pandemic. Phishing attacks also remain a prevalent threat, capitalising on human behaviour and reliance on email communication.
In essence, the digital ecosystem has intensified the challenges by exposing the vulnerabilities within interconnected systems. We’ve come to understand that our interconnectedness also implies mutual accountability, as the security of the entire network relies on the strength of its weakest link.
It’s clear that the interconnected nature of our digital landscape presents both opportunities and vulnerabilities. Could you expand on how these changes are reflected in the recent SEC ruling and its emphasis on disclosing cyber incidents?
The recent SEC ruling reflects the evolving landscape by emphasising the need for standardised disclosures of cyber incidents. It recognises that the digital ecosystem has brought about various threats that require clear and transparent communication. The ruling underscores the importance of promptly and openly communicating material cyber incidents, ensuring that stakeholders, investors, and the public are well-informed.
This emphasis on disclosure extends to vulnerabilities and incidents arising from third-party threats and dependencies, such as software and hardware. Essentially, the SEC wants organisations to report third-party-related vulnerabilities with the same urgency as if their own network had been breached. This recognises the interconnected nature of the digital landscape, where the risks posed by external dependencies can be just as significant as internal vulnerabilities.
The governance aspect of the ruling is crucial as well. It requires organisations to establish effective risk management processes, committees that assess risk profiles, and clear strategic directions for cyber risk management. The objective is to ensure that organisations are well-prepared, with resources allocated for effective risk mitigation strategies. This includes engaging external experts if necessary, while also addressing the additional exposure that comes with third-party partnerships. Ultimately, the ruling aims to foster trust and integrity among stakeholders while providing a framework for organisations to manage the residual risk that cannot be completely eliminated.
In the world of cyber insurance, this also plays a role, as it offers a means to transfer some of the residual risk to insurance policies, providing organisations with financial protection in the event of cyber incidents.
Have you successfully removed the threat actor from your system? What is the potential risk involved? Did your network experience any downtime? Were files subjected to encryption? Was there any unauthorised extraction of data, among various other ongoing concerns? Additionally, you are obligated to make this information public.
This requirement existed before, based on state laws or GDPR, but now, as a publicly traded entity, you face heightened scrutiny under regulations. It seems the SEC’s aim is to establish a standard approach and uniformity in how organisations are mandated to handle such situations.
Could the fact that companies’ breach reports are now publicly accessible affect them negatively by highlighting their vulnerabilities, or could it potentially be beneficial by raising the overall standard of security for everyone?
That’s a great question. There are a couple of layers to that. First off, companies are already aware that they need to report their breaches if they’re material. So, theoretically, this shouldn’t change much in terms of how organisations behave. They’re still going to do everything they can to prevent breaches from happening in the first place.
At the same time, I don’t necessarily think that there’s going to be a groundswell of companies disclosing their breaches just because they’re now required to do so. I think most companies were already disclosing their breaches anyway, either because they were legally required to do so or because they wanted to be transparent with their customers.
However, I do think that this new requirement could have a positive impact on smaller publicly traded companies. Smaller companies may not have the same resources as larger companies to invest in cybersecurity, but if they know that they’re required to disclose any breaches, they may be more likely to invest in the necessary security measures to prevent them from happening in the first place.
Overall, I think this new requirement is a favourable development in that it will help to hold companies accountable for their cybersecurity practices and improve the overall security posture of the economy.
It sounds like this requirement could have a positive impact on smaller companies, especially if it helps them to improve their cybersecurity practices.
Exactly. I think it’s important to remember that not all publicly traded companies are the same. While large organisations have a very mature cybersecurity program in place, smaller publicly traded entities may not have the same level of security expertise. This new requirement could help to level the playing field and ensure that all publicly traded companies are taking cybersecurity seriously.
In light of the additional pressure on companies to enhance their cyber management, what key strategies would you recommend if someone approached you seeking guidance on aligning their company and addressing this issue? What would be the essential three or four aspects that you would consider as non-negotiable?
There are a few key strategies that I would advise for companies to tighten up their cyber management in light of the new SEC rule.
First, it’s important to have strong governance in place. This means that the company’s leadership needs to be aware of the cyber risks facing the organisation and to have a plan in place to mitigate those risks. The board of directors should also be actively involved in overseeing the company’s cyber security program.
Second, companies need to have a comprehensive incident response plan. This plan should outline the steps that the company will take in the event of a cyber incident, such as how to identify the incident, how to contain the damage, and how to notify affected parties. The plan should also be regularly tested and updated to ensure that it is effective.
Third, companies need to manage their third-party risks. This means that they need to carefully vet the third-party vendors that they work with and to ensure that those vendors have adequate cyber security measures in place. Companies should also have a process in place to monitor their third-party vendors for any signs of security problems.
Finally, companies need to invest in training their employees on cyber security best practices. This training should cover topics such as how to identify and avoid phishing emails, how to create strong passwords, and how to protect sensitive data. I would say that these four strategies are absolutely non-negotiable for companies that want to tighten up their cyber management in light of the new SEC rule.
How do you think insurance companies will be impacted by this ruling? Does it represent the risk of premium rises and losses through additional claims?
It’s possible that insurance companies could be impacted by this ruling. If there is a significant increase in the number of data breaches, then insurance companies could see an increase in claims. This could lead to higher premiums for cyber insurance. Additionally, if insurance companies are found to be liable for losses that are caused by a company’s failure to comply with the new SEC rule, then they could face additional losses.
However, it’s also possible that the impact on insurance companies will be minimal. If companies take steps to comply with the new rule, then the number of data breaches could actually decrease. This could lead to lower premiums for cyber insurance. Additionally, if insurance companies are able to successfully defend themselves against lawsuits, then they could avoid significant losses.
Ultimately, the impact of the new SEC rule on insurance companies will depend on a number of factors, including the number of data breaches that occur, the extent to which companies comply with the rule, and the success of insurance companies in defending themselves against lawsuits.
You mentioned that the four-day disclosure period starts from when you discover the breach and determine it to be material. What happens if you go over that four-day time period and the breach has been going on for a week or two weeks or even several months?
That’s a great question. The four-day disclosure period is a hard deadline. So if you discover a material breach and you don’t disclose it within four days, you could be in violation of the SEC rule. This could lead to fines, penalties and significant costs to defend against class action lawsuits.
In some cases, it may be difficult to determine when a breach was first discovered. For example, if a bad actor has been on your system for weeks or months without being detected, it may be hard to say when they actually gained access to your data. In these cases, the SEC may be willing to give you some leeway, but it’s important to err on the side of caution and disclose the breach as soon as possible.
It’s also important to note that the four-day disclosure period only applies to material breaches. This means that you don’t have to disclose every single security incident that happens to your company. However, if a breach is likely to have a significant impact on your business, such as a loss of customer data or financial information, then it will more likely be considered material and must be disclosed within four days.
What impact do you think this ruling will have, say five years from now? And do you see it as having a lot of positives or some negatives on balance for the insurance industry?
I think this ruling will have a significant impact on the way that publicly traded companies manage their cyber risk. It will force companies to be more transparent about their security posture and to take steps to mitigate the risk of data breaches. This could lead to an overall improvement in the security of the financial industry.
In the short term, there may be some negative impacts on the insurance industry. If organisations are able to procure cyber insurance without demonstrating comprehensive cyber risk management policies and procedures, losses may increase, leading to increased volatility in the cyber insurance market. Again, this could lead to higher premiums for cyber insurance. Additionally, companies that fail to comply with the SEC rule could be sued by shareholders or regulators. This could lead to additional costs for insurance companies.
However, I believe that the long-term impacts of this ruling will be positive for the insurance industry. As companies become more aware of the risks of cyber attacks, they will be more likely to purchase cyber insurance. This will create new opportunities for insurance companies to grow their businesses. Additionally, as organisations improve their security posture, they will be less likely to experience data breaches. This will reduce the number of claims that insurance companies have to pay out.
Overall, I believe that this ruling will be a positive development for the insurance industry. It will force companies to take cyber risk more seriously and it will create new opportunities for insurance companies to grow their businesses.
That’s an interesting point given that we tend to have companies staying private for longer right now.
Yes. I think this ruling could lead to even more companies staying private because if publicly traded companies are subject to more scrutiny, it may be more attractive for companies to delay or forgo an IPO.
However, I also think that this ruling could lead to more innovation in the financial industry. As companies strive to comply with the SEC rule, they will be forced to develop new and innovative security solutions. This could lead to a more secure financial system overall.
It will be interesting to see how this ruling plays out in the years to come. I believe that it has the potential to have both positive and negative impacts on the financial industry. Only time will tell.
Interview by Joanna England
Joanna England is an award-winning journalist and the Editor-in-Chief for Insurtech Insights. She has worked for 25 years in both the consumer and business space, and also spent 15 years in the Middle East, on national newspapers as well as leading events and lifestyle publications. Prior to Insurtech Insights, Joanna was the Editor-in-Chief for Fintech Magazine and Insurtech Digital. She was also listed by MPVR as one of the Top 30 journalists in Fintech and Insurtech in 2023.