As public companies’ reliance on remote work, cloud computing and digital payments increases, so too does their cybersecurity risk. Recognizing this, the SEC finalized rules and regulations in September 2023 requiring new cybersecurity-related disclosures from public companies. In earlier efforts to improve the consistency and accuracy of public company cybersecurity risk disclosures, the SEC issued interpretive guidance explaining how cybersecurity risk and incidents should be communicated under the longstanding requirement to disclose material information periodically to shareholders. In the SEC’s view, however, corporate disclosure practices remained inconsistent: under-disclosure persisted, and investors lacked comparable information with which to evaluate public companies’ cybersecurity risk.
The SEC now requires enhanced and standardized cybersecurity risk disclosures for all periodic SEC filers, including foreign private issuers and smaller reporting companies. Public companies must disclose certain cybersecurity incidents, as well as information about cybersecurity risk management, strategy and governance.
Read on to learn about the potential exposure public companies face and how that exposure fits within the framework of a company’s D&O and cyber insurance programs. How can a company ensure its insurance policies will appropriately protect its balance sheet and its directors and officers from potential SEC investigations and shareholder litigation?