In July of this year, the SEC approved new cybersecurity disclosure rules for public companies, titled “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies.” The regulations require companies that are subject to the reporting requirements of the Securities Exchange Act of 1934 to disclose “material” cybersecurity incidents within four business days of determining that a “material” cybersecurity incident has occurred. Alongside specifying details about the nature, scope and timeframe of the incident, these rules also require companies and their boards of directors to articulate their overall assessment and governance of cybersecurity risks.[1]
Just two weeks ago, the SEC charged SolarWinds – and, alarmingly, its Chief Information Security Officer, Timothy Brown – alleging that they defrauded and misled investors about the company’s cybersecurity posture. The SEC alleged that SolarWinds and Brown overstated their cybersecurity practices while downplaying known risks and exploits for several years. The SEC also alleged that SolarWinds and Brown knew of various vulnerabilities but failed both to address them adequately and to disclose them to investors.[2]
The SEC’s charges against SolarWinds highlight a hawkish stance that will likely be applied to the new cybersecurity disclosure rules, and they are a stark reminder to all companies — privately held and publicly traded — to exercise a heightened duty not just in evaluating but in communicating cybersecurity risks.
INSUREtrust recently announced the launch of Cyber Pre-Check, the innovative entryway policyholders are taking to secure better cyber insurance premiums and manage cybersecurity risk. By using this platform to review existing cybersecurity controls, organizations can better understand potential gaps and learn how to supplement those controls with vulnerability scans of their network perimeter, peer benchmarking data, disaster scenario models, and a digital asset inventory. By leveraging INSUREtrust’s digital risk quantification tools in Cyber Pre-Check, organizations can become better equipped to mitigate risks and to communicate cybersecurity risk to their employees, investors, and insurers.
- Will Tschetter is an Assistant Vice President with INSUREtrust.
- Sarah Rugnetta, Partner at Constangy, Brooks, Smith & Prophete, LLP, serves as a vice chair of the Constangy Cyber Team and practices in New York.
- [1] SEC Adopts New Cybersecurity Disclosure Rules, Forbes, July 27, 2023. https://www.forbes.com/sites/betsyatkins/2023/07/27/sec-adopts-new-cybersecurity-disclosure-rules/
- [2] US SEC charges SolarWinds and its CISO for alleged cybersecurity misstatements and controls failures, Norton Rose Fulbright Data Protection Report, November 2023. https://www.dataprotectionreport.com/2023/11/us-sec-charges-solarwinds-and-its-ciso-for-alleged-cybersecurity-misstatements-and-controls-failures/