The U.S. Securities and Exchange Commission (SEC) has issued its new cybersecurity rule, which aims to enhance transparency and accountability in managing cyber risks. The rule requires businesses to promptly report any material cyber breaches within four business days. Additionally, companies are obligated to disclose their processes for managing cybersecurity risks. The SEC asserts this will ensure that investors and the public are informed about potential threats to business operations and sensitive data.
One challenge is that the rule does not define what constitutes a “material” cyber breach. Businesses will therefore have to make their own determination of materiality, which could lead to inconsistent reporting and enforcement. Additionally, the rule does not specify the type of information that must be disclosed in a material cyber breach report. This could lead to businesses disclosing too much or too little information, which could also impact insurance coverage. Disclosure also opens firms up to litigation, including class action suits.
The new cybersecurity rule has significant implications for cyber insurance policies. Failure to comply with the SEC’s reporting requirements may result in coverage exclusions, leaving businesses exposed to financial loss in the event of a cyber breach. Insurers are likely to scrutinize a company’s compliance record when underwriting policies, potentially leading to higher premiums for non-compliant businesses.
Businesses will face challenges complying with a cybersecurity rule issued by the U.S. Securities and Exchange Commission late last month that gives them just four business days to report material cyber breaches, experts say.
Source: SEC cyber reporting rule presents compliance, insurance complexities – Business Insurance