The SEC’s Proposed Cybersecurity Rules – Do Enhanced Obligations Need Enhanced Insurance?
31 March 2022
The Securities and Exchange Commission (SEC) announced on 9 March 2022 proposed rule changes, to enhance and standardise disclosures around cybersecurity risk management and incident reporting. This is just the latest in a number of SEC releases, with the SEC’s Chair announcing in January 2022 that the SEC was focused on expanding its oversight around cybersecurity and considering a range of new rules and guidance.
The rules remain in draft, but if adopted the proposals will have a significant impact on the asset management industry. In this note we consider the potential insurance implications both of these changes, and similar regulatory interventions elsewhere.
What has the SEC said?
The SEC Chair, Gary Gensler, indicated that the most recent proposals are intended to ensure that investment advisers and public funds provide cybersecurity disclosures “in a consistent, comparable and decision-useful manner”. The amendments would require periodic reporting of:
- current updates about previously reported cybersecurity incidents;
- policies and procedures in place to identify and manage cybersecurity risks;
- board level oversight of cybersecurity risk, and their cybersecurity expertise; and
- management’s role and expertise in managing cybersecurity risk and implementing cybersecurity policies and procedures.
The detailed accompanying rules also modify existing Form 8-K reporting requirements, to include reporting of material cybersecurity incidents to the SEC within four business days. This applies once the incident is determined as material, so not necessarily from the point of first discovery – although the rules include a non-exhaustive list of events that may trigger disclosure. The aim of this is to better inform investors about public companies’ risk management, strategy and governance, and to improve incident reporting.
This supplements earlier SEC releases and proposed rules from February 2022, which focused on SEC registered investment advisers, investment companies and business development companies. There the SEC proposed to require covered entities to adopt policies and procedures to address cybersecurity risks, to report significant incidents to the SEC within 48 hours of discovery, and to provide enhanced disclosure and books and records maintenance around cybersecurity risks and incidents.
What’s the Impact?
If adopted, the series of SEC proposals will require a very significant increase in focus by regulated entities on cybersecurity. The reporting and disclosure requirements go well beyond those currently in place, which are mainly focused on breaches of personally identifiable information. A dissenting SEC Commissioner has argued that the changes “embody an unprecedented micromanagement by the Commission of the composition and functioning of both the boards of directors and management of public companies”. Regulated entities will need to develop appropriate cybersecurity policies and procedures, which is sensible. However the Commissioner’s view is that this should be left to the corporate management who know the business best, rather than dictated by the SEC via certain preferred approaches set out in the proposals.
The proposals would also require companies to report cyber incidents to the SEC in a shorter timeframe than required under data privacy regulations such as GDPR (72 hours). This work is needed in the midst of responding to the cyber incident itself, and potentially before the actual materiality of the incident can be properly assessed. This rule change, in particular, is therefore likely to present a practical challenge.
The SEC proposals also reflect a general regulatory trend towards focus on cyber risk management and disclosures. The FCA has been similarly focused on proposals to ensure operational resilience in the financial sector, with new rules and guidance coming into effect on 31 March 2022.
What’s the insurance position?
Ultimately, the SEC proposals enhance reporting requirements which are pre-existing. This may increase the risk of reporting failures, and so of regulatory investigations or third party claims. However it shouldn’t inherently change the nature of insurance cover needed. Good cover should already respond in those circumstances. Two areas, however, where additional focus may be needed are:
- The benefits of cyber insurance – a cyber policy is an increasingly frequent purchase, given heightened awareness of risks around data breaches, ransomware attacks and other cyber incidents. However it may now also be considered as a protective measure from a regulatory and market standpoint. Having a cyber policy in place can form part of regulated firms’ response to the SEC proposals, evidencing management of cybersecurity risks and ability to access relevant expertise.
- ‘Silent cyber’ – this is the term used to describe potential cyber exposures within traditional property or liability insurance policies, where cyber coverage is neither explicitly excluded nor clearly included. The Prudential Regulatory Authority and Lloyd’s have required insurers to put into action plans to reduce these unintended or unclear exposures. As a result, insurers have taken steps to exclude or affirm cyber cover in professional indemnity policies, particularly via model clauses developed by the Lloyd’s Market Association (LMA). The base LMA forms exclude cover for regulatory investigations arising from certain cyber incidents. They may therefore operate to restrict cover if there is an SEC investigation following delayed reporting of an incident, for example. However terms do vary, so it will be important for firms to consider the implications under their own insurance cover.
There is an ongoing and inevitable regulatory shift towards a focus on cyber risk management, operational resilience, and improved market disclosures. The SEC is now at the forefront, and their proposals will place an additional burden on regulated entities. That should not, however, translate into a significant additional burden on their insurance purchasing – save for assessing the ‘silent cyber’ position. Indeed, obtaining cyber insurance may be one route to complying with the SEC requirements.