[BUDGET AMMO] Jeremy King is a partner at Olshan Frome Wolosky. He wrote an article for Bloomberg where he analyzed cyber risk management issues that companies should prioritize in response to new SEC reporting requirements for cybersecurity incidents and threats.
Here is a quick summary; I suggest you send the link to your InfoSec budget holder so that they can assess its importance. Ransomware is a big deal these days.
New SEC cybersecurity rules are putting the heat on public companies to up their game in risk assessment, loss control, and incident reporting. These rules make it mandatory for companies to report significant cybersecurity incidents within four business days through a Form 8-K disclosure. This isn't just paperwork; it's a legal requirement that could put board members and execs in hot water if they don't comply.
Cyber insurance is becoming a must-have, but the new rules are shaking up the market. Companies need to review their insurance programs, especially with the annual reporting requirements kicking in for fiscal years ending after December 15. Fitch Ratings noted that cyber insurance premiums soared from $2 billion in 2018 to over $7 billion in 2022, and rates themselves jumped by 15% in Q4 2022.
So, what should companies do? First, get legal advice to design a solid cybersecurity risk management plan. This plan should cover everything from privacy violations to ransomware attacks. Second, scrutinize your Directors and Officers (D&O) insurance policies. Some might not cover cyber incidents, leaving you exposed. Third, make sure your insurance covers not just direct losses but also third-party incidents, like a vendor getting hacked. Lastly, keep your reporting accurate and consistent to meet SEC requirements.
In short, the new SEC rules mean you've got to be more vigilant than ever. It's not just about having cyber insurance; it's about having the right kind and amount, all while keeping the regulators satisfied. Full article: