Investors are no longer impressed with financial figures alone. They demand information from companies about the ecological and social impact of their business model. In addition to sustainable corporate development, they also focus on the management of cyber risks.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” explained Gary Gensler, Chairman of the US Securities and Exchange Commission (SEC). This is why regulators who have traditionally focused on financial governance have broadened their reach into network security with the “Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure” rules, which came into force in mid-December 2023. Listed companies registered with the SEC are now required to disclose information about their cyber risk management and to report “material cybersecurity incidents.”
We explain what this means in detail below:
What does the SEC's Cyber regulation provide?
With the new regulation, the SEC equates the level of information available to investors and other external stakeholders with that of management, so that there is no unwarranted advantage in favour of management – such as with purchases and sales of company stock. Therefore, companies must now report a cyber incident – its type, scope and timing – within four business days. The clock starts to run once the incident is assessed as “material” by the company.
Once this assessment has been made, the affected company must report the cyber incident to the SEC using Form 8-K, which already exists for disclosures of material adverse events. For this purpose, Form 8-K was given the additional Item 1.05: Material Cybersecurity Incidents.
The notification can only be delayed if the US Attorney General determines that disclosure of the attack would pose a significant risk to national security or public safety. The assessment must be provided in writing to the SEC.
The new requirements also apply to Foreign Private Issuers (FPIs), which must report cyber incidents on Form 6-K. At the same time, the SEC requires the companies concerned to provide annual information on their cybersecurity (for US companies: Form 10-K; for FPIs: Form 20-F).
How can companies determine if a cyber event is material?
The SEC defines a material incident as a matter which “a reasonable shareholder would consider important in making an investment decision.” This means that a material cyber incident will be one which has a significant impact on a company's business, financial condition, corporate reputation or legal obligations. Materiality is judged not just from the viewpoint of the impacted company but from the perspective of external stakeholders.
The SEC definition of materiality of a cyber incident poses challenges for every company. To address the stakeholder perspective, a number of companies are forming cross-functional disclosure committees consisting of executives, board representatives, general counsel, finance staff and representatives of the cyber response teams. In creating a suitable framework, the quantitative and qualitative factors to be considered include:
- Impact on business operations, on the company's earnings and finances, and expenses related to remediation of the incident
- Public perception and reputational damage
In addition, existing internal frameworks, such as business continuity and disaster recovery strategies or incident response strategies, as well as publicly available external frameworks, such as the Factor Analysis of Information Risk (FAIR) Institute Materiality Framework, should be considered when assessing the materiality of cyber incidents. Furthermore, it is crucial that all processes and decision points are properly documented and understandable by regulators.
What information must companies report annually about their cybersecurity?
What is the best way for companies to proceed?
1. Conduct an SEC readiness assessment
Safeguard the organization’s reputation and protect against cyber risks while complying with SEC rules:
- Develop a foundation to evolve response capabilities as threats evolve
- Identify potential risks and address issues promptly
- Provide evidence that you are taking steps to comply
- Understand maturity of incident response, escalation, and reporting processes
2. Evolve cyber incident response and reporting capabilities
Protect the organization’s interests, maintain trust, and strengthen overall cyber resilience:
- Define materiality criteria and embed in incident processes
- Continue to meet disclosure obligations as incidents evolve
- Learn from past incidents and improve resilience
- Maintain investor confidence and protect shareholder value
3. Apply stakeholder coordination and orchestration processes
Develop broad disclosure capabilities that are interconnected:
- Facilitate timely and appropriate disclosures
- Combine legal guidance with cybersecurity experience
- Develop accountability for compliance and disclosure
- Provide consistent disclosures with transparency
4. Enhance the cybersecurity governance framework
Provide shareholders with confidence that cyber is a top organizational priority:
- Strengthen governance by educating the board and management
- Foster a culture of responsibility and accountability
- Implement operating models for risk management
- Identify board committee or subcommittee responsible for cybersecurity oversight
Who needs to be involved in the process?
The cyber disclosure regulation increases the responsibility of the Chief Information Security Officer (CISO), the Chief Information Officer (CIO) and/or the Chief Technology Officer (CTO). At the same time, the business, finance, legal and risk teams are required to intensify their collaboration.
In addition, the CISO, CIO and/or CTO are the point of contact for:
- CEO: To ensure that the cybersecurity risk management program has appropriate governance.
- CFO: With investors in mind, it is important that the risk management program can quickly assess the materiality of incidents.
- Board and appropriate committees (audit, risk, technology, cyber risk oversight): Data on cyber threats and incidents must be presented to them in an accessible manner.
- Internal audit: In addition to assessing identified cybersecurity risks and reviewing controls to mitigate them, internal audit is involved in preparing SEC disclosures.
- Investor relations: To ensure investors have the information they need to make informed decisions.
- General counsel: Ensuring legal obligations are met. At the same time, they want to minimize legal liability.
Outlook: What other cyber laws do companies need to prepare for?
In the USA: Cyber Incident Reporting for Critical Infrastructure Act (2022)
Under the Cybersecurity and Infrastructure Security Agency’s (CISA) proposed rule, companies must report substantial cyber incidents within 72 hours and ransom payments within 24 hours. The companies affected include:
- any company owning or operating systems the U.S. government classifies as critical infrastructure, such as healthcare, energy, manufacturing and financial services.
- companies that don’t operate critical infrastructure, but whose systems may be vital to a particular sector, such as service providers.
CISA is expected to publish a final rule by the end of 2025, with mandatory reporting expected to begin in 2026.
In the EU: DORA – the Digital Operational Resilience Act
The European Union regulation sets standards that financial companies – such as banks, investment firms and credit institutions, but also crypto-asset service providers – must integrate into their information and communication technology (ICT) systems by January 17, 2025. Additionally, it requires critical external technology service providers to comply with these standards. The regulation has two main objectives: to comprehensively address ICT risk management in the financial services sector and to harmonize the ICT risk management regulations already in place in the individual EU member states.
Benefit from Munich Re’s knowhow in cyber risk
Our strategy is based on understanding cyber risks, assessing them adequately, and providing a sustainable insurance product. We achieve this through close collaboration with insurance and reinsurance experts, external partners, cedants, and clients.
We offer solutions that transcend traditional insurance and reinsurance. This includes a comprehensive network addressing every aspect of cyber claims, ensuring our clients have quick and direct access to professional service providers.
Our more than 15 years of experience in this still-uncharted territory demonstrates our commitment. This is how we differentiate ourselves from the competition.