SEC, CISA or EU: How well is your company coping with cyber laws?
    Investors are no longer impressed with financial figures alone. They demand information from companies about the ecological and social impact of their business model. In addition to sustainable corporate development, they also focus on the management of cyber risks. 

    “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” explained Gary Gensler, Chairman of the US Securities and Exchange Commission (SEC). This is why regulators who have traditionally focused on financial governance have broadened their reach into cybersecurity: the SEC's “Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure” rules came into force in mid-December 2023. Listed companies registered with the SEC are now required to disclose information about their cyber risk management and to report “material cybersecurity incidents.”

    We explain what this means in detail below:

    With the new regulation, the SEC aligns the level of information available to investors and other external stakeholders with that of management, so that management has no unwarranted information advantage – for example in purchases and sales of company stock. Companies must therefore report a cyber incident – its nature, scope and timing – within four business days. The clock starts to run once the company has assessed the incident as “material”, not when the incident is first detected.

    Once this assessment has been made, the affected company must report the cyber incident to the SEC using Form 8-K, which already exists for disclosures of material adverse events. For this purpose, Form 8-K was given the additional Item 1.05: Material Cybersecurity Incidents.

    The notification can only be delayed if the US Attorney General determines that disclosure of the attack would pose a substantial risk to national security or public safety. That determination must be provided to the SEC in writing.
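    The four-business-day window is short, and the point that matters operationally is where it starts: at the materiality determination, not at detection. The following helper is an added example for this page, not code from Munich Re or the SEC. It counts business days as weekdays that are not federal holidays, and the 2024 holiday list it carries is a constructed sample for illustration, not an authoritative SEC calendar; the function names (`item_105_deadline`, `incident_timeline`) are hypothetical.

```python
"""Form 8-K Item 1.05 deadline helper (added example, not from the original article).

Business days are weekdays that are not federal holidays. The holiday set
below is a constructed sample for 2024; a real deployment would load the
current federal holiday calendar rather than hard-code it.
"""
import datetime as dt

# Constructed sample of US federal holidays for 2024 (illustrative only).
FEDERAL_HOLIDAYS_2024 = {
    dt.date(2024, 1, 1),    # New Year's Day
    dt.date(2024, 1, 15),   # Birthday of Martin Luther King, Jr.
    dt.date(2024, 2, 19),   # Washington's Birthday
    dt.date(2024, 5, 27),   # Memorial Day
    dt.date(2024, 6, 19),   # Juneteenth
    dt.date(2024, 7, 4),    # Independence Day
    dt.date(2024, 9, 2),    # Labor Day
    dt.date(2024, 10, 14),  # Columbus Day
    dt.date(2024, 11, 11),  # Veterans Day
    dt.date(2024, 11, 28),  # Thanksgiving Day
    dt.date(2024, 12, 25),  # Christmas Day
}

FILING_WINDOW_BUSINESS_DAYS = 4  # Item 1.05: four business days after the determination


def _as_date(value):
    """Accept a date/datetime or an ISO-8601 string such as '2024-11-27'."""
    return value if isinstance(value, dt.date) else dt.date.fromisoformat(value)


def is_business_day(day, holidays=FEDERAL_HOLIDAYS_2024):
    """Monday to Friday, excluding federal holidays."""
    day = _as_date(day)
    return day.weekday() < 5 and day not in holidays


def add_business_days(start, n, holidays=FEDERAL_HOLIDAYS_2024):
    """Return the date n business days after start.

    The start date itself is day zero and is never counted, so a
    determination made on a Saturday or a holiday still gets four full
    business days beginning with the next business day.
    """
    day = _as_date(start)
    remaining = n
    while remaining > 0:
        day += dt.timedelta(days=1)
        if is_business_day(day, holidays):
            remaining -= 1
    return day


def item_105_deadline(materiality_determined, holidays=FEDERAL_HOLIDAYS_2024):
    """Last calendar day on which the Item 1.05 Form 8-K is timely."""
    return add_business_days(materiality_determined, FILING_WINDOW_BUSINESS_DAYS, holidays)


def incident_timeline(detected, materiality_determined, holidays=FEDERAL_HOLIDAYS_2024):
    """Summarise the two dates an IR lead and general counsel both need to track.

    The lag between detection and determination is recorded separately because
    the rule expects the materiality determination to be made without
    unreasonable delay; a long lag is what a regulator will ask about.
    """
    detected = _as_date(detected)
    determined = _as_date(materiality_determined)
    if determined < detected:
        raise ValueError("materiality cannot be determined before the incident is detected")
    return {
        "detected": detected.isoformat(),
        "materiality_determined": determined.isoformat(),
        "determination_lag_days": (determined - detected).days,
        "filing_deadline": item_105_deadline(determined, holidays).isoformat(),
    }


if __name__ == "__main__":
    # Constructed scenario: detected 20 Nov 2024, determined material the day
    # before Thanksgiving. The holiday and the weekend push the deadline to 4 Dec.
    print(incident_timeline("2024-11-20", "2024-11-27"))
```

    One practical caveat the calendar arithmetic does not capture: EDGAR assigns a filing date based on when the submission is accepted, and submissions accepted after 5:30 p.m. Eastern Time receive the next business day's filing date, so the last business day of the window effectively ends in the afternoon.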

    The new requirements also apply to Foreign Private Issuers (FPIs), which must report cyber incidents on Form 6-K. At the same time, the SEC requires the companies concerned to provide annual information on their cybersecurity (for US companies: Form 10-K; for FPIs: Form 20-F).

    The SEC defines a material incident as a matter which “a reasonable shareholder would consider important in making an investment decision.” This means that a material cyber incident is one which has a significant impact on a company's business, financial condition, corporate reputation or legal obligations – and materiality is judged not just from the viewpoint of the impacted company, but from the perspective of external stakeholders.

    The SEC definition of materiality of a cyber incident poses challenges for every company. To address the stakeholder perspective, a number of companies are forming cross-functional disclosure committees consisting of executives, board representatives, general counsel, finance staff and representatives of the cyber response teams. In creating a suitable framework, factors to be considered include quantitative and qualitative factors such as:

    • Impact on business operations, on the company's earnings and finances, and expenses related to remediation of the incident
    • Public perception and reputational damage

    In addition, existing internal frameworks, such as business continuity and disaster recovery strategies or incident response strategies, as well as publicly available external frameworks, such as the Factor Analysis of Information Risk (FAIR) Institute Materiality Framework, should be considered when assessing the materiality of cyber incidents. Furthermore, it is crucial that all processes and decision points are properly documented and understandable by regulators.

    SEC rules require companies to be more transparent about their security strategies. This is specified in the added Item 106 of Regulation S-K. Companies must now disclose their procedures for assessing, identifying and managing risks posed by cyberthreats, including past cybersecurity incidents. They must also disclose management involvement and expertise, as well as oversight by the board of directors. This information is required in the annual report on Form 10-K for US companies. FPIs must report comparable information – cybersecurity risk management, security strategy and governance policies – on Form 20-F.

    From the collection and assessment of information by the security and IT teams to determining the escalation level for the teams reporting to the SEC, companies should have a defined process for assessing cyber incidents. Managers must insist on regular cybersecurity risk assessments, take audits and compliance seriously, and address potential issues head on rather than putting them off.

    1. Conduct an SEC readiness assessment

    Safeguard the organization’s reputation and protect against cyber risks while complying with SEC rules:

    • Develop a foundation to evolve response capabilities as threats evolve
    • Identify potential risks and address issues promptly
    • Provide evidence that you are taking steps to comply
    • Understand maturity of incident response, escalation, and reporting processes

    2. Evolve cyber incident response and reporting capabilities

    Protect the organization’s interests, maintain trust, and strengthen overall cyber resilience:

    • Define materiality criteria and embed in incident processes
    • Continue to meet disclosure obligations as incidents evolve
    • Learn from past incidents and improve resilience
    • Maintain investor confidence and protect shareholder value

    3. Apply stakeholder coordination and orchestration processes

    Develop broad disclosure capabilities that are interconnected:

    • Facilitate timely and appropriate disclosures
    • Combine legal guidance with cybersecurity experience
    • Develop accountability for compliance and disclosure
    • Provide consistent disclosures with transparency

    4. Enhance the cybersecurity governance framework

    Provide shareholders with confidence that cyber is a top organizational priority:

    • Strengthen governance by educating the board and management
    • Foster a culture of responsibility and accountability
    • Implement operating models for risk management
    • Identify board committee or subcommittee responsible for cybersecurity oversight

    The cyber disclosure regulation increases the responsibility of the Chief Information Security Officer (CISO), the Chief Information Officer (CIO) and/or the Chief Technology Officer (CTO). At the same time, the business, finance, legal and risk teams are required to intensify their collaboration.

    In addition, the CISO, CIO and/or CTO are the point of contact for:

    • CEO: To ensure that the cybersecurity risk management program has appropriate governance.
    • CFO: With investors in mind, it is important that the risk management program can quickly assess the materiality of incidents.
    • Board and appropriate committees (audit, risk, technology, cyber risk oversight): Data on cyber threats and incidents must be presented to them in an accessible manner.
    • Internal audit: In addition to assessing identified cybersecurity risks and reviewing controls to mitigate them, internal audit is involved in preparing SEC disclosures.
    • Investor relations: To ensure investors have the information they need to make informed decisions.
    • General counsel: Ensuring legal obligations are met. At the same time, they want to minimize legal liability. 

    In the USA: Cyber Incident Reporting for Critical Infrastructure Act (2022)

    Under the Cybersecurity and Infrastructure Security Agency’s (CISA) proposed rule, covered companies must report substantial cyber incidents within 72 hours and ransom payments within 24 hours. The companies affected include:

    • any company owning or operating systems the U.S. government classifies as critical infrastructure, such as healthcare, energy, manufacturing and financial services.
    • companies that don’t operate critical infrastructure, but whose systems may be vital to a particular sector, such as service providers.

    CISA is expected to publish a final rule by the end of 2025, with mandatory reporting expected to begin in 2026.

    In the EU: DORA – the Digital Operational Resilience Act

    The European Union regulation sets standards that financial companies – such as banks, investment firms, credit institutions, but also crypto-asset service providers – must integrate into their information and communication technology (ICT) systems by January 17, 2025. Additionally, it requires critical third-party ICT service providers to comply with these standards. The regulation has two main objectives: to comprehensively address ICT risk management in the financial services sector and to harmonize the ICT risk management regulations already in place in the individual EU member states.

    Benefit from Munich Re’s knowhow in cyber risk

    Our strategy is based on understanding cyber risks, assessing them adequately, and providing a sustainable insurance product. We achieve this through close collaboration with insurance and reinsurance experts, external partners, cedants, and clients.

    We offer solutions that transcend traditional insurance and reinsurance. This includes a comprehensive network addressing every aspect of cyber claims, ensuring our clients have quick and direct access to professional service providers.

    Our more than 15 years of experience in this still-uncharted territory demonstrates our commitment. This is how we differentiate ourselves from the competition.

    Experts
    Bob Parisi
    Head of F&C Cyber Solutions, North America