The Securities and Exchange Commission's (SEC) final cybersecurity disclosure rules went into effect on September 5, 2023. The annual cybersecurity disclosure associated with the new rules will be required for registrants with fiscal years starting December 15, 2023.

These new rules focus primarily on three key areas:

1. Incident Reporting: Public companies are required to promptly report any cybersecurity incidents that may have a material impact on their operations. This includes breaches, market stability and/or investor confidence. It also requires reporting material cybersecurity incidents on a Form 8-K within four business days, to include the nature of the incident, the impact of the incident and the steps taken to address the incident.
2. Risk Management: Public companies are mandated to perform comprehensive cybersecurity risk management programs. These programs must include regular risk assessments, as well as policies and procedures to address cybersecurity threats effectively. Additionally, companies and organizations are required to appoint a Chief Information Security Officer (CISO) responsible for overseeing and implementing cybersecurity measures and all Board members must play a role in managing and assessing the company’s cybersecurity risk.
3. Third-Party Vendor Oversight: Public companies are now expected to assess the security practices of their vendors and take appropriate measures to help deal with associated risks.

These new rules don’t just apply to ransomware attacks. There are many different types of cyber events that can impact consumer data and potentially impact your clients from a financial standpoint, so they must be prepared.

Having the right cybersecurity protocols in place is no longer a suggestion, but a requirement. Without them, the SEC is entitled to question your way of doing business and investors are able to file lawsuits against the company.

What to Expect Next

Now that the SEC has released regulations for public companies, we expect similar rules are forthcoming for registered investment advisors. New rules for this group will have a much larger impact on the financial industry as a whole.

So, what can insureds do to prepare now? A particular pain point for many investment and financial businesses that can be addressed immediately is email. Threat actors are looking to commit financial fraud in any way they can – the trick is to get the victim to move money from their account to one belonging to the threat actor. And with so much sensitive information being sent back and forth, email can be easily compromised. Be sure to ask your clients if they have policies and procedures in place on how and when to send secure email and if multi-factor authentication (MFA) is required to access company information.

If your clients need something more comprehensive, the New York Department of Financial Services is the gold standard when it comes to implementing a robust cybersecurity plan. Partnering with the Global Cyber Alliance, NYDFS developed a toolkit to help financial institutions keep their information secure. They also have an online learning portal which includes detailed training and resources that can be accessed free of charge.

Takeaway

By enforcing new rules aimed at enhancing protection against cyber threats, the SEC is hoping to tighten the security of financial markets and protect investors. These regulatory updates come as a response to the escalating frequency and sophistication of cyberattacks and are vital to ensuring that financial institutions remain capable of responding to cyber threats quickly and appropriately. Adhering to them is not only a legal obligation but a crucial step toward fortifying the financial industry against future cyber risks.

If you have questions about how to help insureds stay protected against future cyber attacks, reach out to your Amwins broker today.

• Kevin Mekler, Partner with Mullen Coughlin LLC
• Selvin Green, Amwins’ Assistant National Professional Lines Practice Leader