Cyber-insurance Archives - Thomson Reuters Institute
https://blogs.thomsonreuters.com/en-us/topic/cyber-insurance/
Thomson Reuters Institute is a blog from Thomson Reuters, the intelligence, technology and human expertise you need to find trusted answers.

How businesses should respond to the SEC’s cybersecurity disclosure rules
https://blogs.thomsonreuters.com/en-us/investigation-fraud-and-risk/cybersecurity-disclosure-rules/
Tue, 16 Apr 2024

Cybersecurity operations and reporting are undergoing a heightened level of scrutiny due to contentious cybersecurity disclosure rules issued by the U.S. Securities and Exchange Commission (SEC).

These regulations require publicly traded companies to disclose cybersecurity incidents within four business days of determining their materiality, and to report on their cybersecurity risk-management and governance procedures. The SEC’s move underscores the imperative for businesses to actively manage and report cybersecurity incidents, despite the intricate and firm nature of the .

However, businesses also must address a major issue that the SEC did not discuss in its ruling: the impact of generative artificial intelligence (GenAI) on their cybersecurity functions.

A notable step forward

These regulations mark a notable stride towards enhanced accountability and transparency in addressing cybersecurity risks and incidents. Companies are urged to revisit and enhance their disclosure protocols, conduct thorough cybersecurity risk evaluations, establish comprehensive incident-response strategies, invest in cybersecurity infrastructure and training, and institute clear communication channels to ensure compliance with the new mandates. Although these requirements may seem substantial, businesses should already be prioritizing safeguarding their operations, regardless of regulatory directives from the SEC.

The prevalence of data breaches has been on an upward trajectory for several years, with no sign of abating. For example, , in which tens of thousands of customers had their information compromised in a ransomware attack targeting Infosys McCamish Systems, one of the bank’s service providers, in November 2023. While notifications to customers began in February, potentially exceeding state-mandated notification deadlines, reports indicate that more than 57,000 customers were affected, with exposed data including addresses, names, Social Security numbers, dates of birth, and some banking details.

The pervasiveness of data breaches transcends industries and organizational sizes, inflicting millions of dollars in damages on US businesses. The average cost of a single data breach is $4.45 million, underscoring the pressing need for robust cybersecurity measures across all sectors.

New rules and new risks

The SEC’s cybersecurity disclosure rules, introduced in July 2023, have transformed how public companies must handle and disclose cybersecurity incidents. While the regulations are multifaceted, here’s what businesses must understand:

Swift, comprehensive incident reporting — Companies must now disclose “material cybersecurity incidents” within a strict four-business-day window after gauging the severity of the incident. This replaces the less specific “prompt” reporting standard that often caused delays. Companies must provide in-depth descriptions of the incident, including the attack’s nature, the systems compromised, the potential effects on business functions and finances, and the company’s response strategy.

Yearly disclosure of cybersecurity frameworks — Alongside incident reporting, companies are now obligated to reveal their cybersecurity risk management policies, governance structures, and incident response protocols in their annual reports. This mandate outlines how they evaluate and control material risks from cyber-threats, how their board and management oversee cybersecurity, and how these safeguards fit into the company’s broader risk management strategy.

Prioritizing investor protection — These regulations are designed to furnish investors with reliable, up-to-date insights into how companies tackle cyber-risks, fostering increased transparency and responsibility within the corporate world.

The cost of non-compliance — Although the SEC hasn’t yet outlined precise penalties for violating the new rules, its enforcement powers are far-reaching. Fines could reach up to $25 million, alongside other disruptive actions such as cease-and-desist orders or suspension of trading privileges. Even more concerning is the increased likelihood of lawsuits from investors or stakeholders if companies neglect to disclose material cybersecurity events. The SEC’s rules provide a strong basis for activist investors to challenge companies that fail to meet their obligations.

But what about GenAI?

The rules are also notable for what they don’t address: the impact of GenAI. Businesses are increasingly adopting GenAI for everything from customer service to website search. Yet GenAI is vulnerable to subtler forms of manipulation by bad actors, who can corrupt chatbots and AI-powered search into divulging private customer data or providing inaccurate information. Such breaches can act like a slow leak in a tire; a business might not become aware of them for quite some time. And yet the SEC cybersecurity disclosure rules do not address the potentially devastating impact of GenAI breaches.

GenAI cuts both ways, of course. On the plus side, GenAI offers potent tools to combat cybersecurity attacks, sharpen companies’ training capabilities, and even improve their SEC reporting. However, GenAI has to be actively managed, and companies should remember that human oversight remains vital throughout the process. This includes training the models to generate valid scenarios or report formats and continually verifying the outputs for quality. GenAI can even help with this, flagging potential oversharing in disclosures based on preset guidelines.

Beyond its failure to mention GenAI, the SEC’s new cybersecurity disclosure rules have had their fair share of critics. One major sticking point is the whole “materiality” issue and the tight reporting deadlines. Companies are expected to figure out if an incident is significant enough to report “without unreasonable delay” — then tell the SEC about it within four business days. That’s a tall order, considering it takes an average of 277 days to even spot and contain most breaches. How are companies supposed to accurately assess the scope of an attack that quickly, without potentially misreporting key details?

Then there’s the disclosure headache. Companies must walk a tightrope, providing enough information to satisfy the SEC while avoiding revealing so much that they put their security at further risk. It’s a delicate balance that leaves room for misinterpretation.

Even more concerning are the implications for public and national security. Some experts worry that rushing to disclose incidents could hinder investigations. The SEC’s rules do offer a loophole — the U.S. Attorney General can delay disclosure for national security or safety reasons — but this solution is considered cumbersome and limited.

Despite these criticisms, the rules are law. Companies now face the unenviable task of navigating these complexities as best they can. Indeed, the SEC’s disclosure rules should be seen not as a burden, but as a catalyst for proactive cybersecurity improvement. Businesses that wait until mandatory reporting deadlines to address security are already operating from a position of risk — and waiting for the SEC to force your hand is a recipe for a future breach.

Company cybersecurity leaders should embrace the opportunity to improve now and stay ahead of the curve.

Practice Innovations: Law firms need to consider cyber-insurance — even if they don’t understand it
https://blogs.thomsonreuters.com/en-us/legal/practice-innovations-cyber-insurance/
Mon, 10 Jul 2023

Most operational and risk management professionals are acutely aware that cybersecurity is a burgeoning business issue, especially in the professional services and legal arena. However, digesting the details can be a challenge, mostly because many of the related topics are highly technical and, in most instances, understandably not in the wheelhouse of those in leadership positions in the legal profession.

Functional specifics such as penetration tests, monitoring sites, security awareness training, multi-factor authentication, disaster recovery planning and backups, anti-virus protection, and password management are not, and should not be, in the vernacular of most legal practitioners. Indeed, these deep technical topics are better left to specialists in the security field.

Yet, some security decision points are primarily business or risk-management oriented. And a certain level of understanding by law firm leadership is important, given, for example, the ethical and professional rules of conduct governing attorney-client relationships.

To that end, one emerging area in the security space that law firms should now consider is cyber-insurance, and the most common types of cyber-insurance include:

• Event management — This coverage is designed for the transactional costs associated with a security event, such as breach counsel, forensic services, data remediation, notification expenses, and more.
• Network interruption or other loss of revenue — As the name suggests, this module covers top-line losses and other additional expenses relating to outages.
• Extortion — This coverage applies to expenses incurred when one hires a negotiator to interface with a hacker or other bad actor, or to the literal payment of a ransom (which is not recommended, but that’s a different topic).
• Media liability — This area covers libel, copyright or trademark infringement, slander, defamation, and related media risks.
• Security & privacy — This coverage type applies to liabilities to third parties — clients, business partners, etc. — arising from the breach or theft of confidential data or the transmission of malware from the firm’s networks to those third parties.

Why is the cyber-insurance market so disrupted?

Anything relatively new also tends to be somewhat unsettled and dynamic in nature as standard conventions are developed. It’s no different for cyber-insurance — yet the need is there. Quarterly ransomware run rates have seen increases in the range of 100% to 450% over various quarters since Q1 2019, according to a recent study by Aon. Not unexpectedly, there is a corresponding uptick in ransomware payments as well.

Indeed, the considerable uptick in these types of incidents far outweighs the counterbalancing fact that the industry is seeing cost reductions driven by a decrease in certain types of privacy and data breach incidents during the same period. Still, there are many underlying reasons the professional services sector is a prime target for cyber criminals, with all law firms, unfortunately, in the crosshairs of bad actors.

What is the outlook for 2023?

Cyber-insurance renewal rates smoothed a bit in 2022, but the sharp uptick in victims during the first part of this year, coupled with the highly contributed to the increase and somewhat offset that positive trend. Market conditions, not surprisingly, continue to be turbulent.

“The cyber insurance market has been changing rapidly, seeing much higher rates and tighter security controls in the last few years,” says Dustin Bolander, vice president of operations and technology at . “As losses decrease in 2023, we’re seeing most insurers take a cautious approach to changes. Law firms are one of the most at-risk industries for cyber-incidents, so cyber-insurance will continue to function as informal regulation for the legal profession.”

In fact, the expectation of more and more cyber-criminals entering the fray in the professional services space creates considerable turbulence and a speculative environment of sorts in the cyber-insurance industry.

How is the application process changing?

Insurance underwriters now set a higher bar for law firms and other corporate clients than in the past. Key expectations have become more demanding and more comprehensive in three main areas:

Security — This includes controls such as multi-factor authentication, the creation of domain administration groups and service account restrictions, and securing remote access. Rotating administrative passwords or creating a culture of one-time-use credentials are close cousins to these controls. Many of these restrictions are common in today’s typical law firm; others a bit less so. Yet these are all best practices designed to restrict access or raise the bar for authentication.

Monitoring — This includes technologically oriented activities — such as endpoint protection and monitoring; frequent patching of equipment such as servers, computers, devices, and more; and email filtering — all the types of activities designed to prevent viruses, malware, and other malicious code from entering an environment. The developing areas of SIEM (security information and event management) and SOC (security operations center) services offered by third parties that serve the legal sector are other newer trends in the monitoring realm.

Preparation 鈥 This includes primarily administrative steps such as disaster recovery and backup planning and testing, creating incident response plans, conducting penetration tests and vulnerability scans, and executing phishing and cyber-awareness training for employees.

The industry also observes that certain types of vulnerabilities, such as poor email configuration, leaked credentials, and public access ports, greatly contribute to the typical successful cyber-attack.

“While the insurance market is a more hospitable place for law firms in 2023, insurers are still asking detailed questions about cybersecurity measures,” says Tom Ricketts, senior vice president and executive director at Aon. “We recommend starting your insurance renewal process very early — four to six months ahead of the renewal date — to ensure that you have time to negotiate with insurers and to implement security measures that could positively impact the availability or cost of insurance.”

In terms of how law firms can best work with insurance brokers, industry expert Lynn Watson, Director of Security, Risk & Compliance at law firm , notes the importance of a strong partnership with an insurance broker. “Navigating cyber-insurance certainly is not getting any easier,” Watson explains. “Finding a good broker and working with them throughout the year to leverage their ongoing insight and exposure to issues should be a priority. And integrating suggestions is essential for businesses looking for effective insurance cover.”

Overall, the legal profession is experiencing sea changes, most notably in how the number of activities required to secure affordable cyber-insurance rates has dramatically increased in the past few years, especially for law firms with relatively limited technology staffs and resources.

For those law firm executives tasked with securing cyber-insurance for their firm, please be mindful that the increase in cyber-threats and other macro-factors may inject further uncertainty and defense-oriented technology and administrative policy challenges into the process of obtaining cyber-insurance for years to come.
