In a world where cyber incidents are becoming increasingly complex and frequent, public companies are navigating a challenging digital landscape. The Securities and Exchange Commission (SEC) has intensified its focus on how organizations manage and disclose these cyber incidents. This shift toward more stringent regulatory oversight requires robust cybersecurity governance and transparent reporting practices, prompting companies to strengthen their risk management strategies.
Recent findings from the QBE 2024 Cyber Insurance Report highlight the prevalent nature of cyber threats, with more than 60% of surveyed risk professionals reporting that they had experienced a cyber event. The report also found that while risk transfer remains a primary concern, the proactive and preventive aspects of cyber insurance—such as incident response planning and breach response services—are not being fully utilized. For public companies, these findings are particularly significant as they highlight the critical need for comprehensive cyber insurance that aligns with regulatory expectations, enhancing cyber preparedness and resilience.
The SEC has revised its approach in response to the increasing number and severity of cyber incidents affecting public companies. Updated regulatory guidance now requires strict disclosure of cybersecurity risks and incidents, both successful and attempted, that could influence an investor’s decision-making process. This aims to protect investors and ensure markets remain fair, orderly and efficient.
“The SEC has increased its focus on cybersecurity especially post event. This may introduce unexpected regulatory gaps in coverage,” said Meredith Brown, SVP, head of U.S. cyber and E&O, QBE North America. “To help ensure organizations are protected, QBE has launched cyber coverage endorsements designed specifically to assist public companies in addressing post event disclosure requirements and enforcement actions prosecuted by the SEC.”
The new endorsements aid companies in complying with SEC reporting obligations following a cyber event. By providing access to expert legal guidance, the coverage helps to ensure accurate and timely preparation of required disclosures. It also extends protection to include SEC actions under Section 13(b)(2)(B) and Rule 13a-15(a). These regulations relate to the sufficiency of internal controls over financial reporting and the effectiveness of disclosure controls and procedures. Standard cyber policies may not adequately address these requirements, leaving a significant gap in coverage. Together, these coverage enhancements ensure comprehensive protection, mitigating potential financial and reputational impacts that could arise from non-compliance.
“Adding critical insurance solutions into broader risk management strategies helps companies comply with regulatory requirements and enhance their organization’s cyber resilience,” added Brown.
Cybersecurity should be a top priority for all companies. Given recent actions by the SEC, companies must proactively review and refine their policies and procedures, including the oversight of third-party vendors. It’s an opportunity to examine incident response plans, internal controls, impact assessments, escalation procedures and disclosures. These regulatory developments also reinforce the role that the insurance industry plays in helping companies manage their cybersecurity risks and the potential reputational and financial impacts. Companies should work closely with their insurance partners to assess their cybersecurity risks to ensure they have the appropriate protection to help strengthen their cyber posture.
QBE makes no warranty, representation, or guarantee regarding the information herein or the suitability of these suggestions or information for any particular purpose. QBE hereby disclaims any and all liability concerning the information contained herein and the suggestions herein made. Moreover, it cannot be assumed that every acceptable risk transfer procedure is contained herein or that unusual or abnormal circumstances may not warrant or require further or additional risk transfer policies and/or procedures. The use of any of the information or suggestions described herein does not amend, modify, or supplement any insurance policy. Consult the actual policy or your agent for details about your coverage. QBE and the links logo are registered service marks of QBE Insurance Group Limited. © 2025 QBE Holdings, Inc.