Cybersecurity Reporting Updates with Hilary Tuttle of Risk Management Magazine

From RIMScast


Length: 27 minutes
Released: Aug 8, 2023
Format: Podcast episode

Description

Welcome to RIMScast. Your host is Justin Smulison, Business Content Manager at RIMS, the Risk and Insurance Management Society.

RIMS Risk Management Magazine Managing Editor Hilary Tuttle rejoins RIMScast to discuss new cyber incident reporting policies issued by the SEC. (Press release: sec.gov/news/press-release/2023-139.) Hilary talks about the key role that governance plays in the SEC’s announcements and how risk managers need to put this on their radar and even use it as an opportunity to demonstrate their value to the organization. Hilary also discusses a cyber insurance market outlook for the latter half of 2023.

Key Takeaways:

[:01] About RIMScast and the RIMS App, an exclusive benefit for RIMS members.
[:32] About today’s episode, where we will discuss some major cyber reporting news with RIMS Risk Management Magazine Managing Editor, Hilary Tuttle.
[:58] All about exciting, upcoming RIMS events! Registration is open for the RIMS Canada Conference 2023, which will be held September 11th–14th in Ottawa! Visit RIMSCanadaConference.ca for more information.
[1:19] On September 14th, the Spencer Educational Foundation returns to New York City for its Annual Funding Their Future Gala. The event will be held at the Cipriani on 42nd Street. A link is on this episode’s notes. You can also visit SpencerEd.org.
[1:36] The RIMS Western Regional Conference will be held October 4th–6th in Vail, Colorado. Visit RIMSWesternRegional.com for more information and to register.
[1:48] Head to the RIMS.org/Advocacy page to find information about The RIMS Legislative Summit, which is returning to Washington, D.C. on October 25th and 26th.
[2:02] We are very excited about the RIMS ERM Conference 2023, which will be held November 2nd and 3rd in Denver, Colorado! The theme is Elevate and Evolve. Registration will open soon as will a call for nominations for the ERM Award of Distinction. Visit the events page on RIMS.org for more information.
[2:25] We are accepting educational session submissions for RISKWORLD 2024. See the link to the online submission form in this episode’s notes. RISKWORLD 2024 will be held May 5th–8th in San Diego!
[2:44] Cyber is on our radar here at RIMScast! In July 2023, The United States Securities and Exchange Commission issued new rules for cyber incident reporting as well as guidance for cybersecurity governance. I asked my colleague Hilary Tuttle to join us here on RIMScast. Hilary is the RIMS Risk Management Magazine managing editor.
[3:16] Hilary is our resident authority on cyber. She’s been reporting on it for years. She’s here to tell us what’s going on and what you need to know if you are a business leader, risk manager, or chief technology officer when it comes to these new reporting guidelines.
[3:45] Justin welcomes Hilary Tuttle back to RIMScast. Justin says he thinks of Hilary Tuttle when he sees cyber news.
[4:10] The big news is the United States SEC adopted some controversial new cybersecurity reporting rules and we need to talk about them. There’s the hook, and then there’s the deeper understanding of what’s going on. First, we’ll talk about the hook.
[4:38] Hilary says organizations are going to have to report to the SEC any cyber incident within four days of assessing the material financial impact of an incident. A material financial impact is financial losses or a significant impact on a company’s financial performance or results. This may be a reputation risk with a potential dip in stock price.
[5:34] The SEC has not stipulated what qualifies as a significant impact on a company’s financial performance or results. The rule on incident reports starts in December 2023. The rule on incidents that must be reported in annual reports starts in fiscal years beginning in 2024.
[6:31] Organizations have to establish that an incident happened. Was there data exposure? Was there a loss? Was there a disruption or outage because of a malicious actor? The forensics on these questions is what takes time


The official podcast of RIMS, the Risk and Insurance Management Society. Tune in for weekly discussions about risk management hot topics, interviews with leaders in the profession, and updates on RIMS events and education.