The SEC has been implementing many rules in recent years related to how businesses must approach cybersecurity. These rules should be on your radar, regardless of the size or industry of your organization. Failure to follow them can lead to fines and other penalties, not to mention endless headaches and customer complaints when you experience a data breach or other incident.
In recent months, the SEC added a few more details to its sweeping set of rules, this time addressing how public companies report cybersecurity incidents. The new rules aim to fortify the protection of customer information, bolster transparency, and help ensure the integrity of markets. As companies adapt to these regulations, it is crucial to understand their implications and take proactive steps to comply with them.
The New SEC Cybersecurity Rules at a Glance
The new SEC rules follow a late July 2023 vote that narrowly passed a proposal for such changes, one that had been on the table since the spring of 2022.
The SEC stated that these new rules require “registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.”
Some words from SEC Chair Gary Gensler sum up the intent of these rules nicely and put into perspective the reasoning behind the additions. Gensler says, “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
Those words lead right into the heart of the changes as they relate to incident disclosure. Public companies now must report any cybersecurity incident, such as a data breach, within four days of it being known. Organizations need to file a report of the incident on Form 8-K. The report needs to be made for any incident the company deems to be material and must “describe the material aspects of the incident’s nature, scope, timing, as well as its material impact or reasonably likely material impact on the registrant.”
Four days may seem like a quick turnaround, but the change is intended to inform shareholders and the public of an incident directly from the company experiencing it, rather than through the press or other sources, as was previously common.
Another facet of the new rules is Regulation S-K Item 106. This requires companies to “describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.”
In other words, this section of the new rules requires companies to disclose essentially their entire approach to cybersecurity, giving shareholders and the public a comprehensive look at how it is being addressed at an organizational level. This likely aims to ensure that all companies take effective cybersecurity planning and response measures seriously, to the benefit of themselves and of those involved or invested in them. It should be a welcome change for any shareholder wondering what goes on behind closed doors toward these ends.
What the New Rules Mean for Your Business
If you own or operate a publicly traded company, these rules apply directly to you. If you haven’t already been paying close attention to cybersecurity regulations, now is the time to get on board and in line. These changes aren’t really that dramatic and essentially follow best practices for addressing and dealing with cybersecurity incidents.
The required notification window of four days is worth noting, as that is a pretty drastic change. Companies that could once sit on notifications to save face or to finish incident response now need to report the problem before any real remediation has necessarily begun. That shouldn’t be seen as a bad thing, as most large breaches get published in the press in a similar timeframe.
There are a few exceptions to the four-day rule that can apply to certain incidents or situations. The disclosure can be delayed if the US Attorney General determines that disclosing it poses a national security risk or negatively impacts public safety; the AG would notify the SEC if such a risk were on the table. It’s also important to note that this increased reporting and disclosure is required only for cybersecurity incidents that are deemed material, or in other words, worth reporting. A small-risk incident that doesn’t expose sensitive data likely doesn’t need to be reported. But the exact wording of what makes an incident material is still murky, so it’s best to err on the side of caution.
As always, having a cybersecurity incident response plan in place will help you navigate these new rules and any others that are sure to appear in the near future. Working with a third-party provider that offers these services will help your organization stay better prepared and give you qualified assistance when quick reporting and other measures must be adhered to. Pre-breach planning is as crucial as the post-breach regulatory response, and a comprehensive approach to both is essential whether you keep things in-house or bring in third-party help.
These new SEC rules are yet another example of just how quickly the cybersecurity regulatory landscape is evolving. These rules must be followed, and knowing where to begin can be a complicated process, even for well-established organizations. It’s more critical than ever to establish proper cybersecurity protocols to safeguard your business and keep it in line with all related regulations.
LibertyID Business Solutions provides business fraud remediation, full pre-breach preparation with custom WISP protocols, post-breach regulatory response, customer and employee identity fraud restoration management, advanced employee training, and third-party vendor management tools.