On July 26, 2023, the Securities and Exchange Commission (SEC) voted to adopt new rules on cybersecurity disclosures for publicly traded companies. This ruling has significant implications for public companies and their cybersecurity risk management practices. This article offers an overview of the SEC cybersecurity ruling and essential information on how to prepare your organization for compliance.
What the Ruling States
By adopting its new cybersecurity regulations, the Securities and Exchange Commission (SEC) has made a momentous move towards enhancing cybersecurity transparency and accountability for public companies. The SEC made these changes in response to the increasing frequency and severity of cyberattacks, recognizing the need for greater visibility into how organizations manage and mitigate these risks.
Under the new ruling, all publicly traded companies are mandated to disclose information regarding cybersecurity risk management, strategy, and governance on an annual basis. These reports will require registrants to identify items such as their board of directors’ oversight of cybersecurity risks, their process for assessing, identifying, and managing material risks, previous cybersecurity incidents, and management’s role and expertise in assessing and responding to material risks. This full disclosure is required to be included in the company’s annual 10-K filings.
The SEC’s new ruling also requires companies to disclose any material cybersecurity incident within four business days, giving investors and the public a clearer view of the potential risks they face. Disclosure delays will only be granted where the United States Attorney General determines that an immediate disclosure poses a substantial risk to public safety or national security.
Disclosures for risk management, strategy, and governance will be required beginning with the annual filings for fiscal years ending on or after December 15, 2023. For incident reporting, the stringent four-business-day disclosure requirement will be effective on or after December 18, 2023 (there is a 180-day deferral period for smaller companies).
What is Required for Incident Reporting?
Publicly traded companies will now be required to include specific details when disclosing information about material cybersecurity incidents. The following details must be included to the extent known at filing:
- When the incident was discovered and whether it is ongoing
- A brief description of the nature and scope of the incident
- Whether any data were stolen, altered, accessed, or used for any other unauthorized purpose
- The effect of the incident on the registrant’s operations
- Whether the registrant has remediated or is currently remediating the incident
This disclosure does not need to include specific technical information about the company’s planned response to the incident, its cybersecurity systems, related networks, and devices, or potential system vulnerabilities in such detail that it would impede the company’s response to or remediation of the incident.
How to Prepare and Comply
To comply with the new SEC cybersecurity ruling, organizations need to be prepared to meet the new requirements. Here are some essential steps for compliance preparation:
- Assess Your Cybersecurity Program: Conduct a thorough assessment of your organization's cybersecurity program to identify any gaps or weaknesses. This assessment should encompass risk assessments, incident response plans, employee training, and vendor management. Update any outdated policies, procedures, and measures to strengthen your cybersecurity posture.
- Enhance Incident Response Capabilities: Implement or improve your incident response plan to ensure it aligns with the new reporting requirements. Work on reducing the time it takes to detect, respond to, and recover from cyber incidents.
- Establish Strong Governance: Ensure that your cybersecurity governance structure is robust and well-documented. This includes clear roles and responsibilities for cybersecurity within the organization and regular board-level oversight.
- Engage Executives and Boards: Cybersecurity should be a top priority for executives and boards, and they must be actively involved in the decision-making process. Regular reporting and updates on cybersecurity matters should be part of the board's agenda.
- Use Sophisticated Tools: Investing in an IT security tool, such as CimTrak, can help organizations identify threats before they hit. CimTrak can provide real-time monitoring, track and remediate changes, and offer audit-ready forensic reporting, making it easier to comply with the new SEC ruling and meet the stringent four-day timeline.
The SEC's new cybersecurity ruling signifies a step towards greater transparency and accountability in the face of growing cyber threats. For publicly traded companies, compliance with the ruling is crucial to maintaining the trust of investors and the public. By understanding the requirements, assessing their cybersecurity programs, and leveraging appropriate security tools, organizations can ensure they are well-prepared to navigate the changing cybersecurity landscape and mitigate potential risks effectively.
August 7, 2023