In December 2023, the United States Securities and Exchange Commission (SEC)’s new rules on the disclosure of material cybersecurity incidents took effect: the annual-report disclosures apply to fiscal years ending on or after December 15, 2023, and Form 8-K incident reporting began on December 18, 2023 (smaller reporting companies were given until June 15, 2024). These rules will have long-ranging implications for both public and private companies, so it’s vital to start preparing as soon as possible.
Here’s what every public and private company should know:
What Are the SEC’s New Rules?
The new SEC cybersecurity disclosure rules focus on material cybersecurity incidents, data breaches included, and an organization’s responsibilities toward clients and investors. A cybersecurity incident must be disclosed within four business days of the date the company determines it to be material. The clock starts at the materiality determination, not at discovery of the incident. The one exception is a delay granted when the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.
Of course, this requirement raises the question of how long companies have to make the materiality determination. The SEC does not give a concrete timeframe; instead, it requires that materiality be determined “without unreasonable delay” after the incident is discovered, so the determination cannot be put off as a way of delaying the disclosure clock.
Before materiality can be determined, though, a company has to know that an incident has occurred. Data breaches happen in many different ways. Most people, when they hear the word “cybersecurity,” picture hackers hunched over keyboards, wreaking havoc.
In practice, most leaks happen in far more pedestrian ways: someone in the company clicks a link in a phishing email, or leaves a work laptop unattended at the gym. Self-reporting is a vital part of any cybersecurity program, and it can take time and training to convince employees that reporting an issue is better than sweeping it under the rug. Companies should assume they will be held responsible for these breaches regardless of how they happened, and should encourage employees to be open and honest about potential threats.
Why Are New SEC Cybersecurity Disclosure Rules Being Put Into Place?
With the passage of GDPR and similar legislation around the world, it was only a matter of time before the SEC clarified its position on cybersecurity incidents. The SEC’s stated rationale is that investors need consistent, comparable, and timely information about the cybersecurity risks and incidents that can affect a company’s value; incidents that also threaten national security or public safety are the one case in which disclosure may be delayed. The ruling makes reporting requirements clearer and establishes a timeline for reporting.
Who Is Affected by the SEC Cybersecurity Disclosure Rules?
As of right now, the new rules directly bind only companies that report to the SEC, that is, publicly traded companies (including foreign private issuers listed in the U.S.). Vendors and other companies with access to a public company’s systems or data are affected indirectly: an incident on a third-party system that a public company relies on still counts as that company’s incident for disclosure purposes, so public companies will push notification and response obligations down to their suppliers. Private companies should also pay close attention, as the SEC may use public companies as a bellwether before making broader requirements. It behooves any company or organization to take note.
Companies that access, process, or store data for publicly traded companies therefore need to be prepared to support their customers’ obligations under the new rules: notify the customer promptly when an incident is suspected, preserve evidence, and supply the facts the customer needs to judge materiality. The data does not need to be particularly sensitive; what matters is whether the incident could be material to the public company. If a company provides any data-handling service to a public company, it will need its own incident response plan in place as well. These support companies may not have the budget for a full-time security executive, but CISOs (chief information security officers) can be engaged on a fractional basis. At some point, nearly every company will experience a real or suspected data breach, and avoiding a single incident more than pays for the cost of implementing a security program.
What Changes Should Be Made Based on the New Rules?
It depends on how robust a company’s current cybersecurity program is. For companies that have already invested heavily in cybersecurity, these new rules won’t change much. The main impediment is not the four-business-day reporting window itself. Rather, it’s detecting that an incident has happened in the first place, and then making a defensible materiality determination without unreasonable delay. If a company has put off establishing a cybersecurity program, there’s a lot of work to do in very little time.
If your organization does not have a CISO, now may be the time to hire one. The proposed version of the SEC rules would have required companies to disclose the cybersecurity expertise of their board members. For many boards, that expertise amounts to none. Those boards have received a reprieve this time around, as this requirement was dropped from the final rule. What survived is a requirement to describe how the board oversees cybersecurity risk and what role and expertise management has in assessing and managing it. That language shows the SEC is interested in the experience brought by boards of directors and executives. For any company looking for a sign that it should hire a CISO and put cybersecurity expertise in front of its board, the SEC has handed it one.
Assuming that a cybersecurity plan exists and is overseen by a CISO, the regulations should not be particularly onerous. Domestic companies file incident disclosures on Form 8-K (Item 1.05), and foreign private issuers listed in the U.S. report on Form 6-K. In addition, a description of the company’s cybersecurity risk management, strategy, and governance must be included in annual reports (Form 10-K, or Form 20-F for foreign private issuers) for fiscal years that end on or after Dec. 15, 2023.
The SEC’s new ruling on cybersecurity is intended to improve the identification, notification, and remediation of data breaches and other cybersecurity incidents, which remain a major concern for organizations, companies, and government agencies. As attackers become more sophisticated, more stringent and advanced safeguards must be put in place to combat them. Those safeguards begin with identifying vulnerabilities and detecting potential breaches.
Depending on the current state of a company’s cybersecurity infrastructure, the new rules may require only minor changes to how incidents are reported. If the cybersecurity program is undeveloped or underdeveloped, however, major changes may be required to achieve compliance.
Get in touch with our team to see how our powerful, time-saving technology will help you respond faster to the increasing volume of data breaches, CCPA and GDPR data subject access requests (DSARs), and more.