By Cam Sivesind
Mon | Dec 11, 2023 | 3:24 PM PST

December 15, 2023, marks a significant shift in the cybersecurity landscape for publicly traded companies. The U.S. Securities and Exchange Commission (SEC) has implemented new cyber incident disclosure rules, requiring companies to be more transparent and timely in their communication of cybersecurity breaches and vulnerabilities.

The SEC announced its new cyber incident disclosure rules on July 26, 2023, when it appeared the rules were effective immediately. Immediately or not, Dec. 15 is now here, and the new rules will be in effect. We covered the new rules on July 31, with some thoughts from InfoSec leaders.

The new rules require publicly traded companies to disclose "material cybersecurity incidents" within four business days. Public companies will also have to share details about their "cybersecurity risk management, strategy, and governance" on an annual basis. 

Sam Masiello, CISO at The Anschutz Corporation, had this to say back in July:

"I would expect that many CISOs today are feeling as if their job just got harder and now has a brighter spotlight shining specifically on them. Without requiring the disclosure of cyber expertise in the board room, CISOs who do not feel that they have an advocate today at that level are likely feeling as if they are being put into a more difficult position than they were already in."

What do the new SEC rules entail?

The new rules aim to enhance investor protection and market efficiency by requiring:

  • Faster Disclosure: Publicly traded companies must report material cybersecurity incidents within four business days of determining the incident's materiality. This is a significant change from the previous timeframe of "promptly," which often led to delays and inconsistencies.
  • Detailed Disclosure: Companies must provide a detailed description of the incident, including the nature of the attack, the affected systems, the potential impact on the company's operations and finances, and the remedial measures taken.
  • Risk Management and Strategy Disclosure: Companies must disclose their cybersecurity risk management policies, governance procedures, and incident response plans in their annual reports.

What should companies do to prepare?

With the deadline looming, here are some crucial steps companies can take to ensure compliance:

  • Conduct a Cybersecurity Risk Assessment: Identify and prioritize your most critical systems and data, assess your current cybersecurity posture, and identify potential vulnerabilities.
  • Develop a Comprehensive Incident Response Plan: Establish a clear and well-defined protocol for responding to cyberattacks, including communication protocols, remediation procedures, and notification processes.
  • Review and Update Disclosure Policies: Ensure your disclosure policies are aligned with the new SEC requirements, and train your communication teams on how to effectively communicate cyber incidents to investors and the public.
  • Invest in Cybersecurity Tools and Training: Implement robust cybersecurity tools and technologies, and provide ongoing training to your employees on cybersecurity best practices.
  • Establish Clear Communication Channels: Designate a point of contact for the SEC and investors to facilitate timely and accurate communication of cybersecurity incidents.

Joshua Brown, VP & Global CISO at H&R Block, had this to say back in July:

"The area where I was disappointed—but not surprised—to see the SEC back off from the original proposal was dropping disclosure requirements for having cybersecurity experience at the board level. While this had the hallmark of being a paper control (a plethora of 'certification' programs has already sprung up), I don't think that having cyber-aware board members is at all a bad thing. The threat of cyber disruption is material and represents a risk to businesses. I would think that boards would want to have that experience, even though it is somewhat difficult to come by. Understanding the nature of the threat and how to appropriately mitigate that risk should be a shared responsibility, not solely the purview of the CISO or CSO. Regardless, the final regulation is a solid step forward for meaningfully increasing transparency while allowing a great deal of flexibility in how companies approach cyber risk management."

The bottom line

The SEC's new cyber disclosure rules are not a mere formality; they represent a significant step toward greater transparency and accountability in the wake of rising cyber threats. By taking proactive measures to prepare, companies can not only comply with the new regulations but also demonstrate their commitment to cybersecurity and protect the interests of their stakeholders.

Additional resources

RELATED: The Record published this article, "FBI explains how companies can delay SEC cyber incident disclosures," saying the FBI has published guidance on how companies can request a delay in disclosing cyber incidents to the SEC. From the article:

"The rules take effect on December 18 (we have seen Dec. 15 and 18 both listed as the date the rules take effect), but smaller companies will have an extra 180 days to comply. The FBI worked with the Department of Justice to create the guidance document for victims about how companies can 'request disclosure delays for national security or public safety reasons.'

The bureau recommends 'all publicly traded companies establish a relationship with the cyber squad at their local FBI field office' and 'strongly encourages companies to contact the FBI soon after a cyber incident is discovered. This early outreach allows the FBI to familiarize itself with the facts and circumstances of an incident before the company makes a materiality determination.'"
