The SEC has adopted new cybersecurity disclosure rules. This blog will tell you everything you need to know to prepare appropriately and in good time.
Last month, the SEC published a press release announcing new cybersecurity risk management, strategy, governance, and incident disclosure rules for public companies. These new rules represent the SEC’s desire to increase the transparency of cybersecurity incidents – particularly for investors – and encourage public companies to improve their security posture.
What are the key dates?
- March 8th, 2022 – The SEC proposes new cybersecurity disclosure rules
- March 9th, 2022 – The comment period for proposed rules closes
- February 9th, 2023 – The SEC reopens the comment period
- April 11th, 2023 – The comment period closes for the final time
- July 26th, 2023 – The SEC votes 3-2 to adopt the new rules
- December 1st, 2023 – The date from which regulators will enforce the new rules
What do the rules require?
The new rules require public companies to disclose cybersecurity incidents within four business days of confirming that the incident is material. The SEC defines a material cybersecurity incident as one where “there is a substantial likelihood that a reasonable shareholder would consider it important.” These rules are intended to ensure that public companies promptly inform investors about cybersecurity incidents that could influence investment decisions, protecting investors from the financial risks associated with such incidents.
Under the new rules, public companies must disclose the following information regarding a cybersecurity incident:
- Its nature
- Its impact on the victim’s business
- What steps the victim has taken to address the incident
- The victim’s cybersecurity risk management policies and procedures
- The board of directors’ oversight of cybersecurity risk, including its cybersecurity expertise and role in assessing and managing risk
What are the consequences of non-compliance?
Failing to comply with the new SEC rules could result in SEC penalties, investor lawsuits, and reputational damage. Small businesses can hardly withstand the financial pressure this situation creates, and depending on the severity of the breach, they may shut down for good even after as little as a single incident. Bigger businesses, on the other hand, are more likely to be concerned with the reputational damage.
How can you prepare?
One of the most important steps an organization can take to prepare for the new rules is determining what “material” means. While we laid out a brief definition above, compliance relies on a deeper understanding of the term. Organizations must think deeply about what an investor would want to know about a cybersecurity incident, most notably: Would an investor consider the incident important enough to impact an investment decision? If yes, the incident is material, and the SEC must be notified.
Organizations should also consider:
- Financial impacts
- Reputational impacts
- Customer relations
- Vendor relations
- Regulatory compliance
Having an effective incident response team is essential to ensure that you can provide the necessary information in the short four-day window. Whether you employ an in-house team or keep a dedicated incident response team on retainer, they must be engaged long before an incident occurs, not when one happens. Sourcing an incident response team after you have been attacked will not only slow down remediation efforts, it will likely prevent you from providing the SEC with the necessary information before the deadline.
As we’ve already covered, public companies must disclose the board of directors’ cybersecurity risk oversight under the new SEC rules. As such, affected organizations must immediately bring the board to a satisfactory cyber literacy level. Cybersecurity awareness training programs are an excellent way to achieve this, but bringing in outside experts could be worthwhile if the board’s cyber literacy is especially poor. Alternatively, the board might assign a specific committee to own cybersecurity oversight.
Who’s responsible for what?
Organizations must also understand each department’s compliance role. Try to stick to the following guidelines:
- CEO/CFO – Takes responsibility for the completed and disclosed cyber risk management platform
- Board of Directors – Responsible for identifying committees for effective oversight and overseeing cybersecurity risk
- CIO/CISO/Technical Teams – Responsible for:
  - Defining a cybersecurity framework
  - Implementing cybersecurity policies and procedures
  - Understanding the reporting process
  - Assessing and managing material risk
- Legal – Takes responsibility for documenting whether an incident was material and justifying conclusions to the SEC
- Internal Audit – Responsible for assessing whether the company is ready to disclose an incident and running tabletop exercises to test preparedness
What questions should you ask?
Organizations must also answer the following questions as soon as possible:
- What reporting processes are in place?
- How much information can we disclose without revealing confidential cybersecurity procedures?
- Are we positioned to report incidents within four days?
- Are we prepared to respond to a cybersecurity incident?
But, most importantly, organizations must have robust cybersecurity measures in place. Running risk assessments, implementing MFA, access controls, and network and endpoint security, educating staff, and practicing timely patch management will all significantly decrease the likelihood of falling victim to a cyberattack and – considering public companies now must disclose cybersecurity risk assessments – could even raise your stock price.
ITEGRITI has deep experience across critical infrastructure cybersecurity programs, compliance, risk, and audit. Contact us today to learn how we can leverage this experience to help you accomplish your cybersecurity goals.
Contact Us: https://itegriti.com/contact/
ITEGRITI Services: https://itegriti.com