Top Takeaways from the SEC’s New Rules on Cyber Incident Reporting
Date: 28 July 2023
On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) released its new set of rules on Cyber Incident Management and Reporting.
In a news release titled “SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies”, the organisation has mandated several new norms for how publicly traded companies must report and manage cybersecurity events.
We break down all the information that is currently available and consolidate it for you in this article. Here is a look at the key takeaways and what they mean for U.S.-listed companies.
#1. Publicise Cyber-Attacks Within 4 Days of Determining Their Material Impact
As per the new rules, companies registered with the SEC must disclose any cybersecurity incident within 4 days of determining that it has a ‘reasonably likely material impact’. They also have to disclose the nature of the attack, its scope and its timing. The only case in which the disclosure may be delayed is if it is determined that disclosing it could impact national security and/or public safety.
This rule, proposed in 2022, has now come into effect and is a welcome move. It requires greater transparency from organisations when it comes to how they handle cyber attacks and data breaches.
Improved Cyber Incident Planning and Response has become critical with the new rule coming into effect. Public companies in the U.S. will now be required to have a streamlined and effective Incident Response and Management policy if they are to achieve compliance with the new SEC rules.
Organisations in the U.S. will have to invest greater resources in ensuring they have repeatable, relevant and properly rehearsed Cyber Incident Response Plans and Incident Response Playbooks that they can fall back on for speedy reporting and management.
Our CEO, Amar Singh, adds, “The new rules will prompt businesses in the U.S. to pay more focussed attention on their Cyber Incident Response capabilities and overall cyber resilience. In the U.K., we’ve helped several clients to become capable of responding effectively to and reporting incidents in 72 hours (as mandated by the EU GDPR). With regular compliance initiatives and Tabletop Testing of Cyber Incident Response Plans and Playbooks, reporting incidents with material impact in 4 days should become a part of the muscle memory even for U.S.-based organisations.”
“This is definitely a step in the right direction. The increase in the number and complexity of attacks each year does erode financial capital and deeply impacts the privacy and personal information security of a vast number of individuals. But for many years we’ve seen inertia amongst U.S. organisations in informing their customers and shareholders in time, even after major attacks. Enforcing stringent reporting and encouraging greater transparency is certainly called for in the current threat landscape.”
#2. Describe Internal Processes for Assessing and Identifying Risks from Cyber Threats
Registrants will now also have to describe what measures they undertake to assess, identify and manage cybersecurity risks. This will also entail describing the material impact of past cyber threats and/or incidents.
This rule has again put Cybersecurity Risk Management, Governance and Compliance at the forefront. While several organisations already demonstrate a commitment to their Cybersecurity Risk Management Framework, this ruling will add renewed vigour to efforts in this direction. Further, the enhanced visibility into what publicly listed companies are doing to address the ever-growing cybersecurity challenge will only bolster investor sentiment.
With the right set of cybersecurity policies and procedures, audit plans and assessments, and a solid information security strategy, several of our clients have been able to vastly improve their cybersecurity posture over just a few months.
With the new ruling of the SEC, there will definitely be an uptick in the number of organisations in the U.S. and abroad who refresh their approach to Cyber Risk Management and Cybersecurity Governance.
#3. Provide Details of the Management’s Expertise in Cybersecurity Risk
While the initial proposal suggested that each company must have a cybersecurity expert on the board, the rules as released ask organisations to describe their management’s involvement in and oversight of cybersecurity risks. They also ask listed companies to report the management’s expertise in managing the material impact of cybersecurity risks.
Several experts have drawn attention to the fact that the SEC doesn’t define what kind of expertise it expects to see on the boards of companies. However, they believe that the move is meant to create a focus on cybersecurity expertise at the C-level at least.
Amar Singh adds, “Cybersecurity is often given a painfully low level of attention, even at large public organisations. The SEC doesn’t clearly say what skills or certifications the board members or management should have. The idea is to create a healthy competition within industries to push the bar a bit in terms of cybersecurity expertise. If one organisation does go ahead and onboard a highly experienced CISO, chances are others will too, to avoid letting their stock price suffer. In the end, it’s the company and the investor who will win and, hopefully, the advanced attacker who will get the short end of the stick.”
#4. Foreign Issuers Operating in the U.S. to Comply with the Same Rules
The press release on the new SEC Incident Reporting Rules also specifies that foreign companies listed with the SEC will have to comply with the same Incident Reporting rules.
Not only will organisations that maintain a secondary listing in the U.S. have to adhere to the 4-day reporting deadline, they will also need to provide descriptions of their cybersecurity risk, governance and compliance practices in Form 10-K.
The new SEC rules have, like all new regulations, apparently received mixed feedback from stakeholders. While some have brought up the increased compliance burden this may create for some organisations, we at Cyber Management Alliance believe that enhanced compliance requirements are indeed the need of the hour.
Standardised disclosures with respect to cybersecurity practices as well as reporting of cyber incidents will definitely bring in more transparency and coax organisations to streamline resources, re-energise their Incident Response teams and ensure better overall outcomes for their shareholders.
Comparable disclosures and descriptions of cybersecurity practices are also likely to spur a healthy competition and promote faster adoption of cybersecurity best practices across businesses in a particular industry.
More information in the public domain means better-informed decisions for the common citizen. It also means a renewed focus on cybersecurity compliance. This move is also certainly going to prompt better security practices, which will have a direct bearing on the financial prospects of a business. Last word from us - this was a long time coming!