The U.S. Securities and Exchange Commission (SEC) has been working to protect investors from losses caused by cyberattacks. As the number of attacks continues to rise, the SEC has taken a clear stance: a breach is a matter of when, not if. Companies therefore need to be prepared, and they need to tell investors promptly when a material incident occurs.
In March 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was signed into law, directing the Cybersecurity and Infrastructure Security Agency (CISA) to develop incident reporting rules for critical infrastructure operators. The SEC has pursued its own, separate rulemaking for public companies: it proposed cybersecurity disclosure rules in March 2022 and, in July 2023, adopted final rules on cybersecurity risk management, strategy, governance, and incident disclosure. Those rules apply to companies that report to the SEC; but, since these regulations have arrived in quick succession, it stands to reason that similar obligations may reach private companies in the near future. The SEC has, in fact, already investigated private companies in other contexts.
As for the rules now on the books, companies should start preparing now. The annual-report disclosures apply to fiscal years ending on or after December 15, 2023, and the incident-disclosure requirement takes effect in December 2023 (smaller reporting companies get an additional 180 days for incident disclosure). So what do these rules say, who do they apply to, and how can a company ensure compliance? We’ll cover all that and more.
The new rules primarily focus on three things: 1] incident disclosure, 2] risk management, and 3] governance. They apply to companies registered with the SEC, which essentially means public companies reporting in the United States. However, registrants must also disclose material incidents that occur on systems run by their service providers and describe how they oversee third-party risk, so privately held businesses that sell to public companies will feel the effects as well.
At a high level, the rules require companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material, a considerably shorter time frame than has historically been expected. They also require companies to disclose information about their cybersecurity risk management, strategy, and governance in their annual reports.
When it comes to disclosing a “material” incident, the rules state that companies must “describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.” Companies report this on the new Item 1.05 of Form 8-K within four business days of determining that the incident is material, and the rules require that determination to be made “without unreasonable delay” after discovery. The clock therefore starts at the materiality decision, not at the intrusion itself, but a company that cannot quickly establish what happened cannot make that decision quickly either. The only allowance for delay is a written determination by the U.S. Attorney General that disclosure would pose a substantial risk to national security or public safety. Because this window is tight, businesses need a robust detection and response capability, plus a defined process for escalating incidents to the people who decide materiality.
The new rules also require registrants to describe their processes, if any, for “assessing, identifying, and managing material risks from cybersecurity threats,” and whether any risks from those threats have materially affected or are reasonably likely to materially affect the company. Companies must also describe the board of directors’ oversight of risks from cybersecurity threats, as well as management’s role and expertise in assessing and managing those risks. This information goes in the annual report on Form 10-K, under the new Item 106 of Regulation S-K. Every company’s cybersecurity program and strategy (or lack thereof) will therefore be visible to investors, and may become a factor in how its stock is valued.
Investors increasingly weigh the security posture of the companies they hold, and they will now get a clearer view of which companies are doing things right and which aren’t. These rules also put pressure on boards and executives to become proficient in cybersecurity, and fast.
The SEC has a history of aggressive enforcement of its disclosure rules, so companies that fail to comply with these new requirements can expect investigations and potentially hefty penalties.
Although the rules apply directly only to public companies reporting in the U.S., privately held businesses will be affected in several ways, and it’s reasonable to expect that more private companies will need to meet similar standards in the future. Private companies that provide services to public registrants will be asked about their security as part of their customers’ third-party oversight, and any private company planning to go public faces the same scrutiny head-on.
For private companies with plans to go public, it’s safe to assume that their security posture will be examined as part of investor due diligence. A weak security posture or a minimal cybersecurity strategy may dampen an IPO, or prevent it altogether if investors are spooked.
So, how can public and private companies prepare to meet the new SEC rules by December of this year? That depends on the state of their current security program. The SEC isn’t mandating that specific security controls be in place; the rules are about disclosure. But a company cannot detect, scope, and assess the materiality of an incident fast enough to meet the four-business-day window without a mature security program behind it.
At a high level, businesses need to take three steps:
You don’t need a billion-dollar security program to meet SEC requirements; focus on having the basics in place first. To detect, scope, and disclose a breach on this timeline, companies need solid detection and response capabilities and enough visibility to spot attackers, unauthorized users, or malicious software quickly. That includes endpoint detection and response, advanced email protection, cloud protection, user behavior analytics, centralized logging so responders can reconstruct what happened, training for your teams, and more. It’s then vital to assess your program on an ongoing basis, annually at a minimum.
A good security program is more than tools and software. It is a set of processes and procedures that require buy-in from everyone in the company. A large share of breaches involve human error, so training is a must. The SEC rules also require companies to describe their board’s oversight of cyber risk and management’s expertise in handling it, meaning now is the time for IT and security teams to take a seat at the table and advocate for the necessary training and tools. By getting buy-in from the board, companies can take a top-down approach to adopting a security-first mindset. On the Defense in Depth podcast, information security expert Steve Zalewski said that the new rules can be seen as guidance on the path to risk maturity. Framed this way, the rules should be a welcome change for businesses lacking the appropriate security controls.
Without outside help, it’s unrealistic to expect a business with a weak security posture to become cyber resilient by December. Building a comprehensive security program takes considerable time and expertise. Even with a full in-house security team, it can take years to evaluate the crowded market of security platforms, choose the right tools, build out the processes, and train employees on security best practices. With the right managed security partner, however, businesses can have a working security program in weeks.
With SolCyber, organizations can expect to have a full security program up and running quickly and at a price point they can afford. Our Foundational Coverage and 24/7 monitoring and detection services give SMEs the detection and response capability the rules presuppose, so an incident can be identified, scoped, and escalated to decision-makers in time to meet the four-business-day disclosure window. The disclosure itself remains the registrant’s obligation, but the work that makes it possible on that timeline is something a partner can carry.
If you need to comply with the SEC rules by the December deadline, or want to get ahead of a potential extension of similar obligations to private companies, reach out to the SolCyber experts today.