The U.S. Securities and Exchange Commission (SEC) has been busy trying to protect investors from losing funds due to cyberattacks. As the number of cyberattacks continues to rise, the SEC has taken a hard stance: A breach is an inevitability. To help affected parties, companies need to be prepared and communicate when an incident occurs.
In March of 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was signed into law. The SEC has since proposed additional updates to expand on regulations set by the Cybersecurity and Infrastructure Security Agency (CISA) in early 2023. In July, the SEC adopted new rules on cybersecurity risk management, strategy, governance, and incident disclosure. The latest updates apply to all public companies, but since these iterative regulations have come out in quick succession, it stands to reason that they may be expanded to all companies in the near future. There have, in fact, already been instances of the SEC investigating private companies.
As for the regulations that are currently on the table, companies should start preparing now as the regulations go into effect this December. So what do these regulations say, who do they apply to, and how can a company ensure compliance? We’ll cover all that and more.
What are the new SEC cybersecurity regulations?
The new regulations primarily focus on three things: (1) incident reporting, (2) risk management, and (3) governance. They apply to all companies registered with the SEC, which essentially covers all public companies conducting business in the United States. However, certain regulations extend to a company’s business partners and service providers, meaning that privately held businesses could be affected as well.
At a high level, these rules require companies to disclose material cybersecurity incidents within four days of their occurrence, a considerably shorter time frame than what has historically been expected. They also require companies to disclose information regarding their cybersecurity risk management, strategy, and governance.
Reporting cyber incidents
When it comes to disclosing any “material” cyber incidents, the SEC rules state that companies must “describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant” within four days of the incident. Companies will report this information on the new Item 1.05 of Form 8-K. Because this window is incredibly tight, it will be essential that businesses have a robust detection and response strategy in place.
Disclosing cybersecurity efforts
The new rules also require registrants to describe their processes for “assessing, identifying, and managing material risks from cybersecurity threats.” Companies must also describe their board of directors’ oversight of cybersecurity threats as well as management’s role and expertise in assessing and handling material risks from cybersecurity threats. This information should be reported on Form 10-K. This means, of course, that every company’s cybersecurity program and strategy (or lack thereof) will now be available to investors, making it an important element that may affect stock prices.
Investors are increasingly looking at the security posture of companies, and they’ll now get a clear view of which companies are doing things right and which aren’t. These regulations also put pressure on boards and executives to become proficient in cybersecurity — fast!
Historically, the SEC has come down hard on companies, so companies that don’t comply with these new regulations can expect to pay hefty fines.
How new SEC rules affect privately held businesses
Although these new rules primarily apply to public companies conducting business in the U.S., there are several ways privately held businesses will be affected. It’s reasonable to expect that most or all private companies will need to comply with these rules in the future. Here’s why:
- Public companies must disclose vendor vulnerabilities: Supply chain attacks are increasingly common. When one company falls, so do its vendors, partners, and clients. To combat this, the SEC requires companies to disclose vulnerabilities created by service providers and business partners. This means that any privately held business that conducts business with a public company will have its security vulnerabilities published. This poses two big problems for privately held businesses:
  - If their security posture is too weak, the public company may not want to take on that risk publicly. Instead, it may choose to partner with a vendor that has a more sophisticated security program.
  - If a public company reports on a private company’s poor security program, or lack of a security program, that may open the private company to attacks once its vulnerabilities or weak security posture are made public.
- The SEC investigates private companies: Even though its cybersecurity rules have historically been limited to public companies, the SEC has already investigated private companies in relation to data breach issues. Just earlier this year, the SEC subpoenaed law firm Covington & Burling LLP, requesting the names of clients whose information was impacted in a cyberattack. It’s safe to assume that investigations like these will happen again. In other words, any private company may find itself under the purview of the SEC if a cyber incident should occur.
- Compliance has an impact on stock price/IPO: These new rules are likely to have a direct impact on stock prices. Investors review 10-Ks to determine a company’s financial performance before investing in a company. By including information on a company’s security practices on this form, the SEC is saying it sees a direct tie between security posture and monetary value. As investors review these forms, a company’s security posture will likely be a determining factor in their decision to invest. Meanwhile, 8-Ks are meant to notify shareholders of significant events, which now include security breaches.
For any private companies that plan to go public, it’s safe to assume that their security posture will be scrutinized as part of investor due diligence. A poor security posture and/or minimal cybersecurity strategy may dampen a successful IPO, or prevent it altogether if investors are spooked.
How to prepare for the December deadline
So, how can public and private companies prepare to meet the new SEC regulations by December of this year? That depends on the state of their current security program. With these regulations, the SEC isn’t mandating that certain security protocols be in place, but businesses will need to have a mature security program in order to comply with the four-day reporting rule.
At a high level, businesses need to take three steps:
Invest in the basics
You don’t need a billion-dollar security program to meet SEC requirements — focus on having the basics in place first. To detect and disclose a data breach within four days, companies need sophisticated detection and response capabilities. Your company needs full visibility to ensure you can see bad actors, unauthorized users, or malicious software immediately. That includes endpoint detection and response, advanced email protection, cloud protection, user behavior analytics, training for your teams, and more. It’s then vital to assess your program on an ongoing basis — annually at a minimum.
Build a security culture within your organization
A good security program is more than tools and software. It is a series of processes and procedures that require buy-in from everyone in the company. A vast majority of breaches occur due to human error, so training is a must. The SEC rules also require that boards be well-versed in cybersecurity, meaning now is the time for IT and security teams to take a seat at the table and advocate for the necessary training and tools. By getting buy-in from the board, companies can take a top-down approach to adopting a security-first mindset. On the Defense in Depth podcast, information security expert Steve Zalewski said that the new rules can be seen as guidance on the path to risk maturity. By framing the regulations in this way, they should be a welcome change for businesses lacking the appropriate security controls.
Work with a managed security partner
Without outside help, it’s unrealistic to expect a business with a weak security posture to become cyber resilient by December. Building out a comprehensive security program takes considerable time and expertise. Even with a full in-house security team, it could take years to sift through thousands of security platforms and find the right tools while simultaneously building out the processes and training employees on security best practices. With the right managed security partner, however, businesses can have a good security program in weeks.
With SolCyber, organizations can expect to have a full security program up and running quickly and at a price point they can afford. With our Foundational Coverage and 24/7 monitoring and detection services, SMEs will be fully compliant with SEC standards and can meet the four-day disclosure deadline without missing a beat.
If you need to be compliant with SEC rules by the December deadline or want to get ahead of a potential extension of the rules to cover private companies, reach out to the SolCyber experts today.