The SEC Cybersecurity Rules Are Now Effective – What You Need to Know

During the final week of July 2023, the U.S. Securities and Exchange Commission (SEC) unveiled new regulations focused on the reporting of cybersecurity events. This development coincides with a period marked by unprecedented levels of cyberattacks and their associated financial repercussions, highlighting the need for heightened vigilance across various sectors. Starting from the effective date of December 18th, 2023, companies that are publicly traded must now report significant cybersecurity breaches to the U.S. Securities and Exchange Commission (SEC).

The SEC’s New Cybersecurity Disclosure Requirements

The US Securities and Exchange Commission (SEC) has implemented new regulations, effective December 18, 2023, focused on improving the transparency and standardization of cybersecurity risk management, strategy, governance, and incident reporting for companies governed by the Securities Exchange Act of 1934, including those based internationally. These rules mandate companies to not only report significant cybersecurity incidents but also annually disclose their procedures for evaluating, recognizing, and handling potential cybersecurity threats and past incidents. This also involves detailing the involvement of their board and management in these cybersecurity initiatives.

Key Points

Incident Reporting: Starting December 18, 2023, all companies (except smaller ones) must report significant cybersecurity incidents swiftly using Form 8-K or Form 6-K. Smaller companies have a grace period of 270 days. The reporting must include a detailed description of the incident's nature, scope, timing, and its potential or actual impact on the company's operations and finances. However, companies are not required to share technical details that might hinder their response to the incident.

Delay in Disclosure: If deemed necessary for national security or public safety, the US Attorney General can authorize a delay in reporting up to 30 days, extendable twice under exceptional circumstances. Companies are advised to coordinate with the FBI and provide detailed information about their response to the incident for this purpose.

Annual Risk Management Disclosure: For fiscal years ending on or after December 15, 2023, companies must include in their annual Form 10-K or Form 20-F reports detailed information about their internal processes for managing cybersecurity risks. This encompasses board oversight, management’s role, the expertise of responsible individuals, their process for monitoring and preventing incidents, and how these risks are communicated to the board.

Applicability to Foreign Private Issuers: These new requirements also apply to foreign private issuers, who must report cybersecurity incidents as per their local laws and disclose their risk management processes in their Form 20-F filings.

Does the SEC Cyber Rule Require an Assessment?

Although the new SEC cyber disclosure rule doesn't explicitly mandate an IT risk assessment, it introduces Item 106 in Regulation S-K. This item necessitates that companies disclose in their annual Form 10-K report their methods for handling cybersecurity threats. This includes outlining their processes for assessing, identifying, and managing such risks, and whether these risks, including those from past incidents, have significantly impacted or are likely to impact the company. It also requires information about how the board oversees these risks and the management's role in this process.

The rule's objective is for companies to inform investors adequately about their cybersecurity practices without revealing details that might expose them to future cyberattacks. Specifically, companies need to disclose if they have systems in place for managing cybersecurity risks, particularly those related to third-party service providers. They must also reveal if they work with external experts like assessors, consultants, or auditors in these processes and how these cybersecurity practices are incorporated into their broader risk management strategies.

How Often Does the SEC Do Cyber Audits?

The SEC itself does not directly conduct cybersecurity audits of organizations. However, the SEC does play a significant role in regulating and enforcing cybersecurity disclosures and practices among publicly traded companies.

The SEC's focus is typically on ensuring that companies are complying with relevant disclosure rules regarding their cybersecurity risks and incidents. This involves reviewing the disclosures made by companies in their filings and taking enforcement action if a company is found to be non-compliant with SEC rules and regulations, which can include inadequate disclosure of cybersecurity risks or incidents.

For audits and assessments of cybersecurity practices, companies usually engage independent third-party auditors or cybersecurity experts. These external audits are often part of a company's efforts to ensure compliance with various regulations, including SEC requirements, and to strengthen their cybersecurity posture.

Penalty for Failing to Comply with the New SEC Cyber Rule

It's absolutely essential for companies to follow the SEC's cybersecurity guidelines. Neglecting these rules can result in some pretty hefty fines and legal issues. But it's not just about money; a company's reputation and the trust it holds with shareholders are also on the line. In 2023, the SEC really cracked down on this, carrying out 784 enforcement actions and doling out financial penalties totaling $5 billion. They even went as far as reimbursing $1 billion to investors who had been impacted. These actions covered everything from big-time fraud to cybersecurity threats that affected the crypto market.

For example, back in 2021 a London-based public company got hit with a $1 million fine by the SEC. They were penalized for not being upfront with investors about a cybersecurity breach two years prior and not keeping up with the SEC's disclosure standards. But they weren't the only ones caught out. A real estate settlement firm got fined $487,000 in the same year for not having proper controls in place around cybersecurity risks. They had a breach that ended up leaking customer data. These cases highlight how serious the SEC is about cybersecurity compliance and the heavy consequences for companies that do not comply.

Complying with the New SEC Cybersecurity Reporting Rules

Adapting to the SEC's new cybersecurity regulations will likely require organizations to modify their current cybersecurity practices. Companies must enhance their approach to identifying, assessing, and managing security risks that could impact investors. Influential changes for future corporate practices may include:

• Rigorous Procedures: Developing and implementing stringent processes for identifying, managing, and reporting cybersecurity risks and incidents.
• Third-Party Risk Management: Assessing the risks associated with working with or using third-party resources, particularly those that have direct relationships with investors or clients.
• Proactive Threat Perception: Shift perspectives to view cyber threats as expected occurrences, integrating this approach into business planning, supply chain readiness, and continuity strategies.
• Balanced Incident Reporting: Finding the right balance in recognizing and disclosing security incidents of importance to investors. This involves providing enough information to avoid legal issues while not increasing the company’s risk profile.
• Comprehensive Cyber Strategy Implementation: Develop and maintain cyber strategies that consist of regular risk assessments, detailed response plans, and well-structured recovery procedures.
• Global Reach of SEC Rules: The SEC's regulations are not exclusive to U.S. companies; they also apply to foreign private issuers. This means companies based outside the U.S. that are listed on U.S. stock exchanges are subject to the same SEC reporting requirements and must comply with these disclosure rules.

Turning to Compass IT Compliance can be a game-changer for companies aiming to bolster their cyber defenses. Our firm brings a wealth of expertise, offering tailored assessments and strategic advice to shore up cybersecurity frameworks. Our skilled team excels in pinpointing weak spots and crafting effective defenses, helping businesses stay ahead of potential cyber threats. Engaging with Compass IT Compliance not only helps in meeting compliance standards but also in building a more resilient digital infrastructure. This proactive and knowledgeable partnership is essential for any organization seeking to navigate the intricate landscape of cyber risks with confidence. Contact us today to learn more!