On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) expanded its cybersecurity and cyberattack reporting requirements for publicly traded companies. The rules take effect September 5, 2023, with compliance dates staggered between 2023 and 2024, and are dependent upon company size. Publicly traded companies are required to have a cybersecurity strategy in place and disclose their ability to identify, assess, contain, and manage cybersecurity risk. In addition, if victimized by a cyberattack of “material” importance, the new rules mandate that the company must report the attack to the SEC within four (4) business days.
The SEC adopted these new rules to protect investors and improve chronic cyberattack underreporting.
Transparency and Cyber Responsibility
While the SEC rules will not impact the frequency, sophistication, or targeting of cyberattacks, the rules are intended to standardize incident disclosure, improve transparency for investors, and ensure that organizations are prepared for cybersecurity incidents. Investors should expect each publicly traded company to comply with the rules, but they still assume a fiscal leap of faith in any enterprise – regardless of how many operational and security details they know about the company.
The new rules are expected to increase transparency about how companies manage risk and to ensure they have incident response and mitigation procedures outlined as part of their defense strategy. Both investors and organizations should benefit from a renewed focus on prioritizing and expanding cybersecurity and risk management.
Cybersecurity Risk Management and Disclosure
The SEC’s 186-page document, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, does not make for light reading, but public companies are required to comply with the new cyber risk management and disclosure rules.
As a quick (albeit incomplete) summary of the new cybersecurity rules:
- Form 8-K, Item 1.05: Any cyberattack or security incident of "material" consequence to the company and investors must be disclosed on this form within four (4) business days of determining an attack is of material importance. The details of the incident's scope, impact, nature, and timing must also be disclosed.
- Regulation S-K, Item 106:
- Publicly traded companies (and foreign private issuers) must disclose the Board of Directors and management's roles, expertise, and responsibilities in cyber risk assessment, identification, and management as part of their annual Form 10-K report.
- Publicly traded companies are required (annually) to disclose their cybersecurity risk strategies, governance, risk management capabilities, and probability of investor impact. The SEC does not require disclosure of detailed technical solutions in place, tools, vulnerabilities, security gaps, or anything that could expose system and process details to the public.
The most onerous requirement of the new rules may be the 4-day timeframe to report "material" cybersecurity incidents to the SEC. Four days is a very short window in which to comply. This is particularly true in the aftermath of a breach when the entire organization will be focused on incident response, containment, and remediation. After an incident, it takes time and resources (both in-house and via third-party support services) to secure the infrastructure, systems, and environment against further damage. And now companies must spend time determining if the incident was of "material" impact and if they must report the incident.
The Impact of the Revised SEC Rules
You can imagine that even the discussion around determining if a breach is of “material” consequence could take longer than four days. And that does not include the burden of filing the required SEC forms. In addition, there has been some pushback from CEOs and CISOs due to the short timeline, the sensitivity of a disclosing breach before complete remediation, and the difficulty of discovering exactly what the hackers had access to in their systems for the reports.
Many organizations already work with CISA, DHS, and the FBI when they fall victim to a cyberattack and may feel that “help” from another agency is unwarranted. There is even some dissension among SEC commissioners discussing duplicative reporting requirements across multiple agencies, the SEC’s overreach of disclosure authority, and onerous reporting requirements. Regardless of your feelings about the new rules, they are now a business requirement.
Executives at publicly traded companies are undoubtedly responsible for promoting investor confidence, cybersecurity risk management, and data and IT security – but now must take the time, money, and resources away from managing a cybersecurity crisis to fulfill the new Item 1.05 requirements.
Become SEC Ready with TBC
Do you have a tight grip on your infrastructure, systems, data, and network? Are your cybersecurity and incident management strategies and policies ironclad? Can you get the systems and data information you need to comply with the new 4-day post-attack disclosure rule?
If you don’t have your entire business aligned with your cybersecurity risk management strategy, TBC can help your organization comply with the new SEC rules. TBC is an IT Solutions Provider with over 27 years of experience in cybersecurity, data backup and recovery, infrastructure management, and governance. Our new product offering – Extended Threat Detection and Response (xTDR) – acts as a whole-IT environment watchdog to protect your environment, monitor all traffic, and aggressively hunt for threats.
With TBC’s fully managed cybersecurity services and with the support of our security and infrastructure teams, we can help you with compliance, risk management strategy, and security maturity road mapping, and can get you the data you need to complete the new SEC reports.