New SEC Cybersecurity Requirements

December 6, 2023 by Mark Nash

You've heard this one before. Cybersecurity is paramount for businesses across the globe, and as technology advances, so do the threats. The reason those statements matter today is that the U.S. Securities and Exchange Commission (SEC) adopted new cybersecurity disclosure rules in July 2023, and the compliance dates for those rules arrive this month. The rules are a response to the growing sophistication of cyber threats and to investors' need for consistent, comparable information about how companies manage them. Let's delve into the key aspects of the new SEC regulations and discuss how they may affect your business.

Understanding the New SEC Cybersecurity Requirements

The SEC's new cybersecurity rules emphasize proactive cybersecurity management and have two primary focuses. The first is the timely reporting of material cybersecurity incidents. The second is annual disclosure of a company's cybersecurity risk management, strategy, and governance. The rules apply to domestic companies registered with the SEC and to foreign private issuers, which make the equivalent disclosures on Forms 6-K and 20-F rather than Forms 8-K and 10-K.

Reporting of Cybersecurity Incidents

The first rule requires disclosure of any cybersecurity incident the company determines to be "material" under a new Item 1.05 of Form 8-K. The clock starts not when the incident is discovered but when the company determines it is material, and the rule requires that determination to be made without unreasonable delay. Once made, the company has four business days to file. The filing must describe the material aspects of the nature, scope, and timing of the incident, and its material impact or reasonably likely material impact on the company, including its financial condition and results of operations. The one exception is a delay, not an exemption: if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety, the filing may be postponed for the period the Attorney General specifies.

Disclosure of Cybersecurity Protocols

This rule requires companies to describe their cybersecurity risk management, strategy, and governance in their annual Form 10-K filing (new Item 106 of Regulation S-K, reported under Item 1C of the 10-K). The additional information companies must disclose includes:

  • Their processes for assessing, identifying, and managing material risks from cybersecurity threats, including whether those processes are integrated into overall risk management, whether they engage assessors, consultants, or auditors, and whether they cover risks associated with third-party service providers.
  • Whether any risks from cybersecurity threats, including those arising from previous incidents, have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations, or financial condition.
  • The Board of Directors' oversight of cybersecurity risks, including which committee or subcommittee is responsible and how it is informed.
  • Management's role and expertise in assessing and managing material cybersecurity risks, including which positions or committees are responsible and how they report to the board.

Potential Impact on Your Business

If your business is subject to these new SEC cybersecurity requirements, it may be time for a cybersecurity assessment. The annual disclosure asks you to describe your risk management processes, and an 8-K materiality determination is far easier to make quickly when your detection, logging, and incident response capabilities have already been tested. Penetration tests and cybersecurity assessments identify gaps in your security infrastructure and help reduce the risk of both cyber incidents and compliance failures. Here are some of the potential areas of impact on businesses from these new SEC rules.

Increased Compliance Burden

More requirements to meet means businesses will now face an increased compliance burden. Meeting them may require a significant overhaul of existing practices, policies, and technologies, and the annual disclosure means those practices will be described in a public filing that investors and regulators can read. Ensuring compliance may require a company to invest substantial time and resources.

Focus on Incident Response

The new regulations underscore the importance of incident response plans: protocols to detect, respond to, and recover from cybersecurity incidents promptly. Because the four-business-day deadline runs from the materiality determination, and that determination must be made without unreasonable delay, the plan needs a defined path from initial detection through scoping and impact analysis to a documented materiality decision by the people authorized to make it. It should also include clear procedures for notifying regulatory authorities, customers, and stakeholders in the event of a data breach, with the SEC filing now one of those notifications.

Heightened Emphasis on Vendor Management

Companies often rely on third-party vendors for various services. The SEC's new rules ask companies to disclose whether their risk management processes cover threats associated with third-party service providers, which puts how vendors handle cybersecurity squarely within the scope of the annual filing. This shift in focus calls for a comprehensive review of existing vendor relationships and may even mean finding more secure alternatives.

Impact on Investor Confidence

Cybersecurity breaches can erode investor confidence and damage a company's reputation. With material incidents now disclosed on Form 8-K and risk management described in every 10-K, investors are likely to scrutinize businesses' security measures more closely. Companies with robust, well-documented cybersecurity programs may instill greater confidence among investors.

The SEC Rules Bring Challenges but also Possibilities

The new SEC cybersecurity requirements mark a significant milestone in the ongoing battle against cyber threats. While these regulations pose challenges, they also present opportunities for businesses to strengthen their cybersecurity posture, enhance customer trust, and foster investor confidence. By embracing these changes proactively, companies can meet regulatory expectations and fortify their defenses against an ever-evolving threat landscape. Adapting to these regulations will be crucial to the long-term success and resilience of your business.