Update 7/26/2023: The Securities and Exchange Commission (SEC) now formally requires public companies to disclose all cybersecurity breaches within four days.
Cybersecurity risk management, strategy, governance, and incident disclosure are a growing concern for investors and a top priority for the U.S. Securities and Exchange Commission (SEC). In 2022, publicly traded companies were put on notice to prepare to adopt a new set of SEC cybersecurity rules. These new rules impose an unprecedented level of accountability and governance, along with more comprehensive disclosure of material incidents, across all industries, in order to strengthen and standardize cybersecurity incident reporting for public companies. Notable requirements organizations must take into account include:
- Cybersecurity Risk Management and Strategy
- Updating Current and Previously Reported Material Cybersecurity Incidents
- Board of Directors Governance and Cyber Risk Oversight
- Board of Directors’ Cybersecurity Expertise (if applicable)
- Management’s Role pertaining to Cybersecurity Policy and Procedures Implementation
- Identification of Material Cybersecurity Incidents and Updates to Previously Reported Incidents
Ultimately, the overarching intent of the amendments is to ensure greater transparency through prompt and enhanced disclosure of material cybersecurity incidents, to keep investors informed, to promote board accountability, and to ensure uniformity and comparability across filings. Once the rules are adopted, the SEC will likely provide further guidance on the requirements for net new disclosures in next year's 10-K and on any grace period for compliance.
Regardless of future SEC commentary, it is important to act quickly on three critical components of a data protection strategy, not only to comply with SEC rules and regulations, but also for sustained cybersecurity resiliency:
- Automated and Streamlined Incident Response: automate and streamline cybersecurity incident response (IR) processes, centralize security alerts and notifications in a case management tool, and improve technology integrations. In doing so, organizations position themselves for immediate and efficient investigations that can accurately address current cybersecurity incidents as well as update previously reported ones.
- Cross-functional Collaboration: internal communication and reporting mechanisms across all business units, and effective collaboration at all levels of the organization, particularly at the management and board level, are critical for overall risk reduction. For example, by working in unison and having a plan in place for different types of cybersecurity risk, the security (or IT) and legal departments can identify, detect, and stop a cybersecurity incident as it happens. Regular communication and clearly established responsibilities among organizational stakeholders foster a fast, comprehensive response to, and mitigation of, potential risk.
- Security Education and Awareness: invest in promoting and enforcing effective and relevant security education and awareness training. While the SEC regulations add pressure and consequences for an inadequate security posture, working towards a culture in which all members of your organization are not only mindful of, but invested in, cybersecurity best practices is the most impactful organization-wide change we promote. Security guidelines may come from the SEC or other regulatory bodies, but compliance begins with building a culture that understands how cybersecurity hygiene protects its own work. An educated and risk-aware workforce can significantly reduce cybersecurity risk, and that workforce can even be your best security asset during the events that inevitably introduce more risk, such as onboarding, product development, and employee offboarding.
To learn more about what you can do to prepare for the new SEC cybersecurity rules, check out our full, step-by-step guide. You will get clearer interpretations of what qualifies as a material event, guidance on what to report, and steps to support compliance.