Navigating the New SEC Cybersecurity Rules: What Companies Need to Know

5WPR News
12.14.23


The U.S. Securities and Exchange Commission (SEC) has introduced new cybersecurity and breach disclosure rules set to take effect on December 15, 2023. The new rules primarily affect publicly listed companies, but private and smaller firms will likely still feel the impact. With only a few days until the rules take effect, companies must move quickly and thoroughly to understand and prepare for the changes. 

The rules mandate stringent incident reporting and governance disclosure requirements for publicly listed companies. The most significant change from previous policy is the short window of four business days that firms have to formally disclose a material cyber incident. Throughout the mandate, the SEC underscores the importance of preparedness, emphasizing not just the potential but rather the expectation that organizations will face genuine threats and potential breaches.

For companies to remain in compliance with these multifaceted rules, they must establish and implement a comprehensive cyber-risk management program beyond just creating a series of checklists. While public companies will feel the most direct impact, most of these enterprises employ a vast supply chain of privately owned, third-party software vendors. Notably, under the SEC regulations, any cyber incident that occurs at such a vendor will fall under the required disclosure umbrella if it had material impact. These smaller firms have likely not taken significant steps to prepare for that possible ripple effect since they were not explicitly named as included when the SEC first announced these changes in July. However, with the changes coming into effect now, publicly traded companies need to arm both themselves and their supply chains with the proper programs to ensure compliance, and private companies need to move quickly to ensure they remain a competitive vendor to the businesses they support.

Understanding is the foundation of proper preparation. The rules contain three fundamental elements that businesses and executives must understand in order to remain compliant and to effectively protect their organization from both SEC fines and cyberattacks:

  • Disclosure of Material Cybersecurity Incidents: Publicly listed companies experiencing a cybersecurity incident deemed material must disclose it within four business days of confirming its significance.
  • Annual Reporting on Cybersecurity Risk Management: Companies are obligated to annually report new cybersecurity disclosures. This includes outlining processes for identifying and managing material risks from cybersecurity threats, detailing any significant effects of these risks or previous incidents, and more.
  • Comparable Disclosures for Foreign Private Issuers: Foreign private issuers are required to provide disclosures to the SEC that align with the regulatory expectations.

What companies can do:

Here are key actions to consider:

  • Assemble a Cross-Functional Team: Gather leaders from various business functions to deliberate on the implications of these rules. Engage representatives from IT, legal, finance, HR, government relations and communications to ensure a coordinated response. Evaluate existing plans and protocols for necessary updates.
  • Revamp Incident Response Plans: Refresh cybersecurity incident response plans and conduct simulations to ensure readiness. Update protocols and familiarize leaders with their roles. Tabletop exercises can help simulate real incidents and prepare employees for effective responses.
  • Prepare for Annual Reporting: Anticipate the inclusion of cybersecurity risk management information in the company’s annual report. Review existing data, identify gaps, and strategize on communicating the cybersecurity risk management, strategy, and governance within the broader annual reporting process.

Threats are no longer a mere possibility — they should be expected and seen as inevitable. As companies brace themselves for the new SEC disclosure rules, prioritizing cybersecurity preparedness is not just a regulatory necessity but a strategic imperative to safeguard against evolving cyber threats.
