The SEC (Securities and Exchange Commission) recently issued a rule that imposes a greater level of transparency regarding cybersecurity risk management, governance, and incident reporting and response. Public companies listed on U.S. stock exchanges must comply with the incident disclosure requirements starting in mid-December 2023 (smaller reporting companies that meet the qualification criteria were given an additional 180 days, to mid-June 2024), and with the risk management and governance disclosures in their first annual report for fiscal years ending on or after December 15, 2023.
Because the new rule requires companies to disclose features of their security programs to the public, companies that proactively identify and fix vulnerabilities will have an advantage.
By providing investors with information about public companies' cybersecurity risk management, the SEC aims to help them make informed investment decisions for their hard-earned money.
As security becomes increasingly important to corporate governance, investors can use a company's security maturity as a market differentiator.
The regulator has taken a significant step towards improving cybersecurity disclosures for public companies by adopting rules designed to give investors comprehensive and standardized information about how registrants manage cybersecurity risk, what strategies they have implemented, what governance processes they have adopted, and what incidents they have suffered.
The new rules were adopted in July 2023 following an extensive rule-making and public comment process that began with the proposed rule in March 2022. The rules represent an official recognition that cybersecurity threats are constantly present and affect investor decisions in several ways.
It should be noted that the rules published by the US Securities and Exchange Commission apply only to SEC registrants (domestic registrants and foreign private issuers), not to companies in general. The scope is not limited to assets located in the US, however: an incident that affects a registrant's assets in other countries is still within the scope of the rules.
The rules exclude government entities, companies not regulated by the SEC (i.e. private companies that are not subject to SEC reporting requirements), and other types of organizations.
Other breach notification requirements apply to those categories and to registrants as well, and these may be harmonized or unified in some way with the SEC reporting requirements at some point in the future.
To comply with the new rules, registrants will have to report any cybersecurity incident they determine to be material under Item 1.05 of Form 8-K, describing the material aspects of the nature, scope, and timing of the incident and its material impact, or reasonably likely material impact, on the registrant, including its financial condition and results of operations.
Once a registrant determines that a cybersecurity incident is material, it will generally be required to file an Item 1.05 Form 8-K within four business days of that determination. The materiality determination itself must be made without unreasonable delay after discovery of the incident, so the clock cannot be deferred indefinitely by delaying the assessment. If the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety, and notifies the Commission in writing, the disclosure may be delayed.
In addition, the new rules add Item 106 to Regulation S-K, which requires registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, along with the material effects, or reasonably likely material effects, of risks from cybersecurity threats and of previous cybersecurity incidents on the company.
A registrant's annual report on Form 10-K will also have to describe the board of directors' oversight of risks from cybersecurity threats, as well as management's role and expertise in assessing and managing material risks from cybersecurity threats. These Form 10-K disclosures are required of all registrants, with no delayed compliance date for smaller reporting companies.
Under the rules, foreign private issuers are required to provide comparable disclosures for material cybersecurity incidents on Form 6-K, and for cybersecurity risk management, strategy, and governance on Form 20-F.
Registrants have always been obligated to disclose material cybersecurity events under their general SEC reporting requirements. What has changed in the last few years is that the timelines and the content of that reporting have become much more specific, and the new rules put a ticking four-business-day clock on the disclosure.
Taking a step back from the rules themselves, it is clear that the importance of visibility and continuous monitoring can't be overstated. Time to detection cannot run at the speed of your least experienced analyst. Platforms that provide unified visibility are preferable to a wall of separate consoles.
A robust array of telemetry must flow into the internal visibility system so that breaches can be detected and stopped, and so that the environment can be continuously monitored.
The new SEC rules make clear that cyberattack risk is a business risk for a great number of companies with operations outside of the US, which means that visibility needs to extend beyond the US to other geographies as well.
There are many ways in which companies can proactively identify and mitigate security vulnerabilities, bug bounty programs among them, and the new rules should encourage companies to invest in such proactive measures so that vulnerabilities are identified and remediated as early as possible.
A bug bounty program, combined with comprehensive security safeguards, can be a very effective means of preventing cyber incidents and of demonstrating security maturity to investors. Companies that have placed a high priority on protecting their digital assets and sensitive data will stand out more and more as investors become more aware of cyber risks.