As the SEC readies its new rules on cybersecurity and disclosure of breaches, both public and private companies need to make sure they are complying with pertinent parts of the regulations
New cybersecurity rules from the U.S. Securities and Exchange Commission (SEC) are set to take effect on Dec. 15, 2023; and although the rules primarily target publicly listed companies, other private and smaller companies should familiarize themselves with the new rules, while preparing and monitoring their operations for their own security.
The SEC’s cybersecurity rules, adopted this past July, require publicly listed companies to comply with numerous incident reporting and governance disclosure requirements. Organizations should assume that they will experience real threats and potential breaches, the rules state.
Complying with the various and often overlapping regulations is a challenge; however, the ultimate objective should be building and employing an effective cyber-risk management program that goes beyond completing compliance checklists. Firms and companies must ensure that best practices are in place across the enterprise to prevent cyberattacks and ensure that a proper response plan is in place that effectively stops or quickly remediates real threats when attacked.
Overview of the new rules
The new rules introduce mandatory cyber-incident reporting requirements for all U.S.-listed companies. Domestic issuers must disclose material cybersecurity incidents in Form 8-K filings, and foreign private issuers must submit Form 6-K filings to disclose material cyber-incidents.
The new rules state that issuers must disclose cybersecurity incidents that are determined to be material by the company. This requirement is similar to the materiality standard for other 8-K disclosures under U.S. securities laws. Issuers must disclose the material impact of the incident on the company’s financial condition and its operations. Disclosures must be filed within four business days after a company determines that it has experienced a material cyber-incident.
However, critics argue that four days is not enough time to confirm a breach, understand its impact, and coordinate notifications. Further, there has been significant uncertainty around the definition of material incidents.
Also, U.S.-listed companies will be required to disclose risk management and governance information in relation to cybersecurity, including board proficiency and oversight of cybersecurity risks, in their annual Form 10-K and Form 20-F filings. These disclosure requirements will apply to fiscal years ending on or after Dec. 15, 2023.
While it’s not explicitly mandated, firms are expected to provide details on board proficiency in cybersecurity. This presents a challenge for many boards of directors: although a board may include individuals with high-level expertise in the field, those directors are often not intimately involved in the day-to-day activities of the organization.
Not just for public companies
Although the SEC cybersecurity rules are aimed at publicly listed companies, most public companies are reliant on many smaller third-party software and supply chain companies, and a cyberattack at any point along that chain could have a material impact. Therefore, such third-party companies — whether public or not — should also familiarize themselves with the new regulations.
Under Chair Gary Gensler’s leadership, the SEC has taken a determined enforcement approach beyond public companies and registrants such as investment advisers. For example, in a recent case and lawsuit involving the private law firm Covington & Burling, the SEC demanded the names of clients caught up in a 2020 cyberattack on the firm.
Another recent example that displayed the SEC’s willingness to charge private companies concerned a Nebraska-based clean energy company, Monolith Resources. The SEC charged Monolith, a private company, with violating Rule 21F-17 (whistleblower protection rules) because it had allegedly included language in separation agreements saying employees could report wrongdoing to agencies but were not allowed to “recover money damages or other individual legal or equitable relief awarded by any such governmental agency.”
The SEC’s willingness to stretch regulatory perimeters to private companies such as Covington and Monolith and well beyond registrants or publicly listed companies should be a warning to all companies, especially when something as critical as cybersecurity is involved. Therefore, although the current round of cybersecurity regulations from the SEC directly impacts public companies, all other organizations should familiarize themselves with the regulations.
When it comes to cybersecurity, the complexity and severity of the risk must be considered from a business risk, technology, reputational, and regulatory compliance perspective. There is no one-size-fits-all approach.
However, there are some high-level steps all companies should consider:
- Boards of directors should incorporate a structure that includes senior stakeholders in cyber-risk management.
- It should be understood that training and testing are critical components of every cybersecurity framework.
- Enterprises must invest in cyber-resilience and cyber-threat response preparedness.
- There must be a shift in mindset whereby threats should no longer be considered a surprise but rather expected or inevitable. Therefore, business planning, supply chain preparedness, and continuity planning are essential.
- Cyber policies, procedures, and practices should be extended to all third-party vendors.
- Cyber strategies, policies, and procedures must include regular risk assessments, a response plan, and recovery plans.
Companies must also test the adequacy and effectiveness of cybersecurity policies and procedures and update them continuously to ensure compliance with all applicable regulations and laws.