This guide will help cybersecurity leaders understand the SEC regulation and get started on a journey to satisfying the requirements, meeting investor expectations, and creating a cybersecurity program that will stand the test of time.
The increasing sophistication and frequency of cyber threats have exposed companies to significant risks, including data breaches, financial losses, and reputational damage. Investors have become deeply concerned that these risks can negatively impact their investment decisions. As we have previously discussed, companies and their shareholders must tackle the significant and constantly changing challenge of understanding cybersecurity risk.
On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) voted to adopt new cybersecurity requirements for publicly traded companies, creating new obligations for reporting “material” cybersecurity incidents and requiring more detailed disclosure of cybersecurity risk management, expertise, and governance. The new rules aim to enhance corporate governance and bolster protections for both boards and shareholders. Companies will be required to disclose risks in their annual reports beginning on December 15, 2023.
In Part 1 of this multi-part series, we will describe the new SEC regulations and assess potential impact on both shareholders and companies. In future articles, we will explore best practices and tools for shareholders and companies to navigate these new rules and the ever-evolving cyber threat landscape.
Understanding the New SEC Cyber Rules
There are two primary components of the new SEC cybersecurity regulations: (1) disclosure of cyber risk strategy and governance; and (2) disclosure of material cybersecurity incidents.
1. Cyber Risk Strategy and Governance
Beginning on December 15, 2023, public companies will be required to disclose information about their cyber risk strategy and governance in their annual filing (Form 10-K). This includes describing the processes for assessing, identifying, and managing cybersecurity risks; management's role and relevant expertise in cyber risk management; and board oversight of those risks (including identifying the board committees responsible for oversight). Companies must also provide insight into the potential impact of these risks on the business, its financial condition, and its operations.
The focus on director oversight is notable. Boards are expected to be well-informed about the company’s risk management strategies and its preparedness to address cyber threats effectively. This move empowers boards to be more actively involved in cybersecurity decision-making, ensuring a more comprehensive approach to risk management.
2. Material Incidents
Material cybersecurity incidents must be disclosed on a current report (Form 8-K) within 4 business days after the company determines that the incident is material. An exception allows the disclosure to be delayed if the U.S. Attorney General determines that it would pose a risk to national security. Smaller reporting companies will not be subject to this requirement for an additional 6 months.
Potential Impact on Companies and Shareholders
The new SEC cyber rules have several implications for both boards and shareholders, each contributing to improved corporate governance and long-term shareholder value.
1. Heightened Accountability
With the introduction of clearer disclosure guidelines, boards are now more accountable for their company’s cybersecurity practices. This increased transparency fosters a culture of responsibility within organizations, ensuring that cybersecurity risks are appropriately overseen by management and directors.
2. Increased Investor Confidence
Shareholders play a pivotal role in evaluating the performance of a company. By making cybersecurity disclosures mandatory, the SEC’s rules seek to provide shareholders with essential information that enables them to make well-informed investment decisions. This heightened transparency can strengthen investor confidence in a company’s ability to manage cyber threats effectively.
3. Improved Risk Management
By necessitating robust risk management practices, the SEC’s rules encourage companies to adopt proactive approaches to cybersecurity. This shift from reactive to proactive cybersecurity measures may reduce the likelihood of successful cyberattacks and minimize the potential damage caused by breaches.
As technology continues to evolve, the threat landscape for businesses will inevitably evolve with it. The SEC’s new cyber rules demonstrate the regulator’s recognition of the critical role cybersecurity plays in corporate governance. Increased regulatory requirements will necessitate a strong relationship between cybersecurity leaders and the C-suite and Board. By enhancing transparency, accountability, and risk management practices, these rules aim to safeguard companies, their stakeholders, and the broader economy from the ever-growing cyber threat landscape. For boards and shareholders, adherence to these rules ensures a safer and more secure business environment, bolstering trust and confidence in corporate entities for years to come.