The U.S. Securities and Exchange Commission (SEC) is poised to implement new cybersecurity rules that will profoundly impact the landscape of cyber-risk management and disclosure practices. Set to take effect on December 15, 2023, these regulations, while primarily targeting publicly listed companies, hold significant implications for private and smaller firms as well.
The New Cybersecurity Framework
Adopted in July, the SEC’s rules require listed companies to meet stringent incident reporting and governance disclosure requirements. A company must disclose a material cybersecurity incident within four business days after it determines that the incident is material; a major ransomware attack such as the Darkside Ransomware Gang’s attack on Colonial Pipeline is one example. Domestic issuers report through Form 8-K filings, and foreign private issuers through Form 6-K filings.
Critics, however, argue that the four-day window for reporting is insufficient for accurately assessing and communicating the impact of a breach. The ambiguity surrounding the definition of ‘material incidents’ further complicates compliance.
Expanded Disclosures and Governance
The new regulations also extend to the realm of risk management and governance, requiring detailed disclosures in annual Form 10-K and Form 20-F filings. These disclosures must encompass the board’s proficiency and oversight of cybersecurity risks, presenting a unique challenge for boards that may lack hands-on involvement in the company’s day-to-day cybersecurity activities.
Beyond Publicly Listed Companies
While the rules are primarily designed for publicly listed companies, their reach extends further. The interconnected nature of modern business, particularly through third-party software and supply chain dependencies, means that a cyberattack on any part of this network can have material repercussions. Consequently, non-public entities, including smaller third-party companies, should acquaint themselves with these regulations.
Under Chair Gary Gensler, the SEC has adopted a robust enforcement approach that transcends the traditional boundaries of public companies and registrants. This expanded focus is evident in cases like the lawsuit against the private law firm Covington & Burling and the charges against the Nebraska-based private company Monolith Resources for alleged violations of whistleblower protection rules.
Preparing for Compliance
In this evolving regulatory landscape, it’s imperative for all companies to adopt a proactive stance toward cybersecurity. Compliance is not merely a matter of ticking boxes on a checklist but involves the development of a comprehensive cyber-risk management program.
Key Steps for Companies:
- Board Involvement: Boards of directors must incorporate robust cyber-risk management structures, engaging senior stakeholders in the process.
- Ongoing Training and Testing: Continuous training and testing are essential elements of a resilient cybersecurity framework.
- Investment in Cyber-Resilience: Companies must allocate resources towards developing robust cyber-threat response capabilities.
- Anticipating Threats: Cyber threats should be considered an inevitable aspect of business operations, necessitating thorough business, supply chain, and continuity planning.
- Extending Policies to Third Parties: Cybersecurity policies and procedures should encompass all third-party vendors.
- Regular Risk Assessments: Conducting regular risk assessments is crucial for identifying potential vulnerabilities.
- Developing Response and Recovery Plans: Companies should have well-defined response and recovery plans in place.
- Testing Policies and Procedures: Regular testing of cybersecurity policies and procedures ensures their adequacy and effectiveness.
- Continuous Updates: Cybersecurity strategies must be regularly updated to keep pace with evolving threats and regulatory requirements.
- Documenting Compliance Efforts: Maintaining detailed records of compliance efforts can be crucial in demonstrating adherence to regulatory mandates.
- Collaboration with Legal and Compliance Teams: Collaborating with legal and compliance teams can provide valuable insights into regulatory expectations and best practices.
- Public Disclosure Readiness: Companies must prepare for the possibility of public disclosure in the event of a material cyber incident.
In summary, as the SEC’s new cybersecurity rules usher in a more stringent era of cyber governance and reporting, it’s vital for all companies, irrespective of their public or private status, to familiarize themselves with the regulations and integrate robust cybersecurity practices into their operational fabric. The evolving nature of cyber threats and regulatory landscapes calls for a dynamic and holistic approach to cyber-risk management.