The U.S. Securities and Exchange Commission (SEC) has taken a step towards increasing transparency and investor protection by adopting new rules that require public companies to disclose material cybersecurity incidents within four business days of determining that an incident is material. The regulations aim to address the rising threat landscape, including the increase in cyberattacks and data breaches that has accompanied the digitalization of business operations. This security advisory explores the background of the new rules, what they entail, and how organizations can prepare for compliance while bolstering their cybersecurity defenses through preventative measures.
The new SEC cybersecurity incident disclosure rules come at a time when the impact of cyberattacks is becoming increasingly evident. One notable case that underscored the severity of such incidents is the MOVEit breaches of 2023. The breaches, attributed to a Russian-linked cybercriminal group, exploited a vulnerability in a widely used managed file transfer product, impacting hundreds of organizations, including major government agencies, universities, and prominent corporations.
Background of the New SEC Cyber Disclosure Rules:
In March 2022, the SEC proposed new rules to standardize and enhance disclosures regarding cybersecurity risk management, strategy, governance, and material cybersecurity incidents for publicly traded companies; the final rules were adopted in July 2023. Cybersecurity threats have become an escalating risk for businesses, investors, and market participants due to the rapid evolution of technology and the monetization of cyber incidents by criminals. The new rules aim to provide consistent, comparable, and decision-useful disclosures that enable investors to assess the potential impact of cybersecurity risks on companies.
Requirements of the New Rules:
The newly adopted rules introduce a new Form 8-K Item 1.05, obliging companies to disclose any cybersecurity incident they determine to be "material" to shareholders. The disclosure must describe the material aspects of the nature, scope, and timing of the incident, as well as its material impact, or reasonably likely material impact, on the company's financial condition and results of operations. To clarify, the four-business-day disclosure clock starts only after the company determines that the incident is material, not when the incident is first detected; however, the rules require that the materiality determination be made without unreasonable delay after discovery, so a company cannot postpone the clock by deferring the assessment. The rules also permit a delay in disclosure if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing.
Additionally, companies will be required to comply with a new Regulation S-K Item 106, which requires a description of their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, and of whether risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the company. The rule also mandates disclosure of the board of directors' oversight of risks from cybersecurity threats and of management's role and expertise in assessing and managing such risks.
Timelines and Important Dates:
The final rules take effect 30 days after the adopting release is published in the Federal Register. All registrants must include the Regulation S-K Item 106 disclosures in their annual reports for fiscal years ending on or after December 15, 2023. Regarding the incident disclosure requirements in Form 8-K Item 1.05 (and Form 6-K for foreign private issuers), all registrants other than smaller reporting companies must comply beginning on the later of 90 days after the Federal Register publication date or December 18, 2023. Smaller reporting companies have an additional 180 days, and must begin complying on the later of 270 days from the effective date of the rules or June 15, 2024. For structured data requirements, all registrants must tag the disclosures required under the final rules in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.
Preparation for Compliance and Preventative Measures:
Preparing for compliance with the new SEC rules will be a challenge for many organizations, but there are essential steps that can be taken now to meet the new requirements and reduce the risk of a breach:
- Establish a Methodology for Determining Materiality: Organizations need to develop a documented, repeatable methodology for assessing and determining the materiality of cybersecurity incidents, including who makes the determination and how quickly it must be escalated. Because the four-business-day clock starts at the materiality determination, and that determination must be made without unreasonable delay, the methodology should consider both quantitative factors (financial impact, operational downtime, affected records) and qualitative factors (reputational harm, regulatory exposure, effect on investor decisions), and should treat a series of related incidents as a whole rather than in isolation.
- Implement a Process and Template for Preparing 8-K Filings: Define in advance who drafts, reviews, and files the Item 1.05 disclosure, and maintain templates for common incident types (ransomware, data exfiltration, business email compromise, supplier or third-party breaches) so that the filing deadline is met even while the investigation is still underway. Facts that are not yet known or available can be noted as such and supplemented in an amended 8-K.
- Employ Managed SIEM for Logging and Alerting: A managed Security Information and Event Management (SIEM) service can help organizations centralize logs, monitor and analyze security events, and detect and respond to threats faster. Reliable timestamps for detection, escalation, and containment also provide the evidence needed to show that the materiality determination was made without unreasonable delay.
- Implement Multi-Factor Authentication (MFA) and Strong Password Policies: Enforcing MFA, preferably phishing-resistant methods, together with strong password policies adds a layer of protection against unauthorized access to sensitive data and systems, which is the initial access vector in a large share of reportable incidents.
- Implement Incident Response Plans: A well-documented and regularly tested incident response plan is crucial to responding promptly and effectively to cyber incidents. The plan should outline the steps to investigate, contain, and mitigate a breach, and should now include a defined hand-off to legal and disclosure counsel so that the materiality assessment runs in parallel with technical response rather than after it.
- Conduct Annual Internal and External Penetration Testing: Regular penetration testing helps identify exploitable weaknesses in the company's network, systems, and applications, allowing for proactive remediation before attackers can exploit them.
- Conduct Ongoing Vulnerability Scanning: Continuous vulnerability scanning, paired with a prioritized patching process, detects newly disclosed weaknesses in near real time and reduces the window in which they can be exploited; the MOVEit breaches illustrate how quickly a vulnerability in internet-facing software can be turned into a reportable incident.
The SEC's new cybersecurity incident disclosure rules represent a significant step in promoting transparency and accountability among publicly traded companies. By complying with these rules, organizations can better inform investors about the material impact of cybersecurity risks and incidents, thereby enhancing investor confidence. To prepare for compliance and mitigate cyber risks, companies should focus on establishing a methodology for determining materiality, implementing robust incident response plans that include a disclosure workflow, and conducting regular penetration testing and vulnerability scanning. Employing managed SIEM services can further strengthen their defenses and support timely detection of potential threats. Ultimately, the combination of compliance and preventative measures will help fortify businesses against the evolving cyber threat landscape.