In the face of escalating cyber threats, the Securities and Exchange Commission (SEC) has finalized and released a new rule for public companies. The “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” rule, adopted on July 26, 2023, aims to protect investors by requiring consistent, comparable disclosure of how a company manages cybersecurity risk, how its board and management oversee that risk, and which incidents have materially affected it. It is a disclosure rule: it does not prescribe particular security controls, but it does put a company’s security processes and incident handling on the public record.
At a high level, the new rule requires the following of public companies:
- Disclosure on Form 8-K (Item 1.05) of any cybersecurity incident the company determines to be material, within four business days of that determination. The clock starts at the materiality determination, not at discovery, but the determination itself must be made without unreasonable delay after discovery. Disclosure may be delayed only if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.
- Describing, in the annual report, the company’s processes for assessing, identifying, and managing material risks from cybersecurity threats, and whether any such risks have materially affected or are reasonably likely to materially affect the company.
- Describing the Board of Directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.
- Compliance and preparation for disclosure when the requirements take effect in mid-December 2023 (see the compliance dates below).
Which Companies Must Comply with the New SEC Rule?
The SEC’s new rule applies to public companies regardless of their size or industry: domestic registrants that file annual reports on Form 10-K and current reports on Form 8-K, and foreign private issuers that file annual reports on Form 20-F and furnish reports on Form 6-K. Smaller reporting companies are covered as well, with a later start date for the incident-disclosure requirement (see the compliance dates below).
To ensure compliance, affected companies need to act promptly. The rule goes into effect 30 days after publication of the adopting release in the Federal Register; the release was published on August 4, 2023, making the effective date September 5, 2023. Public companies must therefore begin preparing now to meet the requirements set forth by the SEC and align their cybersecurity programs with the new disclosure obligations, both to strengthen their defenses and to protect the interests of their investors and customers.
If your company is a public company, understanding and preparing for compliance with this rule is essential. Let’s delve into eight crucial things companies need to know to comply effectively with the SEC’s groundbreaking mandate.
1. The SEC’s Call to Action
The rise in cybercrime, together with inconsistent and often delayed incident disclosure by public companies, prompted the SEC to take a proactive stance in safeguarding public companies and their stakeholders. The new rule sets out comprehensive cybersecurity risk management, strategy, governance, and incident disclosure requirements so that investors receive timely, consistent, and comparable information about the risks a company faces.
2. Taking the First Steps
To prepare for compliance, public companies must start with a thorough assessment of their existing cybersecurity measures, because the annual report will have to describe those processes accurately. Identifying vulnerabilities, potential threats, and shortcomings, and in particular confirming that an incident-response process exists that can support a materiality decision within days of discovery, lays the foundation for a more robust strategy.
3. Embracing a Risk-Management Mindset
Complying with the rule entails adopting a proactive, continuous approach to risk management. The annual disclosure asks, among other things, whether the company’s cybersecurity processes are integrated into its overall risk management, whether it engages assessors, consultants, or auditors, and whether it has processes to oversee risks from third-party service providers. Public companies must therefore continuously evaluate and adjust their cybersecurity strategies to address evolving threats effectively.
4. Developing a Comprehensive Strategy
Creating a well-defined cybersecurity strategy is critical to meeting the rule’s requirements. Companies should focus on preventive controls, incident response procedures, and resource allocation for maximum effectiveness. The incident response procedure in particular needs a defined path for escalating an incident to the people who decide whether it is material, since the four-business-day disclosure clock runs from that decision.
5. Reinforcing Governance Structures
The rule requires companies to describe the board of directors’ oversight of risks from cybersecurity threats, including which board committee or subcommittee (if any) is responsible and how the board is informed about those risks, as well as management’s role and relevant expertise. Public companies must strengthen governance structures so that cybersecurity remains a standing priority at the board and executive level, and so that this description can be made truthfully.
6. Timely Incident Disclosure
Incident disclosure is a vital aspect of the rule. Once a public company determines that a cybersecurity incident is material, it must disclose on Form 8-K, within four business days, the material aspects of the incident’s nature, scope, and timing, and its material impact or reasonably likely material impact on the company, including on its financial condition and results of operations. The disclosure does not have to include specific technical details about the company’s systems or its planned response where doing so would impede response or remediation. Transparency in incident reporting bolsters investor and customer confidence.
7. Collaborative Efforts
Compliance with the SEC’s rule necessitates the cooperation of multiple departments. Companies should foster cross-functional collaboration between IT and security, legal, finance, investor relations, and management to ensure a holistic and effective cybersecurity approach, and to make sure a materiality decision can be reached quickly when an incident occurs.
8. Staying Updated with Best Practices
The cybersecurity landscape is ever-evolving. The SEC’s rule does not prescribe specific controls or standards, but because companies must describe their risk-management processes in their annual reports, those processes are exposed to scrutiny by investors and regulators. Keeping current with established best practices and industry standards, and implementing effective cybersecurity technologies and practices, will help companies adapt to emerging threats and stand behind what they disclose.
Disclosure and Reporting Requirements
As noted in a press release from the SEC on July 26, 2023, the rule includes a variety of disclosure and reporting requirements. “The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure.” With the adopting release published in the Federal Register on August 4, 2023, the incident-disclosure requirement therefore applies from December 18, 2023 for most companies and from June 15, 2024 for smaller reporting companies.
The SEC’s “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” rule marks a turning point in cybersecurity governance for public companies. By fostering a culture of proactive risk management, bolstering governance structures, and prioritizing timely incident disclosure, companies can both build a stronger defense against cyber threats and give investors an accurate picture of the risks they face.
Next Steps: Complying with the New SEC Rule
Compliance with the rule is not merely a regulatory obligation; it is a proactive step towards safeguarding an organization’s reputation, investors’ trust, and customers’ data. Public companies should embrace this transformative mandate with a dedication to protecting their digital landscape.
As the cyber landscape evolves, so must our security practices. Together, we can build a resilient and secure future for public companies and stakeholders alike.
EXTEND Resources helps organizations comply with information security and data privacy requirements. Organizations look to our experts to develop effective strategies and comprehensive governance, risk management, and compliance programs that enhance security maturity.
Public companies can depend on EXTEND to help them manage comprehensive security programs including assessing existing cybersecurity practices, identifying gaps and risks, developing and implementing controls designed to reduce risk, engaging stakeholders across the organization, assisting with incident disclosure, and continuously improving programs to maintain best practices.
Disclaimer: The information provided in this blog post is for informational purposes only and not intended as legal advice. Public companies are advised to consult with legal and cybersecurity experts to ensure accurate and up-to-date compliance with the SEC’s Cybersecurity Rule.