With breaches continuing to make headlines daily, the new SEC cybersecurity rule arrives at an opportune time. A cyber incident can be expensive if a malicious actor disrupts regular business operations, demands a large ransom, or steals sensitive customer information or valuable intellectual property, and the damage to your company’s reputation is likely to grow while you work to contain the breach. To defend themselves against these threats, businesses need their legal, IT, risk, audit, and ESG teams to carefully select and continuously monitor third-party vendors.
The recently finalized Securities and Exchange Commission (SEC) cybersecurity rule is aimed at giving investors more transparency into cybersecurity risk management, governance, and incidents. Its incident disclosure requirement takes effect on December 18, 2023 for publicly traded companies on a U.S. stock exchange, and on June 15, 2024 for smaller reporting companies; the annual risk management and governance disclosures apply to all registrants for fiscal years ending on or after December 15, 2023. Because the rule requires corporations to publicly disclose certain aspects of their security programs, businesses that proactively identify and address vulnerabilities will have an advantage.
Under the SEC’s new cybersecurity rule, companies must disclose a cybersecurity incident on Form 8-K within four business days after determining that the incident is material, with a narrow exception discussed below. The SEC sets no fixed deadline for reaching that determination, but it must be made without unreasonable delay. The final rule does not require companies to disclose the cybersecurity expertise of individual board members; it does require them to describe management’s role and expertise in assessing and managing material cybersecurity risks. The rule has many other requirements, which we discuss in this article.
In this blog, we will look at what the new SEC cybersecurity rule requires, who it impacts, how your organization can prepare for its enforcement, and what best practices you can follow to ensure its implementation.
What is Included in the SEC’s New Cybersecurity Rule?
Companies must report material cybersecurity incidents on Form 8-K (Item 1.05) within four business days of determining that an incident is material, describing the nature, scope, and timing of the incident and its material impact, or reasonably likely material impact, on the company, including its financial condition and results of operations. If any of that information has not yet been determined or is unavailable at the time of filing, the company must say so and file an amended Form 8-K within four business days of obtaining it. Companies must also describe their cybersecurity risk management, strategy, and governance in the annual report on Form 10-K (Regulation S-K Item 106), covering items such as the following:
- A description of their processes for assessing, identifying, and managing material risks from cybersecurity threats, and whether and how those processes are integrated into overall risk management;
- Whether they engage assessors, consultants, auditors, or other third parties in connection with those processes;
- Whether they have processes to oversee and identify risks from the use of third-party service providers;
- Strategies for incident prevention, detection, and mitigation, including business continuity and recovery in case of a breach, to the extent they form part of those processes;
- Whether any risks from cybersecurity threats, including previous incidents, have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations, or financial condition; and,
- The board’s oversight of risks from cybersecurity threats, including which board committee or subcommittee is responsible and how the board is informed.
Companies must also describe management’s role in assessing and managing those risks, including the relevant expertise of the responsible managers or committees, how they are informed about and monitor incidents, and whether they report to the board.
The rule also establishes a narrow exception to the four-business-day deadline: disclosure may be delayed if the Attorney General of the United States determines that it would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing. The initial delay is limited to 30 days and can be extended by up to an additional 30 days, with a further extension of up to 60 days available only in extraordinary circumstances.
The rule states that you must determine whether a cybersecurity incident is material without unreasonable delay, but it does not say how long you have to do it. In practice this means the materiality analysis cannot be deferred to suit a reporting calendar: the four-business-day clock starts at the materiality determination, not at discovery of the incident.
Here are some other disclosures mentioned under the requirements:
- Disclosures about cybersecurity risk assessment, identification, and management policies and procedures, and management’s involvement in their implementation.
- Firms are not required to disclose the cybersecurity expertise of their board members; they must, however, describe the role and expertise of management in assessing and managing cybersecurity risks.
- Disclosures must be tagged in Inline eXtensible Business Reporting Language (Inline XBRL), beginning one year after the initial compliance date, which makes it possible for investors to extract and examine the data quickly.
Foreign private issuers must furnish material cybersecurity incidents on Form 6-K and provide the risk management and governance disclosures in their Form 20-F annual report.
Who Does the New SEC Cybersecurity Rule Impact?
Because cybersecurity and compliance are so closely linked, the SEC’s new rule will affect a number of parties, including:
- Investors: They will be better informed about incidents, security programs, and risk levels.
- Boards of Directors: They must strengthen their cybersecurity knowledge and oversight.
- Executives: They will have to prepare the new disclosures in coordination with the legal and financial departments, based on a thorough assessment of the company’s cybersecurity posture, which in turn supports smoother business continuity in case of a disaster.
- Security Teams: They must improve their capacity for detecting incidents and reporting them quickly enough to support a timely materiality determination.
How Can Businesses Prepare for Enforcement of the New SEC Cybersecurity Rule?
Companies can and should assess their current cybersecurity technology stack, policies, and breach response processes to get ready for enforcement of the rule. Running a data risk assessment to evaluate your security posture is also wise. The steps listed below will help you prepare for the new SEC disclosure rules:
- Modify Incident Response Processes
Companies should review their cybersecurity policies regularly to ensure they provide adequate disclosure controls and procedures, including coordination between the infosec, investor relations, and legal teams. These communication channels and policies are essential for quickly evaluating and escalating suspected cybersecurity incidents, and they should define who makes the materiality determination and on what information, since the four-business-day disclosure window begins at that determination. Policies should also be updated to reflect the new disclosure standards.
- Assess Board Oversight Structures
While your company may already disclose the board’s responsibilities for overseeing cybersecurity risk in its proxy statements, the final rule raises a wider range of board-related questions that must be addressed. The rule does not mandate a dedicated committee, but it does require disclosure of which committee or subcommittee, if any, is responsible for cybersecurity oversight, so boards that have not yet charged a specific committee with monitoring cybersecurity exposures must decide whether to do so. You should also consider increasing the time the board allots to cybersecurity during its sessions.
- Improve Cybersecurity Capabilities of Executives
Executives with cybersecurity expertise and capabilities will be in high demand now that the SEC disclosure rules are in force. You should therefore prioritize such candidates in executive searches and recruiting.
Because these executives will also be named in disclosures, annual reports, and proxy statements, companies will need to consider whether their descriptions of executive experience meet the standard set by the SEC.
- Minimize the Risk of Disclosures
The best way to prepare for any new SEC regulation is to lower the risk of compromise and breach in the first place, which reduces the likelihood of a material incident that must be disclosed. Note that the annual risk management and governance disclosures are required regardless of whether an incident occurs. Executives, legal teams, and CFOs should encourage their companies to work with an expert partner in cybersecurity and compliance who can help on many different levels.
To help lower the risk of ransomware, phishing, and other attacks, your security partner should be able to help evaluate and update your cybersecurity policies and procedures. Your partner should also be able to provide breach prevention, response, mitigation, and reporting training for the legal, infosec, and operational departments.
Best Practices to Ensure Smoother Implementation of the New SEC Cybersecurity Rule
As businesses prepare for the SEC cybersecurity rule, it will affect risk and audit teams as well as financial reporting departments. Risk and audit teams must consider strategies to minimize risk and implement a cybersecurity risk management program.
The new rule will not only put more strain on organizations experiencing an incident, since major cybersecurity events are stressful in themselves, but it will also raise the risk of non-compliance for registrants in two scenarios:
- When the SEC brings an enforcement action because it is dissatisfied with the registrant’s disclosure of a cybersecurity incident; and,
- When an incident the registrant judged not to be material later proves to be material, and the SEC brings an enforcement action against the registrant for failing to disclose it.
Given the high risk and possible repercussions of non-compliance with the SEC cybersecurity rule, organizations should aim to:
- Consider implementing layered security controls, such as multi-factor authentication;
- Review their procedures for detecting security breaches so that they can react quickly in the event of an incident;
- Examine the cybersecurity policies and customer support offered by their service providers, so that they can be sure they will be notified in the event of a security incident at the provider;
- Assess their governance, risk, and compliance (GRC) procedures and preparedness to handle a major cybersecurity event in light of the new disclosure regulations;
- Account for the possible consequences of non-compliance with the new regulations, and perform a cybersecurity risk assessment as part of the enterprise risk management (ERM) process;
- Put an effective cybersecurity and IT risk management program in place, updating current policies, procedures, and processes or introducing new ones;
- Establish and execute a strong internal control framework for their incident management program; and,
- Examine how well their cybersecurity incident management program works to confirm that internal controls are appropriately designed and operating effectively.
Being proactive can help fortify your organization’s resilience against cybersecurity threats and prepare you to respond to, mitigate, and report material cybersecurity incidents as the new SEC cybersecurity regulation requires.
Security and Compliance with Akitra!
Establishing trust is a crucial competitive differentiator for SaaS businesses courting new customers in today’s era of data breaches and compromised privacy. Customers and partners want assurance that their vendors are doing everything possible to prevent exposure of sensitive data, and compliance certification fills that need.
Akitra offers an industry-leading, AI-powered Compliance Automation platform for SaaS companies. Using automated evidence collection and continuous monitoring, together with a full suite of customizable policies and controls as a compliance foundation, our compliance automation platform and services help our customers become compliance-ready and certified for security and compliance frameworks such as SOC 1, SOC 2, HIPAA, GDPR, PCI DSS, ISO 27001, ISO 27701, ISO 27017, ISO 27018, NIST CSF, NIST 800-53, NIST 800-171, FedRAMP, CCPA, CMMC, CIS AWS Foundations Benchmark, and more. In addition, companies can use Akitra’s Risk Management product for overall risk management, our Trust Center, and our AI-based Automated Questionnaire Response product to streamline and expedite security questionnaire responses, delivering significant cost savings. Our compliance and security experts provide customized guidance to navigate the end-to-end compliance process with confidence.
The benefits of our solution include substantial savings in time, human resources, and cost, including discounted audit fees with our audit firm partners. Customers achieve compliance certification quickly and cost-effectively, stay continuously compliant as they grow, and can become certified under additional frameworks using a single compliance automation platform.
Build customer trust. Choose Akitra TODAY!
To book your FREE DEMO, contact us right here.