Introduction to SEC's new cybersecurity rules
Navigating the intricate landscape of cybersecurity within the realm of public companies has taken on an even more regulated dimension. The imminent implementation of new Securities and Exchange Commission (SEC) cybersecurity disclosure rules, which take effect on September 5, 2023, is redefining the shape of compliance. The new mandates encompass a range of vital changes: (1) disclosures on Forms 10-K and 20-F, beginning with annual reports for fiscal years ending on or after December 15, 2023; (2) disclosures on Forms 8-K and 6-K, required beginning December 18, 2023; and (3) Form 8-K disclosures from smaller reporting companies, required starting June 15, 2024. It’s crucial to note that these new regulations amplify prior SEC cybersecurity disclosure guidance and do not replace it. In essence, these supplemental rules will require public companies to disclose cybersecurity breaches that could have a material impact on their business within four (4) business days. Anyone who has done major Incident Response engagements will understand how hard this can be to accomplish for large breaches, where discovery and investigation can sometimes take weeks. It also increases the significance of Incident Response (IR) planning, particularly concerning the declaration of “incidents”.
Existing compliance regimes
There are many compliance regimes, such as the Cybersecurity Maturity Model Certification (CMMC) (formerly the Defense Federal Acquisition Regulation Supplement (DFARS)), the Health Information Technology for Economic and Clinical Health Act (HITECH) and the General Data Protection Regulation (GDPR), each of which establishes a “shot-clock” for when a security incident or breach must be declared. The key here is to have a solid incident response plan tailored to the distinct requirements of each regulation, which includes the following:
- All anomalous activities that might escalate into a security incident should initially be called an “event”;
- The communications plans for discovering security events should have a clear reporting structure which limits the initial audience when events are discovered;
- If an event looks like it might be escalated, the IR plan must designate who the incident lead is, and outside counsel should be engaged for the purposes of privilege as soon as possible;
- There must be a reasonable period of investigation to determine the extent of a security event and its impact on data (especially regulated data) and company confidential information, as well as the impact on customers and third parties; and
- Perhaps most importantly: only the designated IR Lead can declare an actual incident.
Additional implications to the SEC's new cybersecurity rules
Companies must now assess their cybersecurity risks and develop incident response plans. This can be a complex and time-consuming process, but it is essential for ensuring compliance with the new regulations.
Companies must be able to identify and report cybersecurity breaches in a timely manner. This means having a process in place for detecting and investigating breaches, as well as for communicating with investors and regulators.
Finally, companies must be able to demonstrate that they are taking steps to improve their cybersecurity posture. This may involve implementing new security controls, training employees on cybersecurity best practices, or conducting regular security assessments.
The SEC’s new cybersecurity disclosure rules are a significant step forward in protecting investors from the risks of cyberattacks. However, compliance with these rules is not easy. Public companies must take a proactive approach to cybersecurity and make a significant investment in their security posture.
Some of the cybersecurity implications of the SEC’s new disclosure rules include the following:
Strategic incident response planning
Increased focus on cybersecurity: The SEC’s new rules will put a spotlight on cybersecurity for public companies. This will likely lead to increased investment in cybersecurity measures and a heightened awareness of the risks cyberattacks pose. Having a well-defined incident response plan that outlines the steps to be taken in the event of a breach, from immediate containment and mitigation to thorough investigation and communication strategies, is crucial to minimizing damage and complying with the new rules.
Heightened transparency and accountability
Improved transparency: The SEC’s new rules will require public companies to disclose cybersecurity breaches that could have a material impact on their business. This will improve transparency for investors and help them make informed decisions about their investments, underscoring the importance of robust incident detection and response mechanisms.
Legal and regulatory considerations
Stronger enforcement: The SEC has said that it will take enforcement action against public companies that fail to comply with the new cybersecurity disclosure rules. This will help to deter non-compliance and ensure that public companies are taking cybersecurity seriously. Engaging outside legal counsel establishes an important collaboration between cybersecurity teams and legal experts.
Unpacking the impact of SEC’s new cybersecurity rules and tips for improving cybersecurity posture
In summary, the SEC’s recent cybersecurity disclosure rules are a proactive stride in safeguarding investor interests. However, it is important to note that these rules represent just one segment of a comprehensive strategy. Public companies must also take steps to improve their cybersecurity posture and implement robust protective security measures. Through such initiatives, they can not only fortify themselves from the risks of cyber threats, but also extend a shield of security to their valued investors. Unlocking a stronger cybersecurity stance is well within your reach as a public company. Here’s how you can make it happen:
Designate a Chief Information Security Officer (CISO)
Designate a CISO who can take the lead in developing and executing your company’s cybersecurity strategy. This key individual will be your guide, ensuring that all cybersecurity initiatives are aligned and effective. If you’re struggling to hire a CISO, or if you don’t have the budget, you can accomplish this through an outsourced provider.
Embrace regular security assessments
Regular security assessments will act as a compass and guide you away from potential cybersecurity pitfalls. By systematically identifying and mitigating risks, you erect formidable defenses against potential breaches and vulnerabilities.
Empower your team through training
Your workforce is your first line of defense. By training employees on cybersecurity best practices, you arm them with the knowledge to recognize and thwart threats such as phishing attacks and malware. This proactive approach fortifies your company’s digital fortress.
Craft a comprehensive incident response blueprint
The key to success is preparation: create a detailed plan for responding to cybersecurity incidents. This blueprint should outline steps for notifying affected parties, containing the incident, and the path to recovering from it. With this plan in place you’ll be able to tackle unforeseen challenges head-on.
By embracing these actionable steps, you’re not only bolstering your cybersecurity but also ensuring regulatory compliance. Remember, these steps are your roadmap to a more resilient digital landscape and to creating a culture of vigilance and preparedness that safeguards your company and employees, as well as your investors and stakeholders.
Navigating the future: Partnering for cyber resilience and compliance
As you set out to bolster your cybersecurity in the midst of evolving regulations, it’s crucial to recognize that you’re not tackling this challenge alone. At Cyber Defense Group, we can be a trusted partner on your journey towards cyber resilience. Our comprehensive Cybersecurity Assessment services are tailored to help you navigate the intricacies of the new SEC rules and beyond. By partnering with us, you’re not only embracing compliance; you’re empowering your organization to thrive in a rapidly changing digital landscape. Let’s work together to ensure your cybersecurity posture remains strong, adaptable, and aligned with the demands of the future. Remember, cybersecurity is a shared responsibility.
Get in touch with us today and take a proactive step towards a secure tomorrow. Find out more about our Security Assessments today!
Ready to book a meeting to discuss your cybersecurity strategy instead? Book your meeting directly here.