Navigating the SEC Cybersecurity Regulations: How to adapt for compliance

SEC set on top of American flag

On July 26th, the Securities and Exchange Commission (SEC) officially unveiled the much anticipated new rules on cybersecurity risk management, strategy, governance, and incident disclosure by public companies. The development of these new rules has been met with some controversy, and there have been significant revisions since the publication of the Notice of Proposed Rulemaking (NPRM) in March 2022.  After a final 3-2 vote, they are now in effect, and companies now have only five months to address some of the requirements.

An overview of the SEC Cybersecurity Regulations

The SEC’s regulations recognize that cyber threats pose a serious risk to our capital markets and are therefore placing cybersecurity on top of its enforcement priorities. The commission will now require companies to make prompt, robust disclosures of cybersecurity incidents and implement protective measures against cyber attacks.

The SEC has introduced three key cybersecurity initiatives in response to the evolving cyber threat landscape:

  1. Additional rules addressing cybersecurity risk and related disclosures.
  2. Rule amendments to better inform investors about a company’s cybersecurity risk management, strategy, and governance, and timely notification of significant cybersecurity incidents.
  3. Rules to enhance fund and investment adviser disclosures and governance related to cybersecurity risks.

These rules require companies to disclose cybersecurity incidents within four days of discerning a material impact on their business operations with a Form 8-K. The rules also require businesses to provide detailed insights into their cybersecurity risk governance in their annual filings (Form 10-K). The adoption of these rules marks a significant shift in the cybersecurity landscape, reinforcing the need for effective exposure management.

Upcoming deadlines for the SEC’s Cybersecurity Requirements

There is not much time for security leaders to adapt to the new regulatory requirements. The requirement to describe the company’s cyber risk management, strategy, and governance will be effective December 15, 2023. The incident disclosure requirement will be effective from either December 18, 2023, or 90 days after Federal Register publication. Smaller companies will have until June 15, 2024, to comply with the incident disclosure requirement.

It’s worth noting that there is no current alignment between the SEC’s reporting requirement and state-level data breach reporting laws, or the proposed Critical Infrastructure Incident Reporting requirements from the Cybersecurity and Infrastructure Security Agency (CISA). Therefore, there will be a complex matrix of reporting requirements for security and legal teams to address in the event of a serious security incident.

Key questions for security and risk leaders

To ensure compliance with the SEC’s new regulations, chief information security officers (CISOs) and chief risk officers (CROs) should consider the following questions:

  • Do we have a robust process for reporting cybersecurity incidents? It’s crucial to understand the internal escalation and external reporting processes, and ideally, test them before an event occurs.
  • How do we determine the materiality of a breach or attack? The responsibility of determining materiality should be shared among the CFO, General Counsel, CISO, CIO, and front-line business leaders.
  • Are our processes for determining materiality thoroughly documented? If the SEC questions your conclusion, you need to provide detailed documentation of your processes and considerations.
  • What level of information should we disclose? Balancing compliance with the need to protect sensitive information is a critical consideration.
  • Can we report within the four-day period? The clock starts ticking not when the incident occurs or is detected, but when it is determined to be “material.”
  • How will we comply with the requirement to report related occurrences that qualify as “material”? Events that are related need to be reported if a company determines they’re material.

How to comply with the SEC requirements with exposure management

Given the short window public companies are working under to comply with SEC standards, organizations will need to act quickly to avoid non-compliance. To ensure SEC reporting is accurate, security and risk leaders must prioritize achieving the right level of visibility into their cybersecurity posture.  Additionally, executive management and the Board of Directors will also expect more detailed reporting and insights into the organization’s current level of cyber resilience.

An effective threat exposure management program gives security leaders the confidence that they have a complete understanding of their cyber estate and the security posture of all of their assets. This allows them to build reporting against different control frameworks such as the NIST Cybersecurity Framework (CSF) or CIS Critical Security Controls and ensure that their business is adopting the right preventative measures to meet the SEC standard.

Also, by understanding not only the current security status of their assets, but also the potential business impact to high-risk applications, or employees, they are better able to address ‘materiality’ and ensure that they are reporting cybersecurity incidents that meet this threshold.