SEC Ruling Is a Win for Citizens’ Digital Information
An SEC ruling not only should provide benefits to investors and consumers, but also help to keep corporations safer from cyber attacks.
October 13, 2023
The US Securities and Exchange Commission recently adopted rules mandating that registrants disclose material cybersecurity incidents they experience as well as information related to cybersecurity risk management, strategy, and governance. Foreign private issuers must also make comparable disclosures.
Combined, the rules will prove to be a significant benefit for all US citizens. These new SEC rules require that a form be filed four days after a registrant -- which is any company that files documents with the SEC -- determines that an incident could impact the decisions of a reasonable investor.
Benefits of Timely Incident Disclosure
Timely disclosure of an incident helps companies and investors alike because delays in disclosure can increase the possibility of harm to impacted parties. Consumers and investors may lose trust in a company if they believe it has not been transparent about an incident, leading to a decline in stock prices that hurts everyone involved.
Understandably, there is an exception to the rules if the US Attorney General determines disclosure could pose a threat to national security or public safety. Still, the new standard for disclosure helps to fulfill any legal obligations to report at the federal and state levels, and it empowers consumers and affected parties to move quickly to minimize harm resulting from a material incident.
Despite a growing number of requirements for cybersecurity and incident reporting, many organizations still resist disclosure. A Bitdefender survey earlier this year showed 42% of security professionals were told to cover up breaches instead of reporting them, while nearly a third actually did keep a breach confidential. This was the case when Joseph Sullivan, Uber's former chief security officer, attempted to cover up a hack in 2016; he was convicted for doing so in 2022. The conviction emphasized that covering up breaches is indeed a serious criminal offense and comes with consequences. The new SEC rule will provide increased protection from these cover-ups, as it adds more concrete requirements for timely incident disclosure by public companies.
Annual Reporting on Cybersecurity Risk Measures
The disclosures related to cybersecurity risk management, strategy, and governance give investors and the public at large greater assurance that public companies are working hard to protect their digital information. According to Verizon’s 2023 Data Breach Investigations Report, North America saw 9,036 incidents, almost entirely from external threat actors (94%) with financial motivations (99%). Small wonder, then, that the SEC is pushing for organizations to report their processes for “assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.”
The annual disclosure requirement will push organizations to invest more in cybersecurity simply because investors will have greater insight into what the company is doing to manage risk. It also brings responsibility to the board of directors, requiring a description of the board’s oversight of the risks of cybersecurity threats and how they assess and manage these risks. This change in reporting and clarity about the role of the board and management ensures that investors can apply pressure to improve overall cybersecurity in public companies.
With more robust security mechanisms in place, these organizations may discover that they will no longer be in a position where they need to disclose at all, because improved cybersecurity measures significantly reduce the number of successful material incidents. Additionally, public company boards should become better educated and aware of cybersecurity, and we may even see a shift of cybersecurity experts filling board positions.
How Can Public Companies Get Ready?
To respond to the timely disclosure rule, an organization must have a tested, comprehensive cyber incident response plan in place, backed by the cybersecurity risk management, strategy, and governance measures. On December 15, the new rule for annual disclosures goes into effect for all public companies, while the material incident disclosures go into effect on December 18 for public companies and foreign private issuers filing on domestic forms. Smaller companies have a bit more time: for them, the rule takes effect on June 15, 2024. So how can public organizations prepare for these changes?
Cybersecurity awareness: Security awareness training empowers employees by ensuring they are knowledgeable about threats and comfortable with identifying and reporting suspicious activity. Additionally, it’s important not only for boards to include cybersecurity experts but also to drive cyber awareness from the top down.
Zero-trust: Adoption of zero-trust policies and solutions is the best way to mitigate potential cyber incidents in the first place. Organizations should never trust and always verify.
Threat intelligence: Threat intelligence enables security teams to hunt for and detect known and unknown threats, strengthening cybersecurity measures.
Incident response: Establish policies and procedures in advance -- and retest them regularly -- to reduce overall response time during a material incident. This can reduce potential downtime and damage caused by a cyberattack as well as enable companies to understand when and if an incident is considered material and report on it as needed within the four-day timeframe.
The extent of an attack impacts both the recovery procedure and the obligations related to breach notifications. After successfully mitigating a cyber incident, organizations need to proceed with data restoration from backups while also tending to any vulnerabilities in their security measures. Leveraging insights gained from the incident, organizations can adapt their incident response plans and implement strategies and security measures that enhance detection and expedite containment of potential future attacks.