What are the SEC Cybersecurity Rules?
The new SEC cybersecurity rules are a set of regulations for public companies covering cybersecurity risk management, strategy, governance, and material incident disclosure. These rules were finalized by a 3-2 vote on July 26, 2023. The SEC now requires companies to report on their cybersecurity and risk management practices. Companies are mandated to disclose any cybersecurity incident with potential material impact within 96 hours.
The requirements include establishing cybersecurity risk management policies, conducting periodic risk assessments, ensuring the presence of adequate incident response plans, and disclosing material cybersecurity events to investors. These regulations aim to increase accountability and transparency among public companies. These new rules affect over 7,000 publicly traded entities. You must now prepare to comply with the SEC’s cybersecurity rules.
Potential Pitfalls of Non-Compliance
Non-compliance could lead to legal, financial, and reputational liabilities that significantly impact your stock performance and market value.
SEC enforcement actions
The SEC has the authority to bring enforcement actions against companies that violate the new rules, which could involve penalties, fines, and other sanctions, including revocation.
Class action lawsuits
Shareholders could sue companies for damages related to delayed filing, lax risk management, insufficient controls or inadequate disclosures.
Stock exchange actions
Companies that are not compliant could fail to meet stock exchange listing requirements and risk being delisted or suspended from trading, or being required to make additional disclosures about delays.
Difficulty obtaining insurance
Insurers may deny coverage or increase premiums for non-compliant companies with greater cyber risks.
Reputational damage
Failure to comply could hurt a company's reputation with investors, shareholders, and customers, especially if major breaches result from lax security.
Competitive disadvantage
Weak cybersecurity or non-compliance may limit a company's ability to win new business or expand its offerings, creating a potential competitive disadvantage.
Material incident disclosure
Material incidents are those that a reasonable investor would consider important when making investment decisions. Companies need to disclose these incidents by filing a Form 8-K within 4 business days of determining that the incident is material. The 8-K should describe the incident's nature, extent, potential impacts, and remediation efforts. The disclosure need not include technical details that could compromise remediation or company assets. Details from the ongoing investigation should also be provided as they become available. The SEC considers prompt disclosure important for maintaining market integrity and trust.
Factors that impact materiality
The main factor in materiality is the financial impact of the incident: the monetary losses, the cost of remediation, and/or the impact on revenues. Another factor is the effect on the company's services, customers, and ability to conduct business; operational disruption, loss of customers, or downtime caused by an incident would point to material impact. Companies should also evaluate the legal risks and potential regulatory actions that could arise, including contractual obligations and violations of data privacy laws. Finally, reputational damage and loss of investor and customer trust should be taken into account, since these can have long-term impacts beyond the immediate financial losses. Keeping a documented process trail of this assessment is critical.
300-500 daily incidents of consequence
In a recent survey, over 50% of companies indicated that they process more than 10,000 incidents per day. Of these, roughly 3-5% are incidents of consequence, meaning confirmed compromise or damage. Imagine conducting materiality assessments for 500 incidents per day: a 5% delay could result in an annual backlog of over 9000 incidents. Companies must also consider third-party or vendor incidents of consequence that could be material to them. Additionally, you may have contractual obligations to inform your customers.
SEC Cybersecurity Compliance
Compliance with the new SEC cybersecurity rules should be one of your key priorities. A smart and comprehensive compliance program can substantially reduce risk and pay dividends across your organization. An investment in Essert's AI-powered solution, and in the expertise to embed security controls, can substantially reduce the likelihood of a material incident. Additionally, board oversight strengthens cyber resilience and signals to investors, regulators, and partners that cyber risks are taken seriously.
Comprehensive Compliance Program
Getting ready for compliance requires a comprehensive compliance program. This could include operationalizing frameworks for your organization, mapping the SEC cybersecurity rules to your existing security management controls, developing comprehensive risk profiles as part of your risk management framework, writing robust policies for preventative safeguards, and maintaining continuous compliance through SOPs. A key element of the new SEC cybersecurity rules is assessing incident materiality at scale. Essert offers AI-powered solutions and apps to help you achieve compliance rapidly through automation.
Have More Questions?
Feel free to download our whitepaper on the SEC cybersecurity rules for clarification. We’re here to help you with any inquiries you may have.