SEC’s new rules on cybersecurity disclosure

July 26, 2023 was an eventful day at the Securities and Exchange Commission (SEC) besides being an eventful day for me as it was my birthday. On my birthday, the SEC, a body pivotal to the financial security of our nation, stepped forward to bring about a pivotal change in the form of newly adopted rules around cybersecurity. The new rules focus squarely on the growing importance and the critical nature of cybersecurity. They will become effective 30 days following publication.

One sentence summary: Ensure you have a written cyber security strategy from the boardroom to the data center and ensure you have board members with appropriate cybersecurity knowledge and experience who are focused on cybersecurity governance and compliance.

Imagine, if you will, the vast array of businesses and organizations that fall under the purview of the SEC – the ‘registrants’. And many more use the SEC rules as guidelines while they either pursue SEC registration or do business with SEC registrants. These entities are now required, as per the new rules, to publicly disclose any material cybersecurity incidents they encounter. This move isn’t just about transparency; it’s about accountability and creating an environment where cybersecurity is prioritized.

Additionally, these registrants are now obligated to disclose material information about their cybersecurity risk management, strategies, and governance on an annual basis. This annual report, akin to a comprehensive health check, will give stakeholders a holistic view of a company’s cybersecurity posture, resilience, and their readiness to combat digital threats.

Significantly, the SEC has cast its net wide, extending these rules to foreign private issuers as well. The message is loud and clear: in this interconnected world, cybersecurity is a global issue, transcending borders.

To truly understand the impact of these rules, let’s review a summary of the new rules.

Based on the SEC’s final rules:

  1. Disclosure of Cybersecurity Risk Management Strategy: Registrants are required to disclose whether they have adopted a cybersecurity risk management strategy. If such a strategy has been adopted, they are required to describe the key features of the strategy. This should be disclosed in the registrant’s annual reports.
  2. Disclosure of Cybersecurity Governance: The rules require disclosure about the registrant’s governance of cybersecurity risks and incidents. This includes the role of the board of directors or similar governing body in overseeing the registrant’s cybersecurity risk management strategy and incident response efforts. This differs from risk management disclosure as governance focuses on the oversight and decision-making process, while risk management focuses on the actual strategies and actions taken to mitigate risks.
  3. Disclosure of Material Cybersecurity Incidents: Registrants are required to promptly disclose any material cybersecurity incidents they experience. This includes the nature and scope of the incident, its impact on the registrant’s operations, and the registrant’s response to the incident. This should be disclosed on Form 8-K within four business days of determining the materiality of the incident. Some flexibility is provided for security or other concerns.
  4. Quantitative Metrics and Industry-Specific Information: The SEC document does not explicitly require the disclosure of quantitative metrics or industry-specific information. However, the SEC encourages registrants to provide as much specific and detailed information as possible to allow investors to understand their specific cybersecurity risks and incidents.

This monumental decision by the SEC is an endeavor to bolster the cybersecurity framework of registrants. It’s a persuasive call to action for companies to proactively tackle cyber threats, setting a benchmark for cybersecurity protocols worldwide.

In this era where information is the new gold, these rules are a testament to the SEC’s commitment to safeguarding this treasure trove, promoting transparency, accountability, and fostering a safer digital landscape. Cybersecurity governance is one area that the SEC appears to have solid footing and advice and is proactively setting a standard to follow.

Here is the link to the ruling press release: https://www.sec.gov/news/press-release/2023-139

Leave a Reply

Your email address will not be published. Required fields are marked *