New Cybersecurity Rules for SEC Regulated Companies and Those who do Business with Them

There are new SEC cybersecurity rules taking effect next week, December 15th, 2023, that will affect SEC regulated companies AND companies that do business with those companies. These new rules were adopted in July and require publicly listed companies to disclose cybersecurity incidents, as well as report about their cybersecurity protection plans.

Reporting Cybersecurity Incidents

The new rules add mandatory cyber-incident reporting requirements for all US-listed companies. They must disclose material cybersecurity incidents within 4 days in Form 8-K filings.

“Item 1.05 to Form 8-K requires disclosure of the following information regarding a material cybersecurity incident:

  • The material aspects of the nature, scope, and timing of the incident; and
  • The material impact or reasonably likely material impact on the registrant, including on the registrant’s financial condition and results of operations.”

The 4-day requirement is not tied to the discovery of the incident, but rather to the date that it was determined to be material, a determination that must be made “without unreasonable delay.” The SEC suggests that materiality should be judged from the point of view of a reasonable shareholder.

There are more details in the referenced article, but the important part is that you must report the incidents. A lot of these definitions and details will probably be hashed out in courts and hearings as incidents occur. The practical takeaway is that it is very important to be vigilant about what is happening with your systems, to have systems and procedures in place to detect breaches quickly, and to be prepared to go into action.

Companies also need to have in place procedures and methods for determining whether an incident is material. The SEC seems to be leaving it up to the firms to decide if a security incident is material, but the middle of an incident is not the time to work out that procedure. Do it now, before an incident occurs.

This means that a firm needs to adopt the “assume breach” mentality and prepare for the worst. In fact, many articles and documents by government agencies and private firms alike encourage this “assume breach” mentality in cybersecurity planning. Planning for prevention, detection, management, response, and reporting is essential.

Documenting the Cybersecurity Risk Management, Strategy and Governance

The new rules also require firms to disclose their risk management, strategy, and governance relating to cybersecurity in their annual reports. Not only must they address their protection plans, but they also need to describe the board of directors’ oversight of this area of risk. It is prudent to report to your board regularly about how the various security controls are being implemented, monitored, and tested. Regular penetration tests can be an important part of these updates.

Firms must describe in detail, on an annual basis, their process for assessing, identifying, and managing cyber risk, as well as the impact of any cyber-threats and previous incidents. The following is a list of items taken from the SEC’s final rule regarding things that should be reported:

  • Whether the registrant has a cybersecurity risk assessment program and, if so, a description of the program.
  • Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program.
  • Whether the registrant has policies and procedures to oversee, identify, and mitigate the cybersecurity risks associated with its use of any third-party service provider (including, but not limited to, those providers that have access to the registrant’s customer and employee data), including whether and how cybersecurity considerations affect the selection and oversight of these providers and the contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers.
  • Whether the registrant undertakes activities to prevent, detect, and minimize the effects of cybersecurity incidents.
  • Whether the registrant has business continuity, contingency, and recovery plans in the event of a cybersecurity incident.
  • Whether previous cybersecurity incidents have informed changes in the registrant’s governance, policies and procedures, or technologies.
  • Whether cybersecurity-related risks and incidents have affected or are reasonably likely to affect the registrant’s results of operations or financial condition and, if so, how.
  • Whether cybersecurity risks are considered as part of the registrant’s business strategy, financial planning, and capital allocation and, if so, how.

As you can see, these are mostly questions rather than mandates, but the implication of all the disclosure questions is that you want to be able to answer yes to each of them and have detailed documentation of the plans to back that up.

I think the best way to respond is to implement detailed plans for cybersecurity detection, protection, and response. I have outlined the details of such a plan in my article on the new Federal Trade Commission cybersecurity rules, so I will not repeat those best practices here; please see them at https://itsgllc.com/blog/the-newly-updated-federal-trade-commission-rules-for-safeguarding-customer-information-and-why-it-matters/

These plans generally use industry best-practice frameworks that provide for good protection, detection, training, and response. It is best to pick a standard, implement it, document it, and be prepared to change and adjust the plan, or even the standard, as you grow your business and your risk profile changes.

Enforcement

Many people ask how this will be enforced. Non-compliance leaves companies at risk of fines, sanctions, and criminal prosecutions. The agency has been known to pursue companies and employees with civil actions and other consequences such as termination of employment, bans on working at other public companies, and fines. Consider what the SEC did in the SolarWinds case, as quoted below from the InformationWeek article cited at the end of this article:

“The SEC sent SolarWinds a Wells Notice in October 2022, indicating its intention to pursue enforcement action against the company, according to an SEC filing. In a June SEC filing the company noted that current and former employees, including its CFO and CISO, have received Wells Notices. These notices could mean SEC staff are recommending to ‘file a civil enforcement action against the recipients alleging violations of certain provisions of the US federal securities laws.’”

Private Companies

While not technically covered by this ruling, private companies need to think about this too. It is very possible that these rules will become standard for other companies and insurance policies as well; this is often the case with regulations like this. There are also requirements for any company that handles the data of these regulated companies to be compliant. This means now is the time to get your IT house in order and be prepared by having your own cybersecurity plan ready.

I am by no means a lawyer or an expert on the SEC, so this brief article is intended as an introduction to and summary of the new rules and how we, as information technology professionals, can help you respond. If you want to read the source articles for more detail, links are provided below. If you would like to talk to me about how you can respond to these new requirements, please call or message me on LinkedIn. We have security services and plans that can help you with all that you need.

Information for this article was taken from the SEC Small Entity Compliance Guide for Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure, found at https://www.sec.gov/corpfin/secg-cybersecurity, and also from the SEC final rule, 17 CFR Parts 229 etc., found at https://www.sec.gov/files/rules/final/2023/33-11216.pdf

Other articles:

  • https://www.informationweek.com/cyber-resilience/are-public-companies-ready-for-the-new-sec-cybersecurity-rules-
  • https://www.informationweek.com/cyber-resilience/2020-solarwinds-breach-execs-face-potential-sec-legal-action