The Securities and Exchange Commission’s (SEC) finalized cybersecurity rules expand public companies’ cyber risk management and disclosure responsibilities. A host of new requirements not only mandate timely disclosure of material cybersecurity incidents — within four days of determining materiality — but also of a company’s broader risk management, strategy, governance, and oversight responsibilities.
The impact of these rules goes beyond compliance and will affect both public and private companies alike. The rules reveal changing currents in the state of cybersecurity, as well as the evolving responsibilities borne by both C-level executives and board members when it comes to keeping their organizations safe.
Here’s what you need to know about the SEC’s new rules, as well as their larger context, and how leaders can prepare to meet these new requirements.
What You Need to Know: The Fundamentals
The SEC’s final rules require companies to disclose their risk management, strategy, and governance processes, as well as the roles of both management and boards, in assessing and managing cyber risk. This includes the committees responsible for cybersecurity oversight and how they are kept informed. The SEC’s rules mandate public companies disclose material cybersecurity incidents within four business days of determining materiality (see paragraph below for additional information regarding Materiality). These companies must also report material cybersecurity incidents disclosed in a foreign jurisdiction or to stock exchanges or to security holders.
Materiality — the determination that an incident would be significant to a reasonable investor — is not, in this case, black and white. It requires a judgment call based on quantitative and qualitative factors, which means companies must be confident in their ability to quickly detect and analyze a breach and report their findings to internal and external stakeholders.
Understanding these cybersecurity rules is only the first step. Consider asking the following questions to help your company comply with the new requirements.
- Do we have proactive reporting measures in place in addition to our detection and response plans to comply with the new requirements?
- Do we have the internal processes created and resources allocated to report on cyber risk management and corresponding risks?
- As a public company, do we have communications channels assembled to report on material breaches within the short reporting window? This would include roles and responsibilities assigned to personnel within or outside the company. Conversely, as a private organization, do we have the resources and processes in place to report on cyber breaches that may impact our public company customers, should we be required or asked to do so?
- Have we considered pursuing an external assessment, such as a systems and organization control (SOC) for cybersecurity report or a maturity/gap assessment, to further aid our preparedness and program maturity?
Not a public company? Read on to learn how this may still impact you.
The State of Cyber Compliance Is Impacting All Companies
The SEC is not the only governmental body creating new rules concerning cybersecurity disclosure. State and local organizations, like the State of Minnesota and the New York Department of Financial Services, have introduced similar regulations, as has the European Data Protection Board with its General Data Protection Regulation (GDPR). While the SEC’s rules are directed at public companies, the writing is on the wall for organizations of all classifications. The interconnected nature of today’s business landscape means that even private companies should anticipate the downstream effects of these regulations.
For example, as with the GDPR reporting requirement, private companies serving public companies may become contractually required to help their public company customers comply with the new rules. These rules may not always neatly align with existing regulatory reporting requirements. Therefore, an increased focus on vendor risk and contractual management will be more critical than ever.
It’s easy to see why these regulations have appeared in recent years. Just as defensive cybersecurity measures — such as firewalls and antivirus software — led to proactive, offensive capabilities like threat hunting and detection tactics, the industry has now evolved to focus on the ability to quickly assess and report on the materiality of cyber incidents. The longtime reality that the question of a cyber breach is no longer an “if,” but a “when” has led regulators to evaluate companies’ ability to reasonably determine and report on the impact of such incidents on stakeholders – a new challenge companies must prepare to meet.
How Can Company Leaders Prepare?
Cybersecurity is not always front-of-mind for C-level executives, who may lack a comprehensive understanding of their company’s cybersecurity risk management and governance protocols. The SEC’s new rules present a tremendous opportunity for education and increased collaboration between internal stakeholders.
Cybersecurity is a collective responsibility borne at all levels of an organization. Given most breaches occur through tactics that prey on employee error, such as phishing schemes, all stakeholders must understand their roles in preventing and mitigating the effects of a cyber incident. This means not only investing in employee training but also working to break down internal silos that may hamper collaboration when it is needed most.
Even a company with a mature cybersecurity program may lack the speed of reporting necessary to meet the SEC’s four-day requirement for material disclosures. By mapping out the key stakeholders involved in responding to a cyber incident — as well as the information each possesses that is necessary to make a materiality determination — leaders can prepare their companies to meet this requirement before a breach occurs.
Third parties can also help companies prepare to meet the SEC’s new disclosure rules. A SOC for cybersecurity report is a tool for companies to assess their cyber risk management program, including the design and operation of cyber incident reporting, as well as their ability to fulfill obligations related to the four-day reporting requirement. This assessment can help C-level executives and board members more precisely define the company’s cybersecurity processes and readiness levels while preparing them to answer questions about their preparedness from investors, government regulators, and other stakeholders.
Looking Forward to What’s Next
The SEC’s finalized cybersecurity rules create a new mandate for public companies – and signal to all organizations that timely disclosure is now a necessary component of any viable cybersecurity program. Alongside recent policies from other governmental bodies, these regulations broadcast that cybersecurity risk prevention and mitigation are no longer enough. When it comes to incident management, companies must be able to quickly assess and report on material cybersecurity events.
With these new rules, companies can improve their cybersecurity preparedness by better defining their cyber protocols, procedures, and channels of communication. Reporting is only one piece of the puzzle — these disclosures can also help companies educate internal team members on their roles and responsibilities concerning cybersecurity, which will, in turn, reduce silos, enhance collaboration, and better prepare a company to respond swiftly and thoroughly when an incident occurs.
Written by Jeff Ward, Michael Krivak and Jason Lipschultz. Copyright © 2024 BDO USA, P.C. All rights reserved. www.bdo.com