What the New SEC Cybersecurity Rules Mean for Public Companies

Cyber incidents and losses escalate every year and the impact on every organization can range from significant to crippling. With the average cost from a data breach in the U.S. now approaching $10 million and losses in market value for victim companies sometimes exceeding $100 million, it was time for the U.S. Securities and Exchange Commission (SEC) to introduce robust cybersecurity rules for public companies. This was an obvious necessity to protect investors and the integrity of U.S. securities markets. As a C-level executive or person with responsibility for cybersecurity, understanding these rules is crucial for remining in compliance with the new regulations, maintaining a strong security posture, and the financial health of your organization.

An introduction to the SEC's New Cybersecurity Rules

The SEC's new regulations go into effect on December 18, 2023. They focus on enhancing and standardizing public company disclosures related to cybersecurity risks and incidents. Some of the key elements include:

• Cybersecurity risk management, strategy, and governance – companies must provide a more granular view into their cybersecurity practices. Claiming to embrace best practices is no longer sufficient.
• The board's role in cybersecurity oversight – boards will need to demonstrate expertise and understanding of current cybersecurity challenges and defenses.
• Cybersecurity incident disclosure – a four-day deadline for disclosure will place additional pressures on victim companies and knowing what must be disclosed and when will be critical for compliance.

A More Detailed Review of the Key Elements

To properly address the new cybersecurity risk management, strategy, and governance requirements, companies will need to disclose detailed information about their policies, procedures, and strategies surrounding cybersecurity risks. The new SEC regulation mandates that companies disclose their cybersecurity policies and procedures, emphasizing the importance of a well-documented cybersecurity framework. In addition, CISOs must ensure their companies communicate their risk management strategies and demonstrate how they identify, assess, and mitigate cybersecurity risks.

The role of the board in cybersecurity oversight has been expanded under the new regulations. Just as boards must have expertise in finance and other areas, boards will need to either have active membership or access to adequate expertise in the process of overseeing the organizations cybersecurity risk policies, processes, and management. The SEC is sensitive to the risk of forcing a transfer of budget or resources away from defense and has provided latitude for smaller companies where there would be a trade-off. The goal is to increase the accountability of the board in ensuring the effectiveness of cybersecurity policies and risk management.

The most concerning and perhaps confusing impact of the new regulations will be in the are of cybersecurity incident disclosure. Public companies have always had a requirement to disclose most events that will have a material impact on financial results within four business days. The new regulations simply make it clear that this now also applies to cyber incidents that will have a material impact on the business. The definition of 'material' is broad and open to a range of reasonable interpretations. It encompasses any incident that is reasonably likely to impact the company's operations or financial condition. The recent clarification from the SEC provides that companies do not need to disclose information that will result in additional damage or losses.

Will This Be a SOX Moment for Cybersecurity?

The answer to the above is probably not. Sarbanes-Oxley was the product of massive fraud that hurt investors and eroded trust in public markets. The intent of the SEC is to avoid a repeat, but this time it can be accomplished with much more finesse and a much smaller hammer.

The new SEC cybersecurity rules represent a significant change in how public companies must handle many elements related to cybersecurity. As a CISO, security professional, C-level executive, or senior manager, staying ahead of these changes is critical. Implementing robust cybersecurity frameworks, engaging with the board, and maintaining transparency through prompt incident disclosure will be key to navigating this new regulatory landscape.