The U.S. Securities and Exchange Commission (SEC) has long been an arbiter of transparency and disclosure in the financial world. On July 26, 2023, in response to the escalating cyber threats businesses face, the SEC adopted final rules on cybersecurity risk management, strategy, governance, and incident disclosure; the rules took effect on September 5, 2023 and demand stricter, faster reporting of cyber incidents.
While this ruling doesn't affect the majority of companies in the US, since it binds only SEC registrants, the SEC's new stance is solid guidance for organizations of all sizes to consider.
The SEC’s New Stance on Cyber Incident Reporting
In short, the SEC's updated rules require public companies to be more transparent and prompt in disclosing cyber incidents. Earlier guidance already called for disclosing cyber incidents that were material (those a reasonable investor would consider important to an investment decision), but it left the timing open. The new rules do not redefine materiality; they keep the existing securities-law standard and instead fix the timeline. Once a company determines that an incident is material, it must file a Form 8-K (Item 1.05) within four business days describing the incident's nature, scope, and timing and its material impact, or reasonably likely material impact, on the company. The materiality determination itself must be made without unreasonable delay after discovery, and disclosure may be postponed only if the U.S. Attorney General determines that it would pose a substantial risk to national security or public safety.
Moreover, the SEC now requires companies to describe, in their annual reports (Regulation S-K Item 106), their processes for assessing, identifying, and managing material cybersecurity risks, together with the board's oversight of those risks and management's role in handling them. This move acknowledges that in today's digital world, it's not a question of if a cyber incident will happen but when.
Implications for Companies
- Increased Accountability: The SEC’s ruling sends a clear message to publicly traded companies – transparency in cyber incidents isn’t just ethically right, it’s a regulatory must. Companies are now directly accountable to shareholders and the public for their cybersecurity readiness and their response to incidents.
- Materiality Decisions on the Clock: The previous ambiguity around when a "material" cyber incident had to be reported often allowed companies to delay or avoid disclosure. The new rules keep the established materiality standard but require the determination to be made without unreasonable delay, so companies need a documented, repeatable process for judging materiality, one that weighs qualitative harm such as reputational damage, lost customer relationships, and litigation exposure alongside direct financial loss.
- Regular Risk Management Reviews: Because the risk management, strategy, and governance disclosures recur every year, companies will have to proactively and regularly review their risk management policies, ensuring they're in line with accepted best practices and that the organization is capable of promptly identifying and addressing cyber threats.
Steps to Ensure Compliance
- Create a Cyber Incident Response Plan:
Every company should have a comprehensive Cyber Incident Response Plan (CIRP) in place. This plan should detail how the organization will respond to different cyber threats, from detection through containment and mitigation to recovery. For a public company it should also name who assesses materiality and who decides to disclose, because the four-business-day filing window opens at that determination, not at the moment of detection. A tested plan not only ensures you act swiftly when an incident occurs but also demonstrates to the SEC and investors that you're proactive about cybersecurity.
- Foster Real-Time Monitoring and Reporting:
With the SEC's emphasis on prompt reporting, companies need monitoring that surfaces incidents quickly. The disclosure clock starts when materiality is determined, but that determination must follow discovery without unreasonable delay, so every day lost between compromise, detection, and escalation to decision-makers narrows the margin. Investing in threat detection, centralized logging, and a clear internal reporting path helps businesses identify, assess, and report incidents quickly.
- Establish a Strong Communication Strategy:
After detecting a cyber incident, it's vital to have a communication strategy ready. This includes internal communication to staff and stakeholders, as well as external communication to investors, customers, and, if necessary, the public. Statements made to customers or the press should be consistent with what is filed with the SEC.
- Review and Update Disclosures Regularly:
It's not enough to craft a robust cybersecurity disclosure once and then forget about it. Companies need to review and update their disclosures regularly, especially after a significant incident or if the cybersecurity landscape changes materially. If required details about an incident were not yet known when the Form 8-K was filed, the filing must be amended within four business days of that information becoming available.
- Engage Legal Counsel Familiar with SEC Guidelines:
Considering the legal implications and the nuances in the SEC’s guidelines, it’s wise to involve legal experts who are familiar with these regulations. They can provide guidance on how and what to disclose to stay compliant.
- Promote a Cybersecurity Culture:
Last but not least, foster a cybersecurity culture throughout the organization. Every staff member should be trained on best practices, the importance of cybersecurity, and their role in maintaining it.
The Big Picture
The SEC’s new ruling signifies a broader shift in the regulatory landscape where cybersecurity is no longer a technical issue confined to IT departments. It’s a business-wide concern with potential financial implications that investors need to know about.
While the ruling may seem burdensome, it encourages companies to be more proactive about their cybersecurity, which, in the long run, benefits the company, its shareholders, and customers. Compliance not only reduces regulatory risks but also ensures that companies are better prepared against cyber threats.
Leveraging industry-accepted best practices and standards provided by organizations such as the National Institute of Standards and Technology (NIST), for example the NIST Cybersecurity Framework, or the American Institute of Certified Public Accountants (AICPA), whose Trust Services Criteria underpin SOC 2 reports, will aid management in assessing their current security and security governance posture and their ability to comply with this new SEC requirement.
At iLLÜM we are passionate about helping our clients overcome IT challenges without simply throwing money at additional technology point solutions. We accomplish this by enabling their existing IT teams to deliver transformative solutions with velocity and improve cyber risk postures.
Our team of senior IT leaders and project managers, together with an industry-leading IT management platform, helps organizations tackle their most pressing IT challenges. All our service options are provided on month-to-month subscriptions, so organizations of all sizes can receive expert IT guidance and project management on demand, within budget, and without the costs associated with long-term commitments.