New Cybersecurity Rules from the SEC


The SEC (Securities and Exchange Commission) recently approved new rules around cybersecurity that could have significant implications for organizations.

In a move aimed at enhancing cybersecurity disclosures for public companies, the U.S. Securities and Exchange Commission (SEC) announced the adoption of new cybersecurity rules on July 26, 2023. These rules will provide investors with more comprehensive and comparable information regarding a company's cybersecurity risk management efforts.

This post breaks the new rule down into three key areas, following the structure of the rule itself: Risk Management and Strategy, Governance, and Cybersecurity Incidents.

Risk Management and Strategy

The new rules (Item 106 of Regulation S-K, disclosed in the annual report on Form 10-K) require companies to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, and to state whether any risks from cybersecurity threats, including previous incidents, have materially affected or are reasonably likely to materially affect the company. This is a disclosure requirement rather than a mandate to adopt particular controls, but in practice it means a company needs a defined, repeatable risk management process that can be described accurately to investors. Companies must now describe:

  • Assessing and analyzing cybersecurity risks: how they identify vulnerabilities and threats, evaluate the potential financial and operational impact of incidents, and judge likelihood of occurrence, and whether these processes are integrated into the company's overall risk management program.
  • Use of third parties and third-party risk: whether the company engages assessors, consultants, auditors, or other third parties in connection with these processes, and how it oversees and identifies risks arising from its use of third-party service providers.
  • Protective measures and incident response: the rule does not prescribe specific safeguards (firewalls, encryption, network monitoring, employee training and the like) or require a particular incident response plan, but the processes a company describes should reflect how it prevents, detects, and responds to incidents. A company that must report material incidents on Form 8-K (see below) will need a documented process for detecting incidents, escalating them, and reaching a materiality determination promptly.

Governance

Effective governance is critical in managing cybersecurity risks, and the SEC's new rules (Item 106(c) of Regulation S-K) require disclosure of both the board's oversight role and management's role. Companies must now describe:

  • Board oversight: how the board oversees risks from cybersecurity threats and, if applicable, which board committee or subcommittee is responsible and how the board or committee is informed about those risks, including how often it receives updates and through what channels.
  • Management's role and expertise: which management positions or committees are responsible for assessing and managing material cybersecurity risk, the relevant expertise of those individuals, the processes by which they are informed about and monitor the prevention, detection, mitigation, and remediation of incidents, and whether they report this information to the board or a board committee.
  • Board cybersecurity expertise (not adopted): the proposed rule would have required companies to disclose whether any directors have cybersecurity expertise. The final rule dropped that requirement, so there is no obligation to identify board-level expertise, although many companies will still choose to describe it. The management expertise disclosure above does apply.

Cybersecurity Incidents

In a rapidly evolving digital landscape, no company is immune to cybersecurity incidents. The new rules add Item 1.05 to Form 8-K, requiring current disclosure of cybersecurity incidents the company determines to be material. The key requirements are:

  • Reporting timeline: the Form 8-K must be filed within four business days after the company determines that the incident is material. That materiality determination must be made "without unreasonable delay" after discovery, so the four-day clock runs from the determination rather than from discovery, but a company cannot slow the determination in order to delay the filing. Disclosure may be delayed only if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission in writing.
  • Required content: the material aspects of the nature, scope, and timing of the incident, and its material impact or reasonably likely material impact on the company, including its financial condition and results of operations. Materiality is judged by whether a reasonable investor would consider the information important, and the adopting release makes clear that this includes qualitative factors such as reputational harm, customer relationships, and litigation or regulatory exposure, not just quantified loss.
  • What need not be disclosed: the final rule does not require technical details about the incident, the company's planned response, or its systems where disclosure would impede response or remediation, and it dropped the proposed requirements to disclose remediation status and whether data was compromised. If required information is not yet determined or is unavailable at the time of the initial filing, the company must say so and file an amended Form 8-K within four business days after it determines that information. Separately, the annual Item 106 disclosure must address whether past incidents have materially affected the company, so remediation and lessons learned still feed into the 10-K narrative.

These new SEC rules represent a significant step towards ensuring consistent and robust cybersecurity disclosures for public companies. By enhancing transparency and providing investors with meaningful information, the rules aim to promote a more proactive and resilient cybersecurity approach.

The rules do not take effect immediately, but the timeline is short. They became effective on September 5, 2023. The Regulation S-K Item 106 disclosures on risk management, strategy, and governance are required in annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K Item 1.05 incident disclosure requirement applies beginning December 18, 2023, with smaller reporting companies given an additional 180 days, until June 15, 2024. Companies should review and update their risk management processes, governance structures, and incident materiality and reporting procedures now, so that the processes they describe in the 10-K actually exist and the four-business-day 8-K clock can be met.

Press release: https://www.sec.gov/news/press-release/2023-139

Final rule: https://www.sec.gov/rules/final/2023/33-11216.pdf

Fact sheet: https://www.sec.gov/files/33-11216-fact-sheet.pdf

Conclusion

The SEC's adopted cybersecurity rules apply to all public companies that file with the Commission, not only to the financial industry, and represent a significant step toward consistent, comparable cybersecurity disclosure. Organizations must take proactive steps to comply, ensuring that their activities around risk management, governance, and incident response align with the SEC's expectations and can be described accurately in their filings.

Justin Leapline
Founder

With over twenty years of information security experience, Justin has helped organizations through consulting and running security departments. Additionally, Justin serves as a distinguished faculty member of IANS, focusing on compliance, security management, DevSecOps, and assurance.