What’s Included in the SEC’s New Cybersecurity Requirements for Companies?

In today’s rapidly evolving digital landscape, cybersecurity has become an ever-present concern for businesses of all sizes. As technology advances, so do the threats that can compromise sensitive data and disrupt operations.

Recognizing the importance of addressing these risks, the U.S. Securities and Exchange Commission (SEC) has introduced new cybersecurity requirements for companies, impacting not only publicly traded domestic entities but also foreign private issuers.

In this comprehensive guide, we will delve into the key aspects of these regulations, exploring their implications and providing insights into what companies need to do to ensure compliance.

What are the SEC’s New Cybersecurity Rules?

The SEC’s new cybersecurity requirements represent a significant shift in how companies handle and report cybersecurity incidents. These regulations introduce mandatory cyber-incident reporting requirements for all U.S.-listed companies.

Domestic issuers are now obliged to disclose material cybersecurity incidents in Form 8-K filings, while foreign private issuers must submit Form 6-K filings to disclose material cyber-incidents.

Materiality Standard and Reporting Timeframe

One of the critical aspects of these new rules is the concept of “materiality.” Issuers are required to disclose cybersecurity incidents that the company determines to be material. This materiality standard aligns with the standard used for other Form 8-K disclosures under U.S. securities laws.

It’s essential to emphasize that materiality refers to the impact of the incident on the company’s financial condition and its operations. These disclosures must be filed within four business days after a company determines that it has experienced a material cyber-incident.

However, it’s worth noting that this four-day reporting window has sparked criticism. Some argue that it may not provide enough time for companies to confirm a breach, understand its full impact, and coordinate notifications. Additionally, there is a degree of uncertainty around the precise definition of “material” incidents, which further complicates compliance efforts.

Governance and Risk Management Disclosure

In addition to incident reporting, U.S.-listed companies are now required to disclose information about their cybersecurity risk management and governance.

This includes details about board proficiency in, and oversight of, cybersecurity risks, which should be included in their annual Form 10-K and Form 20-F filings. These disclosure requirements apply to fiscal years ending on or after December 15, 2023.

While not explicitly mandated, companies are expected to provide specific information about board proficiency in cybersecurity. This expectation presents a unique challenge for many boards of directors.

While some directors may possess high-level expertise in the field, they may not be closely involved in the organization’s day-to-day security activities. Thus, businesses must find effective ways to bridge this gap.

Implications for All Companies

It’s crucial to emphasize that these new SEC regulations are not exclusive to public companies. They apply to all U.S.-listed companies, irrespective of their size or industry. This means that even private companies, including those based overseas, must adapt to these requirements to ensure compliance.

Steps to Ensure Compliance

Compliance with the SEC’s new cybersecurity requirements is imperative for all affected companies. Failing to do so can lead to regulatory scrutiny, reputational damage, and potentially severe financial consequences. To navigate these regulations successfully, companies can take the following steps:

  • Assessment and Risk Analysis: Begin by conducting a thorough assessment of your organization’s current cybersecurity posture. Identify vulnerabilities and assess potential risks, so that the materiality of an incident can be determined quickly and consistently when one occurs.

  • Incident Response Plan: Develop a robust incident response plan that outlines the steps to be taken in the event of a cybersecurity breach. Ensure that this plan accommodates the new four-business-day reporting timeframe and addresses the specific disclosure requirements set forth by the SEC.

  • Board Proficiency: Companies should evaluate the proficiency of their boards when it comes to cybersecurity. This may involve training or the inclusion of cybersecurity experts on the board to bridge the knowledge gap.

  • Governance and Oversight: Strengthen governance and oversight processes related to cybersecurity. This includes defining roles and responsibilities for managing cyber risks and ensuring that these processes are well-documented.

  • Educate and Train: Ensure that all employees are aware of the new regulations and their role in compliance. Provide cybersecurity training and awareness programs to empower your workforce to recognize and respond to threats effectively.

  • Continuous Monitoring: Implement continuous monitoring and auditing of cybersecurity practices to identify and address any gaps or weaknesses proactively.

Stay Ahead of Changing Regulations

The SEC’s new cybersecurity requirements represent a significant step forward in addressing the ever-increasing threats in the digital realm. These regulations underscore the importance of transparency and preparedness when it comes to cybersecurity incidents, and they apply to all U.S.-listed companies, public and private alike. It is essential for companies to take these requirements seriously and implement the necessary measures to ensure compliance.

At BrainStomp, we understand the significance of these new regulations and are committed to assisting companies in navigating the complex landscape of cybersecurity compliance. If you have any questions or need guidance on how to address these requirements effectively, please do not hesitate to contact us. We are here to help you safeguard your business and maintain the trust of your stakeholders in this digital age.