Imagine making a significant stock investment in the latest hot tech startup—only to find out, much later, that the firm had been the victim of an undisclosed data breach that seriously damaged its customers, reputation, and infrastructure. Would you have invested in the first place had you known the truth?
Fortunately, investors no longer have to dread the financial losses of this scenario thanks to the new U.S. Securities and Exchange Commission (SEC) cybersecurity rules that place significant new reporting requirements on public companies under their jurisdiction. The 2023 FBI IC3 report revealed that data breaches caused over $534 million in losses last year, showing the need for better cybersecurity regulations and disclosures in the financial sector.
The new regulations require reporting any ‘material cybersecurity incident’ to the SEC, in their prescribed format, within four business days of the incident occurring. In addition, you must have processes to rapidly determine whether an incident is ‘material’ and have management and board responsibilities assigned to assess and manage material cybersecurity risks.
Security training and awareness programs are widely recognized as essential components of the kind of effective security strategy that the SEC expects to comply with the new rules.
Is your financial organization’s cybersecurity program disclosure-ready and compliant with the new SEC cybersecurity rules? Let’s examine the key elements of the rules to find out.
The New SEC Cybersecurity Rules: What are they, and who are they for?
The new SEC cybersecurity rules are now in effect, applying to annual reports for fiscal years ending on or after December 15, 2023.
These regulations seek to enhance and standardize cybersecurity disclosures to be ‘more consistent, comparable and decision-useful.‘ They’re designed to introduce greater transparency for all stakeholders regarding the incidence of cybercrime and ensure that organizations have appropriate cybersecurity risk management, strategy, and board-level governance to protect and defend the business.
The new rules apply to public companies subject to the Exchange Act’s reporting requirements. However, the Final Rule release notes that ‘a recent study by two cybersecurity firms found that 98 percent of organizations use at least one third-party vendor that has experienced a breach in the last two years,’ highlighting a potential indirect vulnerability for public companies.
In other words, while your company may be private, you must comply with the new SEC rules if you have a vendor agreement with a public company. Further, given the significant risk from cybercrime, it makes sense to have a mature cybersecurity risk management strategy in place to comply with SEC rules while safeguarding your business and reassuring your clients.
What’s in the New SEC Cybersecurity Rules
The new rules focus on improving and standardizing disclosures related to cybersecurity incidents, as well as reporting on cybersecurity governance, risk management, and strategy for public companies.
Specific requirements include:
1. Disclosure of Cybersecurity Incidents
The SEC’s new disclosure rules aim to increase transparency and provide investors with crucial information about potential risks. Here’s what you need to know about the disclosure process:
Disclosure of Cybersecurity Incidents
In the event of a cybersecurity incident, you are obligated to determine, ‘without unreasonable delay,’ if the incident is considered ‘material.’ This means you need to assess the potential impact on the company’s finances, operations, or reputation.
Material Cybersecurity Incidents
If you determine the incident as ‘material,’ you must file a report using SEC Form 8-K within four business days. This report should detail the incident’s nature, scope, and timing, along with its material impact or reasonably likely material impact.
Determining Materiality
There isn’t a specific financial threshold for materiality. However, the SEC offers guidance based on precedent, referencing a 1976 Supreme Court opinion by Justice Thurgood Marshall. Here’s what constitutes “materiality” according to this precedent:
- There is a “substantial likelihood that a reasonable shareholder would consider it important” in making investment decisions.
- The incident would have “significantly altered the ‘total mix’ of information made available” to investors.
- A reasonable investor would see the incident as ” significantly altering the ‘total mix’ of information made available.”
2. Disclosure of Cybersecurity Risk, Management, and Strategy
In their annual report, covered companies must disclose how they assess, identify, and manage material risks from cybersecurity threats using SEC Form 10-K, as per Regulation S-K Item 106(b). This filing is required to:
- Describe processes for assessing, identifying, and managing cybersecurity risk. This includes whether your cybersecurity program engages consultants, auditors, or other third parties and has processes to identify and manage risk from third parties.
- Describe the effects or likely effects of cybersecurity threats, including those resulting from past incidents (such as data loss), and how these might affect the business, including business strategy, results of operations, and financial standing.
3. Disclosure of Cybersecurity Governance
Using SEC Form 10-K, financial organizations must set out their cybersecurity governance structure, including:
- Details of the board’s role in oversight of risks from cybersecurity threats
- Identity of the committee or subcommittee with oversight responsibility, the experience members have in assessing and managing cyber risks, and the processes in place to ensure timely flow of information.
7 Steps to Prepare for Compliance with the new SEC Cybersecurity Rules
Building a robust cybersecurity program that meets the new SEC regulations requires a company-wide effort. This means bringing together key decision-makers, from the CISO and CFO to the legal team and board. Everyone needs to be on the same page to ensure adequate security management across all departments.
Here are seven key steps to ensure the processes and technologies are in place to support compliant cybersecurity risk management, strategy, governance, and incident disclosure:
1. Identify Your Organization’s ‘Crown Jewels’
The first step is determining which critical operations and infrastructure the business relies on to function and how a cyber incident might impact these. This work will include listing and ranking all assets across your business (including IT, OT, and IoT devices) in terms of risk mitigation and incident response measures.
2. Define ‘Materiality’ As It Applies to Your Business
This critical concept in the SEC cybersecurity rules can vary as it relates to an incident’s impact on a business’s specific operations. Some materiality is not limited to financial impact but may include, where relevant, environmental impacts, impacts on health and safety, and even the broader implications for the regional or national economy.
3. Establish the Necessary Assessment Capabilities
It’s critical to assess the materiality of a cybersecurity incident rapidly. Determine precisely how long it takes to detect, investigate, evaluate, and disclose an incident. Streamline processes and build workflows to reduce response times so that your business can, at minimum, assess and disclose a material incident within the SEC’s required four-day window.
4. Create Incident Response Plans and Disclosure Procedures
These plans and procedures are required to comply with the new SEC cybersecurity rules. Test your disclosure controls and procedures and incident response plans to ensure they work together to address the new report disclosure requirements. Ensure the right people have the training to complete and submit the required forms.
5. Identify Responsibilities of Key Individuals
Your incident response plan should be a transparent roadmap for everyone involved in cybersecurity – from top executives (C-suite) to all employees. It should outline everyone’s role, including who they report to (up the chain) and who they coordinate with (downstream). The plan should also assign clear responsibilities for quickly sharing accurate and consistent information about any significant security incident with internal staff and external stakeholders.
6. Review Your Current Cybersecurity Risk Governance Disclosures
Review your annual reports (Form 10-K) to ensure they accurately reflect board and senior management’s oversight of cybersecurity risks. Focus on board involvement, senior management roles (CISO, etc.), and your overall risk management processes. This ensures compliance with the SEC’s new cybersecurity governance disclosure requirements.
7. Institute Regular Employee Cybersecurity Awareness Training
Regular employee cybersecurity training strengthens compliance with the SEC rules in several ways. It reduces cyber attack risks, ensures everyone understands their security role, aids in faster incident reporting, and shows a proactive approach to the SEC. Although it’s not mandatory under the new SEC cybersecurity rules, security awareness training is a recognized best practice for effective cybersecurity.
CybeReady’s training fosters a strong security culture by making security training engaging, relevant, and ongoing—empowering your financial company’s staff and stakeholders to actively protect the organization.
Turn the SEC Cybersecurity Rules into Strength with CybeReady
With cybercrime booming, the much-needed new SEC rules highlight the push for strong cybersecurity in the financial sector. These rules aren’t just about compliance—they’re essential to protecting your company’s data and reputation while also protecting investors and clients.
The good news? The SEC cybersecurity rules can also help you build a security-aware culture across your entire organization, from new employees to the boardroom. Everyone needs to be on the same page about cybersecurity to stay safe and compliant.
This is where CybeReady can help. Our automated platform makes security awareness training fun and engaging for employees with a comprehensive, up-to-date program that covers phishing simulations, security best practices, and compliance training.
Start building a robust cybersecurity culture today with a free CybeReady demo.
