New Cybersecurity Disclosure Rules for Public Companies

A significant change is on the horizon for public companies concerning their cybersecurity practices. The Securities and Exchange Commission (SEC) has adopted a rule that requires these companies to be more transparent about their cybersecurity posture and about any material breaches they experience.

The Essence of the Final Rule

The SEC’s Final Rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies was adopted on July 26, 2023. This rule requires public companies to:

  • Disclose their cybersecurity risk management, strategy, and governance annually (in the Form 10-K).
  • Report material cyber incidents within four business days after determining that the incident is material (on Form 8-K).

This move aims to increase transparency in how public companies handle cybersecurity threats and their readiness to address them.

SEC Chair Gary Gensler commented on the importance of such disclosures. He drew parallels between the significance of a company losing physical assets and the implications of a cybersecurity breach. The new rules aim to ensure that investors are well-informed about the cybersecurity risks associated with their investments.

Key Disclosure Requirements

The Final Rule introduces two primary requirements:

  1. Annual Cybersecurity Posture Disclosure: This is akin to a health check, giving investors insight into how a company identifies, assesses, and manages cybersecurity risk, and how its board and management oversee that effort.
  2. Incident Reporting: If a company determines an incident to be “material,” it must disclose it within four business days of that determination, describing the incident’s nature, scope, and timing and its material impact (or reasonably likely material impact) on the company. The standard for “material” is the securities-law standard: whether there is a substantial likelihood that a reasonable shareholder would consider the information important.

To clarify, if a company discovers a cyber incident on a specific date, it does not automatically have to disclose it four business days later. The clock starts only when the company determines that the incident is material, not when it is first detected.

However, there is an exception. If the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety, and notifies the SEC in writing, the disclosure may be delayed, initially for up to 30 days, with the possibility of further extensions.

Determining Materiality

The focus on material incidents is a welcome aspect of the Final Rule. The hope is that it will push companies to reduce incidents rather than simply add another layer of compliance paperwork. However, determining the materiality of an incident can be challenging. The rule states that this determination must be made “without unreasonable delay” after discovery, so a company cannot defer the decision indefinitely while an investigation runs. Even if forensics are ongoing, a company may already have enough information (what systems and data were affected, whether operations or customers were impacted, the likely financial exposure) to decide whether the incident is material.

The prospect of public disclosure on a short timeline raises the stakes for breach detection and the processes behind it. A four-business-day window is only workable if the security team can quickly establish the scope of an incident: which sensitive data was touched, which accounts and systems were involved, and how far the attacker could have moved. Security tooling should therefore be able to flag unusual activity around sensitive data and supply the context of user access and potential attack paths, and incident response procedures should feed those findings to the people who make the materiality call.

In Conclusion

The SEC’s new rule is seen as a positive step towards emphasizing the strategic importance of cybersecurity. With board-level attention now firmly on cybersecurity, security leaders will play a crucial role in ensuring their companies’ compliance with the Final Rule. The overarching message is clear: cybersecurity is no longer just an IT concern; it’s a business imperative.
