Earlier this year, the SEC announced new cybersecurity guidelines and finalized those rules in August after the standard public review period. These rules affect how public companies must report major cyber breaches and when. Additionally, the rules detail how board directors should prepare and manage ongoing security issues. The new rules take effect on December 1, 2023.
SEC Chair Gary Gensler said of the new cybersecurity guidelines, “Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors…I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
Directors should prepare the organizations they oversee to implement the new changes. This post will review the updated rules and how to prepare.
What are the new SEC cybersecurity guidelines?
The new rules from the SEC require all public companies to report “material” cybersecurity incidents within four days. Material incidents are those that significantly affect an organization’s business, finances, or operational capacity. The SEC gave two examples of “material cybersecurity incidents”:
- The same bad actor conducts multiple small attacks against the same company over a short time.
- Multiple bad actors exploit the same security weakness.
To be considered material, either scenario must affect the company’s ability to do business in a significant way. The four-day reporting requirement protects investors’ ability to make informed decisions.
The company that sustained a breach must also report on:
- The scope and impact of the attack
- The type of attack employed
- How the organization is addressing the issue and recovery efforts
- The organization’s cybersecurity policy and protocols
In addition, the new guidelines require details on how boards of directors (BODs) oversee cybersecurity risk. Directors’ experience in cybersecurity, training, and policy development initiatives must be described.
What types of companies need to report?
All companies that file with the SEC (i.e., public companies) are affected by the new guidelines, including domestic organizations, foreign private issuers (FPIs), small reporting companies, and emerging growth businesses.
There is one narrow exception to the four-day rule. Where disclosure would pose a substantial risk to national security, reporting on the incident may be delayed by up to 90 days.
What happens if your organization falls out of compliance?
Businesses that fail to report within the four-day window could face several negative consequences, including:
- SEC enforcement
- Investor litigation
- Reputational damage
How your board should prepare
Directors should begin preparations before the new regulations take effect. Education is the top priority. Educate all board members on cybersecurity issues and the SEC guidelines. It may be wise to bring in outside experts to train the board.
Further action steps include:
- Assess reporting of all cyber procedures and protocols.
- Appoint specific management members to oversee compliance reporting.
- Closely examine the board’s experience on cybersecurity. Identify and address any knowledge gaps.
- Evaluate all existing cybersecurity protocols, data breach response plans, and recovery plans. Ensure that these systems can be reported on in the case of a material breach. Consider what steps the board can advise management to take to strengthen cybersecurity and boost cyber hygiene initiatives, such as implementing strong password practices, regular patch management, and vulnerability testing.
- Review all third-party vendors and software supply chain partners. Identify potential weak points.
It’s essential to remember that the role of BODs is not operational; it is to advise and oversee. When dealing with compliance issues, there is a temptation to overstep this boundary. The goal is to communicate clearly with management, not to replace them.
Questions to take to management
Communication is critical to improving an organization’s security posture and meeting the new SEC cybersecurity guidelines effectively. Board members can ask management questions like the following to foster ongoing security conversations:
- What does IT leadership consider to be the most prominent security risks currently?
- What are the most significant vulnerabilities, and how are they being addressed?
- Of those vulnerabilities and risks, which scenario is most likely to occur?
- What risks should be prioritized?
Additionally, the board can ask the cybersecurity team to run through post-breach scenarios. What are the immediate actions the team would take? Who are the outside consultants they might rely on? How will they work with the communications team to create messaging on the breach to affected customers?
Ensuring insurance coverage
Of the outside professionals your board might consider for help with compliance, an insurance agent might not spring to mind. However, the cyber liability team at McGowanPRO consistently guides our clients through the ever-changing cybersecurity landscape. Our Cyber Liability / Data Breach Response Insurance policies are tailored to your organization’s unique needs.
In the current threat environment, it’s not a matter of if your organization will be breached but when. The key is to have an effective, SEC-compliant plan to mitigate damage and a robust cyber liability policy to cover the worst-case scenarios. Additionally, our experienced agents can make recommendations on getting and staying compliant.
Questions about the new SEC cybersecurity guidelines? Contact us to schedule a chat about compliance and your current cyber liability plan.