As cyber threats continue escalating, regulatory bodies respond with new directives to ensure better transparency and security practices. Yesterday, the U.S. Securities and Exchange Commission (SEC) introduced new rules requiring increased disclosure from public companies and foreign private issuers regarding cybersecurity incidents and risk management strategies. But what exactly do these changes mean, and how can companies navigate this updated regulatory terrain? In this post, we will explore the nuances of the new rules and suggest strategies for compliance.
Understanding the new SEC rules: a brief overview
The new SEC rules focus on two key areas of cybersecurity:
- Disclosure of Material Cybersecurity Incidents: Companies are now required to disclose any cybersecurity incidents that are deemed material, that is, incidents that could have a significant impact on the company’s operations or investor decisions. They must provide details about the incident’s nature, scope, and timing, as well as its impact or likely impact on the company. The disclosure will be due four business days after determining that a cybersecurity incident is material.
- Annual Cybersecurity Risk Management Disclosure: In addition to incident reporting, the new rules require companies to provide details about how their board of directors supervises the handling of cybersecurity risks. They must also explain the management team’s responsibility and expertise in identifying and managing significant cybersecurity threats.
These disclosures aim to give investors a more diligent, consistent, and comparable understanding of a company’s cyber risks, improving overall market transparency.
In the following sections, we’ll delve deeper into these requirements, their implications, and how your company can ensure compliance.
How do new SEC rules impact public companies?
The recently implemented SEC rules are highly significant for public companies for several reasons:
- Enhanced Investor Trust: By mandating the disclosure of cybersecurity incidents and risk management strategies, the SEC drives companies to be more transparent. This transparency can foster increased trust from investors, who gain a clearer picture of how a company is handling cybersecurity threats and managing associated risks.
- Regulatory Compliance: Non-compliance with these new regulations can result in penalties from the SEC. Hence, it is in every public company’s best interest to fully understand and adhere to these new rules to avoid potential sanctions and reputational damage.
- Risk Management: These new regulations can act as a catalyst for companies to review and improve their cybersecurity policies and procedures. The requirement to publicly disclose their cybersecurity risk management strategies could motivate companies to implement stronger, more robust measures.
- Market Advantage: Companies that effectively manage and communicate their cybersecurity risks could potentially gain a competitive edge. Effective risk management and transparency can attract investors, who may view such companies as more reliable and secure investments.
Extending the scope: how the new SEC rules impact private companies
While the new SEC rules primarily target publicly-traded companies and foreign private issuers, their ripple effects are likely to be felt across the business ecosystem, including by private companies. Here’s how:
- Indirect Impact through Client Relationships: While private companies aren’t directly bound by these SEC regulations, they could find themselves indirectly affected, particularly if they provide services to public companies. If a cybersecurity incident in a private company has repercussions for a public company client, the public company may be required to disclose this under the new SEC rules. This could potentially impact the business relationship between the two companies and the reputation of the private company.
- Increased Scrutiny: In response to the new rules, public companies are likely to heighten their scrutiny of the cybersecurity practices of their vendors and service providers, including private companies. To maintain or foster relationships with public companies, private companies might need to demonstrate strong cybersecurity practices and a commitment to transparency.
- Voluntary Compliance: Private companies may find it beneficial to voluntarily align with the spirit of the SEC’s rules, particularly if they intend to go public in the future or if their investors demand such transparency. By following best practices in cybersecurity disclosure, private companies can better position themselves for future growth and partnerships.
Bottom line: While the SEC’s rules are not directly applicable to private companies, the impact of these regulations can still touch various facets of their operations. It’s in the interest of private companies to stay informed and potentially even align with these new standards as a matter of best practice.
Closer look at the new SEC rules
A critical component of understanding and complying with the new SEC regulations involves disclosing material cybersecurity incidents. But what exactly does “material” mean in this context? Let’s dive deeper.
The requirement to disclose material cybersecurity incidents
The new SEC rules mandate that companies promptly disclose any cybersecurity incident they deem “material.” The disclosure must include the nature, scope, and timing of the incident and its impact or likely impact on the company.
Understanding a “Material” Cybersecurity Incident: The term “material” in the context of these new rules refers to a cybersecurity incident that could significantly affect a company’s operations or could influence an investor’s decision about the company. Such incidents might include, for example, a substantial data breach, a major ransomware attack that disrupts operations, or an incident that could lead to significant financial costs or reputational damage.
Note that the definition of “material” can vary depending on a company’s specific circumstances, including its business nature and risk profile. Therefore, companies must establish clear criteria and processes for determining when a cybersecurity incident is “material” and warrants disclosure.
Annual disclosure of cybersecurity risk management, strategy, and governance
These annual disclosures are intended to give investors a comprehensive understanding of how a company is prepared to handle cybersecurity threats, the potential impacts of such threats, and how previous incidents have shaped their current strategies and future risk management plans.
- Risk Management and Strategy: Companies must outline their processes for assessing, identifying, and managing risks arising from cybersecurity threats. This includes detailing their cybersecurity strategies, tactics, and any notable initiatives they are undertaking to protect against cyber threats.
- Governance: Companies must share information about the role of their board of directors and management in overseeing and managing cybersecurity risks. This includes providing insights into how the board monitors the company’s cybersecurity risk and how the management is equipped to handle these risks.
- Effect of Risks and Previous Incidents: Companies must disclose the material effects, or the reasonably likely material effects, of risks from cybersecurity threats and past cybersecurity incidents. This includes discussing how these risks and incidents may impact their business, financial condition, or operations.
- Comparable Disclosures for Foreign Private Issuers: Similar to U.S. public companies, foreign private issuers must also disclose their cybersecurity risk management and governance practices.
Timeline and compliance for the new SEC rules
Getting to grips with the timeline for compliance with the new SEC rules is vital for businesses to avoid potential penalties and to ensure a smooth transition. Let’s break down the timeline:
- Effective Date: The new SEC rules will take effect 30 days after publication in the Federal Register.
- Form 10-K and Form 20-F Disclosures: The requirement to disclose cybersecurity risk management, strategy, and governance in the annual reports (Form 10-K for U.S. registrants and Form 20-F for foreign private issuers) will begin with fiscal years ending on or after December 15, 2023.
- Form 8-K and Form 6-K Disclosures: The requirement to disclose material cybersecurity incidents (Form 8-K for U.S. registrants and Form 6-K for foreign private issuers) will be due starting the later of 90 days after the date of publication in the Federal Register or December 18, 2023.
- Additional Time for Smaller Reporting Companies: Smaller reporting companies will have an extra 180 days before they need to start providing Form 8-K disclosure.
- Inline XBRL Tagging Requirement: All companies must begin tagging the disclosures required under the final rules in Inline XBRL format one year after they start complying with the related disclosure requirement.
Companies should mark these dates on their calendars and start preparing now to ensure they are ready to comply with the new rules when they take effect. This may involve reviewing and updating cybersecurity policies and procedures, establishing or refining processes for determining when a cybersecurity incident is “material,” and preparing for the new disclosure requirements.
How can Zilla Security help?
Prevention and remediation of “material” cybersecurity incidents
In this new regulatory landscape, companies need robust cybersecurity measures to prevent, detect, and swiftly address “material” cybersecurity incidents. This is where Zilla Security steps in:
- Detection of High-risk Areas: Zilla identifies high-risk areas across your organization, including security configurations, third-party access, orphan accounts, MFA, unused access, terminations, service accounts, and governance. With a focus on these high-risk areas, you can reduce the likelihood of a “material” cybersecurity incident.
- Comprehensive Risk Mitigation: Zilla Security mitigates identity and access threats through automated policies. By providing full visibility into your access and governance configurations and automating remediation, Zilla surfaces and eliminates access issues, making your security strategy proactive rather than reactive.
- Adherence to Cybersecurity Best Practices: Zilla’s policies adhere to CIS AWS Foundations Benchmark controls, AWS Foundational Security Best Practices, and PCI DSS controls for S3 resources, ensuring that your company follows cybersecurity best practices. Many of these best practices are available out of the box in the form of policies that companies can deploy and use on day 1.
- Swift Remediation: When issues do arise, Zilla enables timely remediation, significantly reducing the potential impact and keeping the situation from escalating to a “material” incident that would necessitate disclosure.
Annual disclosure of cybersecurity risk management, strategy, and governance structures
In addition to helping manage cybersecurity threats, Zilla Security can also assist your company in preparing for the annual cybersecurity disclosures required by the new SEC rules. Here’s how:
- Documentation of Risk Management Processes: Zilla provides complete and accurate reports to prove your risk management processes. These reports can serve as a foundation for your disclosures about how you assess, identify, and manage cybersecurity risks.
- Strategies for Addressing Cybersecurity Threats: Zilla helps you define the areas of identity security and governance that are important for your company. You can then create digital policies for each of them and enforce them consistently. Digitalizing your strategies makes it easier to describe them in your annual disclosures and gives investors a clear picture of your proactive approach to cybersecurity.
- Governance Structure: Zilla can help provide clarity around your governance structure. By detailing who in the organization has access to what information and who is responsible for making decisions about security settings, Zilla helps you maintain a complete and up-to-date picture of your company’s cybersecurity governance at all times.
- Impact of Risks and Past Incidents: With its tracking and reporting capabilities, Zilla can assist in measuring and documenting the effects of cybersecurity risks and past incidents. This can be invaluable when preparing your annual report and showing how your company learns from past incidents and adjusts its strategies accordingly.
- Support for Compliance: Zilla ensures the accuracy and completeness of the compliance paper trail, providing a solid basis for your annual disclosure of your cybersecurity risk management, strategy, and governance.
- Meeting the Deadlines: With the aggressive timelines for the new rules, Zilla can digitalize your audit preparation in just a few days.
Take action: prepare your company for the new SEC rules
Navigating the complexities of the new SEC rules can seem daunting. The good news is that you don’t have to do it alone. Zilla Security is ready to assist, offering a comprehensive solution that not only helps protect your company from cybersecurity threats but also supports you in meeting the SEC’s new disclosure requirements.
To learn more about how Zilla Security can help your company prepare for these new regulations, or if you have any questions about the new SEC rules, don’t hesitate to contact us. Our team of experts is here to guide you through every step of your cybersecurity journey.