Navigating the New SEC Rules on Cybersecurity Disclosure
In an era marked by increasing cyber threats, safeguarding sensitive information has become a paramount concern for businesses worldwide. Recognizing the critical importance of cybersecurity, the U.S. Securities and Exchange Commission (SEC) has recently implemented new rules regarding cybersecurity disclosure for public companies. All public companies will be required to comply with the new annual disclosure requirements for the fiscal year ending on or after December 15, 2023. These regulations are a proactive step toward enhancing transparency, and accountability when combatting evolving cyber threats.
The SEC voted 3-2 to adopt a final rule applicable to public companies imposing (1) new disclosure requirements around cybersecurity risk management and governance and (2) obligations to disclose material cybersecurity incidents in a timely manner. With the proliferation of cyber-attacks targeting businesses, the SEC plays a pivotal role in legislating to protect business interests.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
Key Highlights of the New Rules:
- Mandatory Disclosure of Cyber Incidents: The new rules necessitate public companies to disclose material information pertaining to cyber incidents, providing investors with timely and accurate information about potential risks and impacts on the business. An incident is deemed material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision.
- Disclosure of Cybersecurity Policies: Public companies are now required to divulge their cybersecurity policies and procedures. This ensures that investors have insight into the strategies in place to mitigate cyber risks.
- Board Oversight and Expertise: The rules underscore the importance of board oversight in cybersecurity matters. Public companies must disclose any cybersecurity expertise present on their boards, or detail how the board oversees cybersecurity risks. This means that having the right cybersecurity talent or partners is imperative to help manage cybersecurity processes.
- Timely Reporting: The rules emphasize prompt reporting of cyber incidents, ensuring that material information is disseminated in a timely manner, which is classified as four business days after discovery. Consistent with the SEC’s rule proposal, the final rule uses the date of the materiality determination as the trigger for when the four business day time period begins to run, rather than the date of discovery of the incident—an important distinction to be aware of.
- Enhanced Risk Factors Disclosure: Public companies must enhance their disclosure of risk factors related to cybersecurity, highlighting potential vulnerabilities and impacts on the business.
- Continuous Assessment: The rules emphasize the need for public companies to continuously evaluate their cybersecurity policies and procedures in light of evolving threats. As the threat landscape evolves, so must cybersecurity strategies and tactics.
Conclusion:
The SEC’s recent adoption of new rules on cybersecurity disclosure reflects a proactive approach towards strengthening the resilience of public companies against cyber threats. These rules equip investors with the information they need to make informed decisions. Public companies, in turn, are incentivized to fortify their cybersecurity policies and procedures, ultimately contributing to a more secure corporate landscape.
At Zyston, we recognize the critical importance of cybersecurity in today’s digital landscape. Our cutting-edge solutions and expertise are aligned with the SEC’s mission to enhance cybersecurity measures within public companies. Our AI-driven Security Program Maturity software, CyberCAST, provides a strategic and tactical roadmap to strengthen security frameworks over time, helping your business remain compliant. To learn more about how Zyston can help fortify your cybersecurity defenses, visit www.zyston.com
CyberCast Security Reporting
Security reporting that speaks business
Zyston CyberCAST brings the world of cybersecurity metrics up out of the weeds and into the hands of executive decision makers so nothing gets lost in translation. With CyberCAST, your organization gets clear visibility on security risks and also how your organization scores against your industry peers.