The U.S. Securities and Exchange Commission (SEC) adopted new Cybersecurity Disclosure Rules in July 2023 to address an evolving threat landscape and the broadened attack surface that comes with mobile and IoT devices, cloud computing, and remote work. The rules support two of the SEC's core goals: transparency for the market and protection of investors. They cover cybersecurity risk management, strategy, governance, and incident disclosure. The incident-disclosure requirement applies to most registrants from December 15, 2023; smaller reporting companies have until June 15, 2024. The annual risk-management and governance disclosures are required for fiscal years ending on or after December 15, 2023. CISOs and other C-level executives need to understand these requirements and align their compliance programs with them.
Critical Components of SEC's Cybersecurity Disclosure Rule
The rules apply directly to companies that report to the SEC, which includes U.S. public companies and foreign private issuers listed in the U.S. They also reach, indirectly, the vendors and service providers that process data for those registrants, because an incident at a third party can be material to the registrant and has to be assessed under the same rule. Registrants must meet two main requirements or face SEC enforcement, including fines and penalties.
- Disclose material cybersecurity incidents. A registrant has four business days, counted from the day it determines that an incident is material, to file a Form 8-K (Item 1.05) describing the incident. The materiality determination itself must be made without unreasonable delay once the incident is discovered, so the clock cannot be stalled by postponing the assessment. An incident is material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision. The filing must describe the material aspects of the incident's nature, scope, and timing, and its material impact or reasonably likely material impact on the company, including its financial condition and results of operations. The rule does not require technical detail that would help attackers, such as specifics about affected systems, vulnerabilities, or planned remediation. Incidents on third-party systems the company uses (cloud platforms, SaaS, managed services) fall under the same rule: if such an incident is material to the company, it must be disclosed based on the information available to the company, which is not expected to conduct inquiries beyond its normal channels with the provider. Disclosure may be delayed only if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.
- Disclose cybersecurity risk management, strategy, and governance. In the annual report (Regulation S-K Item 106, Form 10-K), a company must describe its processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, including whether those processes are integrated into the overall enterprise risk management program, whether it engages assessors, consultants, auditors, or other third parties, and how it oversees risks from third-party service providers. It must also state whether any risks from cybersecurity threats, including prior incidents, have materially affected or are reasonably likely to materially affect the company. On governance, the company must describe the board's oversight of cybersecurity risk, identifying any board committee responsible, and management's role, including which positions or committees assess and manage the risk, their relevant expertise, and how they are informed about and monitor incidents. The final rule dropped the proposed requirement to disclose board members' cybersecurity expertise and does not require stating how often the board discusses cybersecurity. It does not mandate a dedicated CISO, but the company must identify who in management owns the risk and describe that person's expertise.
Impact on Healthcare
Publicly traded healthcare providers in the U.S. that transmit health information electronically in connection with HIPAA-covered transactions are covered entities under the Health Insurance Portability and Accountability Act (HIPAA). They must protect protected health information (PHI) under HIPAA's Privacy and Security Rules and follow the Breach Notification Rule, which requires notifying affected individuals without unreasonable delay and no later than 60 calendar days after a breach of unsecured PHI is discovered. Breaches affecting more than 500 residents of a state or jurisdiction must also be reported to prominent media outlets, and breaches affecting 500 or more individuals must be reported to the Secretary of Health and Human Services within the same 60-day window; smaller breaches are logged and reported annually. These companies are not exempt from the SEC rules and must also disclose material cybersecurity incidents and their risk management and governance strategy. The two regimes do not line up: HIPAA's 60 days run from discovery of the breach, while the SEC's four business days run from the materiality determination, which itself must be made without unreasonable delay. A single ransomware incident exposing PHI can therefore require an 8-K filing weeks before the HIPAA notifications are due, and the two disclosures go to different audiences with different required content, so incident response plans need to track both clocks and keep the statements consistent.
Recommendations
Although the Cybersecurity Disclosure Rules are already in effect, smaller reporting companies have until June 15, 2024, to comply with the incident-disclosure requirement. Use the following recommendations to make sure your organization is prepared for the new requirements.
- Review your organization's current risk management and incident disclosure practices. Map existing practices against the two disclosure requirements to find the gaps: does the incident response plan include a materiality assessment step with a named owner, does it escalate to legal, finance, and whoever prepares SEC filings, and can the annual governance description be written from documented processes rather than reconstructed after the fact? This assessment gives decision-makers a clear view of the organization's security posture and simplifies the transition to the new SEC disclosure requirements.
- Make preparations to adjust your organization's practices. If not already underway, start updating risk management and incident disclosure practices now. CISOs should define a documented materiality-assessment framework (who participates, which factors are weighed, how the decision and its timing are recorded) so the four-business-day clock can be met without rushing the analysis, and strengthen third-party risk management so incidents at providers reach that assessment process quickly.
- Review third-party risk management practices. Incidents on systems run by vendors and service providers can be material to your company and are disclosable under the same rule, so third-party risk management is now a disclosure matter as well as a security one. Make sure contracts require prompt incident notification with enough detail to support a materiality assessment, and that the annual report can accurately describe how you oversee third-party risk.
- Focus on continuous improvement of cybersecurity practices. Treat the new requirements as an opportunity to make security a continuous process: strengthen governance, risk management, and incident disclosure practices, and keep them current as threats and vulnerabilities change.
Bottom line
The SEC's new Cybersecurity Disclosure Rules require public companies to bring their cybersecurity governance and incident handling up to a standard they can describe publicly. Because compliance is mandatory for SEC registrants, including smaller reporting companies after June 15, 2024, the remaining time is best spent strengthening practices that also build investor and customer trust. Start now, aim for full compliance, and treat security as a continuously evolving practice to stay ahead of new threats and vulnerabilities.
References
- Our Goals, U.S. Securities and Exchange Commission, April 6, 2023
- Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, U.S. Securities and Exchange Commission, 2023
- SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies, U.S. Securities and Exchange Commission, July 26, 2023
- Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, U.S. Securities and Exchange Commission, November 14, 2023
- Cybersecurity Disclosure, Erik Gerding, Director, Division of Corporation Finance, U.S. Securities and Exchange Commission, December 14, 2023