Adapting To SEC Cybersecurity Disclosure Requirements

The cybersecurity compliance landscape for public companies and foreign private issuers in the United States significantly evolved in 2023 with the introduction of new regulations by the SEC. Announced by SEC Chair Gary Gensler on July 26, 2023, these regulations mandate prompt disclosure of material cybersecurity incidents within four business days, except in circumstances where a delay is justifiable for national security or public safety reasons. Additionally, regulations require detailed annual reports on an entities’ cybersecurity risk management, strategy, and governance practices. Taking effect 30 days after the Federal Register publication in July, these rules aim to increase transparency for investors, companies, and the market by standardizing cybersecurity disclosures. They also highlight the SEC’s desire to enhance cybersecurity transparency.

Historical Context and Challenges

The regulations aim to address the underreporting of cyberattacks, a persistent issue that has limited both the government and industry’s ability to effectively respond to cyber threats. Despite encountering resistance, including from the U.S. Chamber of Commerce, Congress, and some SEC members, the rules necessitate thorough disclosure of the consequences of cyber breaches. This move towards transparency is designed to highlight the importance of cybersecurity protocols in response to the increasing frequency of cyberattacks disrupting various industries.

A Four-Day Reporting Mandate Amid Legislative Opposition

The requirement for public entities to report material cybersecurity incidents within four business days has sparked controversy and opposition from Congress. Recent efforts, led by figures such as Rep. Andrew Garbarino and Sen. Thom Tillis, seek to overturn the rule, citing conflicts with existing legislation like CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act of 2022) and concerns related to the over burdening cybersecurity professionals. This opposition underscores the tension between investor protection goals and the operational security of companies, balancing transparency with confidentiality.

Navigating the Complexities of Incident Materiality

Determining the materiality of a cybersecurity incident involves legal, preparedness, and technical considerations, focusing on the undeniable forensic details gathered post-event. Organizations face the challenge of distinguishing crucial information from irrelevant data during a crisis, emphasizing the importance of clear communication with shareholders about an incident’s impact.

Dual Challenges of Disclosure and Threat Management

The new disclosure requirements introduce a dual challenge for cybersecurity professionals: compliance and threat management, with the risk of increased targeting post-disclosure. The SEC offers some relief through delayed reporting under select conditions, emphasizing the critical need for cybersecurity preparedness among public companies.

The Crucial Roles of Cybersecurity and Compliance

The SEC’s new disclosure mandates highlight the critical importance for companies to either cultivate in-house expertise or form alliances with firms that specialize in both cybersecurity and compliance. Relying on compliance measures without implementing strong security protocols poses significant risks, just as emphasizing security without a framework for compliance may fail to provide clear accountability to investors and regulatory bodies. Companies are encouraged to build or seek out partnerships with entities proficient in navigating the complexities of both fields, thereby ensuring adherence to regulations and bolstering their defenses against cyber threats. This comprehensive approach is not only necessary to navigate the new regulations, but essential for protecting shareholder interests and maintaining the integrity of public confidence.

This article was originally published in Forbes, please follow me on LinkedIn.