The U.S. Securities and Exchange Commission (SEC) adopted new rules in July 2023 aimed at enhancing the transparency and reporting of cybersecurity risks for public companies. The rules phased in at the end of 2023: the annual governance disclosures apply to fiscal years ending on or after December 15, 2023, and incident reporting on Form 8-K began on December 18, 2023 for most registrants, with smaller reporting companies given until June 2024. This significant regulatory change reflects the growing importance of cybersecurity in today’s interconnected world and has implications for both public and private entities.
Implications for Private and Smaller Companies
While these rules apply directly only to SEC registrants, their implications are not limited to them. A public company that suffers a reportable incident through a vendor will need facts from that vendor within days, so smaller and private companies in its supply chain can expect contractual notification and evidence-preservation obligations to flow down to them. This makes it important for all companies, whether public or private, to familiarize themselves with these regulations.
Mandatory Incident Reporting
One of the most significant aspects of these rules is the requirement for public companies to report a material cybersecurity incident on Form 8-K (Item 1.05) within four business days. The four-day clock starts when the company determines that the incident is material, not when the incident is first detected, but the rule also requires that the materiality determination be made without unreasonable delay after discovery, so a company cannot stretch the timeline by postponing that assessment. The only permitted delay is narrow: the U.S. Attorney General may authorize a deferral if immediate disclosure would pose a substantial risk to national security or public safety. This tight window is a challenge, as many incidents, even those involving the theft of personally identifiable information (PII), have historically taken far longer to be disclosed. The practical effect is to push companies to invest in faster detection, scoping, and containment, since the quality of the materiality decision depends on how quickly the facts of an intrusion can be established.
Determining what constitutes a “material” incident remains a point of uncertainty. The SEC did not set a bright-line test; it relies on the existing securities-law standard of materiality (information a reasonable investor would consider important), and it expects companies to weigh qualitative factors such as reputational harm, customer relationships, and litigation or regulatory exposure alongside quantitative ones. Because that judgment is fact-specific, it may lead to legal challenges and increased defense costs, and the materiality of a given incident could ultimately be decided by the courts, making the reporting process difficult for companies to navigate.
Governance and Risk Management Disclosure
In addition to incident reporting, companies are now required to disclose their cybersecurity risk management and governance practices under new Item 106 of Regulation S-K.
This includes details about their processes for assessing, identifying, and managing material cybersecurity risks, including risks arising from third-party service providers, as well as whether any risks from cybersecurity threats, including prior incidents, have materially affected or are reasonably likely to materially affect the company. Companies must also describe their board of directors’ oversight of cybersecurity risk and the role and expertise of management in assessing and managing that risk. These disclosures form part of a company’s annual report on Form 10-K.
Focus on Cyber Resilience
To prepare for compliance and reduce exposure to regulatory action and shareholder suits, companies should consider strengthening their cybersecurity governance and risk management practices. They can establish a board committee, or assign an existing committee, responsibility for cybersecurity risk oversight, and adopt a written incident response plan that defines who gathers the facts, who makes the materiality determination, and how that decision and its timing are documented. Engaging outside counsel to set up the necessary framework for compliance is also advisable. Ultimately, prevention is the best defense against cyber incidents and potential litigation, but the four-day window also rewards detection: a company that cannot quickly see what an attacker touched cannot credibly assess materiality. A proactive mindset toward cybersecurity threats is therefore vital.
Potential for Legal Challenges
The new reporting rules may result in legal challenges, especially regarding the determination of materiality. Companies may need to navigate complex legal processes, such as sanctions screening before any ransom payment, compliance with other breach-notification laws, and interactions with regulators and law enforcement, all while determining the materiality of the cyber incident on a timeline that the rule will not allow to be unreasonably delayed.
In conclusion, the SEC’s new cybersecurity reporting rules have brought significant changes to the way public companies must handle and report cybersecurity incidents and risks. These rules aim to enhance transparency, but they also introduce potential legal and compliance challenges. To navigate these challenges effectively, companies, whether public or private, must invest in robust cybersecurity governance, risk management, and proactive prevention measures. The full impact of these rules on the frequency and severity of cybersecurity-related litigation is yet to be seen, but they mark a significant step forward in addressing the growing importance of cybersecurity in today’s business landscape.
Russell Uhrig helps business owners navigate the insurance industry and the complexities of an insurance policy. Working closely with these business owners, he provides the coverages that best fit the needs of his clients in their industry. Through the process of assisting businesses, Russell empowers business owners to gain a deeper understanding of their policies through analysis, provides customer service, and creates a service-oriented program.