In a significant move aimed at enhancing transparency and accountability in the business world, the U.S. Securities and Exchange Commission (SEC) has recently adopted new rules pertaining to cybersecurity risk management, incident disclosure, and ransomware payments for public companies and foreign private investors. This pivotal development comes as a response to the evolving threat landscape of cyberattacks, emphasizing the importance of timely reporting and robust cybersecurity strategies.
Why the New Rules?
SEC Chair Gary Gensler acknowledged that public companies have already reported material cyber incidents under the current rules. However, the existing reporting framework has yielded inconsistent, non-comparable, and often insufficient disclosure. The primary objective of the new rules is to create a more consistent, comparable, and decision-useful system of disclosure that benefits both companies and investors.
New SEC Rules Highlights: 4 Key Changes Every Company Must Know
- Material cybersecurity incidents must be reported within 4 business days.
- Ransomware payments must be reported within 24 hours.
- Impacted organizations must disclose reliance on third-party cybersecurity advisors.
- Executive management and board-level responsibility must also be disclosed.
Compliance Summary and Corporate Impact
Incident Disclosure: Faster and More Focused
The most notable change introduced by the SEC's new rules is the requirement for registrants to disclose cybersecurity incidents within four business days of determining that such incidents are material. The disclosure must include information about the nature, scope, timing, and material impact of the incident on the registrant.
Compared to the initial proposal in March 2022, the final rules focus on the materiality of the incident itself rather than on the detailed incident information the proposal originally emphasized. This change aims to balance the needs of investors with concerns about exposing too much information to threat actors.
Materiality, in this context, extends beyond financial impact alone. Companies must also consider qualitative factors like reputational damage or regulatory repercussions when determining whether an incident is material.
Moreover, registrants must now include relevant third-party or supplier incidents in their reports, which expands the scope of disclosure to encompass incidents occurring in a company's supply chain or ecosystem.
Ransomware Payments: Rapid Reporting Required
The new rules require that ransomware payments be reported within 24 hours. This swift reporting requirement reflects the urgency surrounding ransomware attacks, which have become increasingly prevalent and damaging in recent years. Rapid reporting not only provides investors with timely information but also aids law enforcement efforts to track and combat cybercriminals.
In cases where immediate disclosure would pose a substantial risk to national security or public safety, the U.S. Attorney General can authorize a 30-day delay in reporting. This delay can be extended for an additional 30 days if the Attorney General deems it necessary. In "extraordinary circumstances," disclosure may be delayed for a final period of up to 60 days, subject to the Attorney General's determination.
Third-Party Involvement and Capacity Disclosure
The new rules also require registrants to disclose whether they engage assessors, consultants, auditors, or other third parties in connection with their cybersecurity. This information is essential for investors to understand a registrant's reliance on third-party cybersecurity expertise.
Additionally, companies are expected to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats. This includes discussing how these processes are integrated into their overall risk management systems, whether third parties are involved, and whether there are specific oversight mechanisms for third-party service providers.
Management's Role and Expertise
The SEC rules also emphasize the board of directors' oversight of cybersecurity risks and management's role and expertise in assessing and managing these risks. Companies must disclose which management positions or committees are responsible for these assessments, the expertise of individuals involved, and the processes for monitoring and reporting cybersecurity incidents to the board.
Harmonizing with Other Reporting Requirements
Recognizing that several federal agencies and states have established cybersecurity incident reporting requirements, the SEC has committed to addressing potential conflicts with these regulations through future rulemaking or actions. The agency also participates in interagency working groups on cybersecurity regulatory implementation to ensure alignment with other regulatory bodies.
Effective Date of the New Rules
The new SEC reporting rules are set to become effective 30 days after publication in the Federal Register. Foreign private issuers must comply with the rules for annual reports covering fiscal years ending on or after December 15, 2023. Smaller reporting companies will have an additional 180 days before they must begin providing Form 8-K disclosure.
Investor and Industry Response
Initial reactions from investors and cybersecurity vendors have generally been positive. The rules are viewed as a step toward greater transparency and consistency in cybersecurity disclosures. Moody's Investors Service noted that the rules are credit-positive for public companies, especially those with elevated cyber risk, as they facilitate comparisons of how different companies address these challenges.
Conclusion
The SEC's adoption of new rules regarding cybersecurity risk management, incident disclosure, and ransomware payments marks a significant milestone in enhancing cybersecurity transparency and accountability for public companies and foreign private investors. By streamlining incident reporting, emphasizing materiality, and requiring rapid disclosure of ransomware payments, these rules seek to provide investors with timely, comparable, and decision-useful information while promoting robust cybersecurity practices.
As the threat landscape evolves, these rules will play a crucial role in helping companies and investors navigate the complex world of cybersecurity risks. It is imperative for businesses to proactively assess their cybersecurity processes, engage with third-party experts, and ensure that their management and governance structures are well-prepared to address these emerging challenges. In doing so, they can comply with the new SEC rules and bolster their overall cybersecurity resiliency in an increasingly digital world.
Contact the VikingCloud team for information on the SEC ruling and how to ensure your organization remains in compliance.