Cybersecurity Processes of Public Companies Are in SEC Crosshairs

On July 26, 2023, the US Securities and Exchange Commission (SEC) adopted new rules imposing a four-day timeline for reporting cybersecurity incidents and requiring public companies to periodically disclose their cybersecurity risk management processes and governance. The SEC actions aim to protect investors from the negative economic impact of increasing cyberattacks.  

IBM’s annual Cost of Data Breach Report finds that businesses spend $4.5 million every time they get hit by a data breach. The SEC’s new rules put the onus on companies to provide investors with information about how they manage cyber risks. 

According to the SEC, periodic disclosures are due beginning with annual reports for fiscal years ending on or after December 15, 2023. Incident disclosures are due 90 days after the date the new rules are published in the Federal Register or December 18, 2023, whichever is later. “Smaller companies” as defined by the SEC have an additional 180 days to report a cyber incident.  

To prepare for the new SEC rules, companies should ask themselves: 

• What is our process for reporting cybersecurity incidents? Leaders and board members should understand your internal escalation and external reporting processes.  
• How do we determine the materiality of a breach or attack? In addition to financial impact, you need to consider the effects on reputation, customer relationships, vendor relationships and regulatory compliance.  
• Are our processes for determining materiality documented? Be sure you have detailed documentation to support your rationale for determining if an incident is material or not material.  
• What is the right level of information to disclose? Consider how you will comply with the new requirements without revealing confidential information about your cybersecurity procedures and program.  
• Can we meet the four-day reporting period? Four days is a short timeframe for companies to investigate if an incident is material. Fortunately, the SEC allows companies to file amendments to their initial disclosure as new information becomes available.  
• When signing and certifying information about your company’s cyber risk management program, are we confident in its integrity and completeness? Accurate disclosure requires coordination among security, finance, risk and legal teams and key business leaders. 

The most effective way of dealing with the SEC’s new rule is to prevent cybersecurity breaches from occurring in the first place. Traliant’s Data Privacy and Information Security training raises workforce awareness on how to safeguard customer and company information.