This week, the Securities and Exchange Commission’s new cybersecurity disclosure and risk management rules for public companies took effect.
With the new rules, the SEC is emphasizing the widespread need for more “timely and reliable” cybersecurity information, because so much economic activity relies on electronic systems. The rules also come as businesses are seeing an increase in the number of security incidents and their associated costs, including “business interruption, lost revenue, ransom payments, remediation costs, liabilities to affected parties, cybersecurity protection costs, lost assets, litigation risks and reputational damage,” the SEC says.
Starting December 15, companies must include governance and risk management strategy disclosures in annual reports for fiscal years ending on or after that date. The incident disclosure requirements apply to most companies beginning December 18; smaller reporting companies have an extended deadline of June 15, 2024, to begin complying with them.
Here’s a breakdown of what we can expect from the new rules.
What Companies Have to Disclose
- Material cybersecurity incidents: Companies must disclose material cybersecurity incidents on Form 8-K, Item 1.05, within four business days of determining that an incident is material, describing its nature, scope and timing and its material impact or reasonably likely material impact. The clock runs from the materiality determination, not from discovery, and that determination must be made without unreasonable delay.
- Incident disclosure updates: If required information is not yet determined or available when the initial 8-K is filed, companies must file an amendment once it is.
- Foreign private issuers: Form 6-K is required for material cyber incidents that the issuer discloses or publicizes abroad, to a stock exchange or to security holders.
- Risk management and strategy: Companies must describe their processes for identifying, assessing and managing material risks from cybersecurity threats, and whether any such risks have materially affected, or are reasonably likely to materially affect, their business strategy, results of operations or financial condition.
- Governance: Companies must describe the board’s oversight of cybersecurity risk and management’s role and expertise in assessing and managing that risk.
How to Prepare Your Organization
There are several steps you can take to make sure your organization is ready to comply with these new rules, according to Mandiant.
- Cybersecurity Strategy: Define a clear governance and response strategy, aligned with best practices, that enables effective decision-making and transparent reporting of cyber risks to executives and stakeholders.
- Risk Management Enhancement: Strengthen your cybersecurity risk management program so incidents with potential material impact can be assessed quickly, and make sure it is aligned with your enterprise risk management program.
- Identify Critical Assets: Identify and evaluate your organization’s most valuable assets to inform materiality determinations, prioritize high-impact areas and improve the precision of your response.
- Plan Updates: Map critical systems and data to incident response plans, playbooks and governance documentation so they support SEC reporting requirements.
- Legal Considerations: Establish incident response and legal retainers in advance to support operational resilience and compliance with SEC reporting and disclosure mandates.
- Readiness Testing: Conduct exercises, such as tabletop drills that walk through a materiality determination and the filing timeline, to assess readiness, identify gaps and confirm compliance with the rules.
- Stakeholder Mapping: Develop a comprehensive communication plan that keeps internal and external messaging consistent during an incident and avoids statements that conflict with SEC filings.
- External Partners: Identify and engage external partners such as legal counsel, insurers, forensics firms, communications specialists and ransomware negotiators, so they can assist in incident response within your organization’s ecosystem.