The SEC’s cybersecurity disclosure rules, adopted in July 2023, took effect for most registrants in December 2023. Publicly traded companies must report a material cybersecurity incident on Form 8-K (Item 1.05) within four business days of determining that the incident is material; the clock starts at that materiality determination, not at discovery, and the rule requires the determination to be made without unreasonable delay. Companies must also describe in their annual Form 10-K their processes for assessing, identifying, and managing material risks from cybersecurity threats, together with the board’s oversight of those risks and management’s role in handling them. The goal of these rules is to make cyber risk management transparent to investors and to hold companies accountable for their cybersecurity practices.
The SEC’s focus is on whether a company has working processes to prevent, detect, and limit the impact of cyber incidents, not on technical specifics that could help attackers: the rules do not require a company to describe its systems or planned response in a level of detail that would impede remediation. The reporting requirements are meant to push companies to assess their cyber risks, learn from past incidents, and have cybersecurity expertise at the executive and board level (the relevant expertise of the managers responsible for cyber risk is among the items the 10-K must describe). Companies that fail to address these issues can expect scrutiny from investors, business partners, and customers.
Because 10-K disclosures are public and comparable across companies, they are expected to raise the bar for due diligence in corporate cybersecurity: companies of every size and industry will be expected to have robust measures in place. Meeting that bar is not only a matter of controls. Managing an incident well, and making the materiality determination the rules require in a defensible time frame, depends on having practiced incident response with the stakeholders who will be involved.
Companies are encouraged to create and follow incident response playbooks that cover both worst-case scenarios and the more common incidents they are likely to see. Given the disclosure clock, a playbook should also name who makes the materiality determination, what evidence they base it on, and who prepares the Form 8-K. Collaboration with public and private sector partners, such as the FBI, CISA, and specialized legal counsel, is essential during an incident, and key suppliers, business partners, and customers should be treated as stakeholders when developing the response plan.
The new SEC reporting requirements are both an obligation and an opportunity. By making cybersecurity practices transparent, they give investors more insight into a company’s security posture and the risks it carries. Companies that take proactive steps to strengthen their cybersecurity measures can differentiate themselves in the marketplace and build trust with stakeholders.
Overall, the new SEC rules highlight the importance of cybersecurity risk management and incident response in today’s business landscape. Companies are encouraged to prioritize cybersecurity, collaborate with stakeholders, and continuously improve their incident response processes to effectively manage cyber risks and protect their business operations.