New SEC Cybersecurity Reporting Rules Take Effect

In July 2023 the US Security and Exchange Commission (SEC) issued new rules on “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.” Most of the new rules took effect before the end of 2023, so businesses that are required to submit filings to the SEC need to take steps to ensure they are in compliance with those rules.

In the press release announcing the new cybersecurity rules, SEC Chairman Gary Gensler said,

Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.

According to analyst Frederick Havemeyer, the new SEC rules align with current cyber insurance trends that reward more transparent risk reporting with lower premiums on policies or better coverage. And both are increasing demand for solutions that enable observability, security analytics and real-time risk reporting.

What’s in the New SEC Rules?

The new rules cover both US public companies and foreign private issuers (FPIs). The rules call for two things:

1. Disclosure of material cybersecurity incidents within four business days of determining that a breach is material. The disclosure is made on Form 8-K, which has a new item 1.05 for this purpose. FPIs use Form 6-K.
2. Annual disclosure of cybersecurity risk management, strategy, and governance. This disclosure is done on the company’s annual report, Form 10-K for domestic public companies, Form 20-F for foreign entities.

One big question is what counts as “material.” The rules state that materiality is the same as in other securities contexts. Information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.”

Whether or not something is material is heavily dependent on the context of the company in question. Something that’s material for a company with $20 million in sales might not be material for a company with $2 billion in sales. The key factor is that the evaluation is to be done from the perspective of a “reasonable investor.”

Why New Rules and Why Now?

The Introduction and Background section of the new rules explains why the SEC felt new rules were needed:

• Increasing reliance on electronic systems coupled with a rise in cybersecurity incidents make transparency in cybersecurity more important. The SEC sees the COVID-triggered increase in remote work, increasing reliance on third party services for IT, and easier monetization of cyberattacks as factors in the increase in incidents.
• Recent developments in artificial intelligence exacerbate the threats by making it easier to generate malware used in attacks, even by attackers not versed in programming.
• Current disclosure practices are inconsistent, both in terms of what is reported and in how the reporting is done. Evidence suggests companies are underreporting cybersecurity incidents.

Complying with the New SEC Cybersecurity Reporting Rules

The best way to prevent the new SEC incident reporting requirement from adversely impacting your stock valuation is to adopt strong cyber protections that safeguard your organization from cyberattacks that you’d need to report. The Ericom Cloud Security Platform provides a unified, Zero Trust cloud-based solution that makes it simple to upgrade to a state-of-the-art approach to cybersecurity. Its clientless Zero Trust Network Access (ZTNA) solution secures company applications from the growing risks posed by unmanaged devices used by work-from-home employees and 3^rd party contractors. Remote Web Isolation safeguards endpoints against web-delivered zero-day exploits, phishing, credential theft and weaponized downloads in ways that detection-based solutions simply cannot.

The new reporting requirements provide investors with greater transparency regarding cybersecurity risk management. Investors and potential investors will feel comfortable knowing your company’s digital assets are protected by the only security approach that provides Zero Trust protection against internet-delivered threats. Contact us to learn more about how easy it is to upgrade to Zero Trust isolation-based cybersecurity.

---

Share this on:

---

About Tova Osofsky

Tova Osofsky, Ericom Director of Content Marketing, has extensive experience in marketing strategy, content marketing and product marketing for technology companies in areas including cybersecurity, cloud computing, fintech, compliance solutions and telecom, as well as for consumer product companies. She previously held marketing positions at Clicktale, GreenRoad and Kraft Foods, and served as an independent consultant to tens of technology startups.