How to make sense of the new SEC cyber risk disclosure rules

SEC’s new cybersecurity risk management, strategy, governance, and incident disclosure rules, which require increased transparency around cybersecurity incidents, have been in effect since December 18, 2023. For businesses that already harbor concerns over their cybersecurity protections, visibility, and incident response preparedness, meeting the SEC’s new incident reporting rules can be a serious challenge. Crucially, these rules impact private enterprises as well as publicly traded corporations, calling for organizations of all shapes and sizes to examine and potentially revise their practices.

Let’s take a deeper look at the SEC’s new rules, their implications, and the steps businesses can take to streamline reporting and successfully adapt to this change.

The new rules

Under the SEC’s new cybersecurity rules, public companies must report any material incident (defined as an incident that a reasonable investor would likely consider important) within four business days of becoming aware of it. Companies must also now file a report if a series of previously undisclosed incidents share a common factor that points to a material cybersecurity issue, such as incidents with a common attack source or mechanism.

Public companies must now disclose incidents on SEC Form 8-K. This is in addition to their annual Form 10-K reporting of information material to their cybersecurity risk, management, strategy, and governance practices. While the new incident reporting rules went into effect on December 18, 2023, smaller reporting companies have an additional 180 days before they must start disclosing incidents.

Private companies must understand these rules as well

The SEC is focused on establishing greater transparency and consistency in cybersecurity incident reporting practices. This includes making sure that private companies within the supply chains of public organizations also understand these rules and attune their cybersecurity practices accordingly.

While public companies will be directly responsible for incident disclosures, the SEC has demonstrated its willingness to hold private companies in their supply chains accountable. In a 2023 lawsuit involving a cyberattack on private law firm Covington & Burling, the SEC demanded the names of impacted clients, resulting in most of those clients being named in the lawsuit’s resolution. In another example, the SEC charged privately held Monolith Resources for violating whistleblower protection rules.

The SEC can and will enforce its cybersecurity rules on violators from both the public and private sectors—meaning that private companies in public company supply chains must prepare for transparent and timely incident reporting.

Adapting to the new SEC cyber rules

Cybersecurity teams at both public and private businesses may need to fundamentally transform their data collection practices and capabilities to enable incident reporting within a four-business-day timeframe. That said, the CISOs leading those teams should provide all the cybersecurity incident data and context they can to their company’s compliance and finance teams, which will determine whether incidents are “material” and file reports to the SEC accordingly.

To streamline and accelerate incident reporting, cybersecurity leadership should pursue several strategic operational changes. First, incident response teams should include a holistic breadth of governance functionality group ready to snap into action. That means including members empowered to communicate with the SEC and the market, supported by cybersecurity, legal counsel, and investor relations teams working in close collaboration.

CISOs should also explore revisions to their incident response data collection and forensic analysis processes as well, to improve methods or introduce new data aggregation solutions that deliver more timely reporting. Cybersecurity teams must report early and continuously in the aftermath of an incident. The right procedures to support iterative reporting make a crucial difference in reporting speed. Updating risk management processes is another critical practice, while also keeping in mind annual form 10-K requirements to report risk assessment program practices. Demonstrating and detailing effective risk assessment and management will help put both investors and the SEC at ease.

Finally, automated anomaly detection and policy management capable of quickly flagging and tracking attacks to their source (such as those coming via insufficiently secured IoT devices) are invaluable to both accurate and timely incident reporting and cybersecurity itself. Active forensic analysis should include topology reporting to determine the devices and connections involved in an incident. Flow analysis is also valuable for identifying the protocols used in compromised device communications and tracking any data transferred, and packet capture can provide insights into attackers’ techniques. Cybersecurity teams should also have the means to track device timelines, including complete histories of employee or software-induced device changes, discovered vulnerabilities, and mitigation activities.

Use the SEC’s requirements to bolster cybersecurity effectiveness

The transparency that the SEC’s cyber rules now demand will force many businesses’ hands to optimize their cybersecurity practices and increase the speed and accuracy of their incident reporting capabilities.

As attacks become more sophisticated and consequential, establishing clear visibility into incidents will only pay greater dividends moving forward, both in terms of SEC compliance and market success.