Updated federal guidelines emphasize transparency and swift action to safeguard organizations, stakeholders, customers, and their communities. As cybersecurity teams adjust to the government’s latest directives, security leaders must prepare and ensure compliance with these new regulations.
In late July 2023, the Securities and Exchange Commission (SEC) released new requirements surrounding cybersecurity incidents and their disclosures that went into effect this past December. The mandate requires companies to share any security incidents under a tight deadline and detail their organization’s security strategies, risk management, and governance.
With cyberattacks reaching an all-time high in 2023 and ransom demands skyrocketing, these new guidelines are meant to institute a systematic approach to, and improve, how security incidents are disclosed. And these rules are not just for US companies. Any company listed on the US exchanges is subject to the SEC reporting requirements and must abide by these disclosure requirements.
As 2024 begins, here’s what organizations need to know:
Background: Securities and Exchange Commission (SEC)
After the 1929 Wall Street crash, the SEC was established as an independent US federal government agency that enforces securities laws against market manipulation. The agency aims to inform and protect investors, facilitate capital formation, enforce federal securities laws, regulate securities markets, and provide data.
From issuing alerts about emerging scams, to compiling resources for small businesses, to offering APIs for aggregated financial reporting data, the agency aims to protect American households that have turned to the securities market to invest in their futures.
The Significance of the New SEC Guidelines
Cyberattacks, supply chain attacks, network intrusions, and ransomware have snowballed into a daily occurrence, and the industrial, financial, and federal government sectors weather the brunt of these attacks. In 2023, data breaches reached an all-time high, with the global average cost being around $4.45 million.
As a result, cybersecurity governing bodies are hawk-eyed in enforcing cyber policies. In March 2022, the federal government issued the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) to implement and standardize the reporting of cyber incidents and ransomware to the Cybersecurity and Infrastructure Security Agency (CISA).
These new 2023 SEC rules, which took effect at the end of last year, aim to increase companies’ transparency and accountability: companies must disclose specific security incidents within four days of the incident investigation, and must also disclose their overall cybersecurity strategies. The latest measures underscore the crucial role of security strategy, considerations, and accountability in corporate governance and reporting. These actions prioritize the protection of a company’s assets and data along with its obligations to its clients and investors.
New Responsibilities and Compliance
Per the new requirements, public and private companies must now inform their investors of any relevant breaches or data loss issues within four business days of the incident investigation. They must also provide annual insights into their comprehensive security measures, risk management tactics, and broader cybersecurity strategy. Companies must also tag these disclosures in Inline eXtensible Business Reporting Language (Inline XBRL) within specified timeframes to comply with structured data requirements.
Failure to comply could result in legal consequences and hefty fines. In 2023 alone, the SEC filed 784 enforcement actions, ordered $5 billion in financial remedies, and distributed $1 billion to harmed investors. The actions covered a range of violations in the securities industry, from billion-dollar fraud to crypto asset securities and cybersecurity matters. While maintaining protections for whistleblowers and investors, the agency charged a wide range of violators, from public companies like Goldman Sachs to social media influencers.
So, What’s Next?
Shifting into 2024, organizations must prioritize a culture of responsible and transparent cybersecurity practices in the rapidly evolving digital world. This involves timely, detailed, and brutally honest incident disclosures to build trust among customers, stakeholders, and their community at large.
For some organizations, complying with these new mandates will require a fundamental shift in cybersecurity protocols. They must reinvest in and expand the cybersecurity and risk management strategies that could affect investors. Some initial tips to get started:
- Come up with a comprehensive system for identifying, maintaining, and reporting cybersecurity threats and events.
- When working with third-party companies, it’s crucial to assess the risks involved – particularly those with investor or client relationships.
- Review the readiness of all teams within the organization to respond appropriately to security incidents of any size.
- Strike a balance between disclosing sufficient information about security incidents to investors to avoid legal issues while ensuring that no further risks are posed to the company.
As for investors, the new rulings should bolster their position and increase their awareness of what they are investing in. These new requirements for incident and annual strategy disclosure will now provide them insights into breaches or risks that could affect their investment decisions.
Moving forward, all companies must prioritize finding a cybersecurity solution that consolidates and reinforces their defenses, strengthening their security posture so they can meet these new SEC regulations.