Fessing up is no longer optional for companies operating within the purview of the U.S. Securities and Exchange Commission. The regulatory body recently adopted new disclosure rules for reporting material cybersecurity incidents. Publicly traded companies must also provide yearly updates on their cybersecurity risk management, strategy, and governance.
This is a big change designed to provide investors more information about how public companies are confronting the realities of cybersecurity. “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said in a statement. “Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
The SEC’s new rules try to strike a balance between the importance of reporting major cybersecurity incidents and giving corporations enough flexibility that they aren’t reporting every single anomaly. There is also a narrow exception allowing disclosure to be delayed when it could affect national security or public safety. The new rules apply to domestic public companies as well as foreign private issuers whose securities trade on a U.S. exchange.
The new rules are only for what the SEC calls “material cybersecurity incidents.” Materiality is the same standard used elsewhere in securities law: information a reasonable investor would consider important. In practice, that means serious incidents likely to affect the company’s bottom line, customer trust, or its ability to operate, such as intellectual property theft, customer database leaks, and supply chain attacks. Companies are expected to make the materiality determination without unreasonable delay once they discover an incident, so the clock cannot be paused simply by deferring that decision.
Once a company determines that an incident is material, it has four business days to file a Form 8-K describing “the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact” on the company. The four-day window runs from the materiality determination, not from the day the incident was discovered. The disclosure may be delayed for a limited period only if the U.S. Attorney General determines that “immediate disclosure would pose a substantial risk to national security or public safety” and notifies the SEC of that determination in writing.
Aside from mandatory incident reporting, companies will have to include in their annual report (Form 10-K) a description of their processes for assessing, identifying, and managing material cybersecurity risks, along with whether any risks from past cybersecurity incidents have materially affected, or are reasonably likely to materially affect, the business. The annual report will also bring boards of directors into cybersecurity in a more public way, since companies will have to describe the board’s oversight of cybersecurity risks as well as management’s role and expertise in assessing and managing those risks.
The new rules become effective 30 days after their publication in the Federal Register. The annual disclosures are due beginning with annual reports for fiscal years ending on or after December 15, 2023. Material incident disclosures on Form 8-K are required 90 days after the date of publication in the Federal Register or December 18, 2023, whichever is later; smaller reporting companies get an additional 180 days before the incident-reporting requirement applies to them.
The new rules are a wake-up call to businesses that are not yet taking cybersecurity seriously enough, or that are stuck in outmoded ways of securing their networks and assets. Here’s a look at what we could see in the coming months as a result of these new rules.
Zero Trust is already a major buzzword within cybersecurity, but with these new rules many companies will be looking to see what it offers beyond the hype. The SEC rules do not prescribe any particular control or framework; they require companies to describe how they manage cybersecurity risk, which makes a coherent, explainable strategy valuable in its own right. Prioritizing a Zero Trust strategy is an effective way to bolster cybersecurity and gives a company a clear story to tell in its annual disclosure. Tools such as Zero Trust Network Access (ZTNA) allow organizations to manage and secure network access for employees both in the office and remote. ZTNA reduces the maintenance and hardware costs of on-prem appliances, and grants access to on-prem and cloud resources based on user identity and device context rather than network location, which limits what an attacker can reach with a single compromised credential or device.
The relationship between Chief Information Security Officers (CISOs) and the board is about to become more critical. Historically, CISOs have been somewhat sidelined from board attention, although this has been slowly improving. Because the annual report must now describe the board’s oversight of cybersecurity risk and management’s role in assessing it, the new SEC rules will likely catapult CISOs front and center, as boards will have to take a more active and documented role in cybersecurity oversight.
Smaller public companies that can’t afford the tools larger companies use will need to find cybersecurity products that deliver top-notch security without enormous expenditures. Although smaller reporting companies get extra time before the incident-reporting requirement kicks in, the annual disclosure applies to them on the same schedule. They will need to look for solutions that are easy to deploy, scalable, and cost-effective, offering a full range of security features and greater network visibility.
Get ready for the SEC’s new reporting rules by upgrading your cybersecurity with a cloud-based, scalable solution from Perimeter 81. Our platform is easy to use and fast to deploy, with the critical tools and technologies companies need to keep their networks secure, such as Secure Access via ZTNA, Secure Internet with a Secure Web Gateway, and Firewall as a Service. All of this is delivered over our Global Backbone Network to ensure fast connections and maintain user productivity. Embrace the new SEC rules with confidence thanks to Perimeter 81’s advanced networking and network security platform.
Book a Demo today.