Beginning December 2023, companies must comply with the remaining SEC cybersecurity rules adopted on July 26, 2023, many of which took effect in September of that year. The new requirements mark an era in which IT risk and cybersecurity are recognized by the SEC as significant business risks. This comes as no surprise to companies that have endured attacks that disrupted their operations. Exposure to cyberattacks presents substantial strategic, operational, and financial risks, affecting stakeholders and investors alike. Security breaches can lead to immediate financial losses, disrupt business operations, and cause lasting damage to a company’s reputation and brand, potentially affecting its stock price. The new SEC disclosure requirements aim to inform investors promptly about security incidents so they can make timely and informed decisions about their investments.
The Pending Impact on Private Companies
The SEC’s new regulations primarily target public companies, but private firms should not overlook their significance. The SEC’s drive for increased transparency affects all companies seeking investment, especially given the rise of “unicorn” companies in the tech sector, such as software, fintech, and health tech. These rapidly growing startups, valued at over $1 billion, highlight the need for clear visibility to safeguard investor interests. The SEC is considering increasing the amount of information that some nonpublic companies must file with the agency. Commissioners such as Allison Lee have argued that some private companies, because of their substantial size, can affect the lives of thousands of people while operating with little visibility.
But the impact on private companies extends beyond the SEC’s stated direction. Private companies are increasingly integral to public company supply chains, so a significant cybersecurity incident within a private firm poses a direct risk to its public customers and partners. The new annual disclosure requirements (Item 106 of Regulation S-K) also ask registrants to describe how they oversee cybersecurity risks associated with third-party service providers. Consequently, private companies should anticipate queries from public companies about their cybersecurity measures, incident reporting, and response strategies starting in 2024, as these elements become crucial for maintaining business relationships and trust in the evolving regulatory landscape.
Cybersecurity and the Cost of Capital
Beyond the SEC, corporate credit rating agencies such as Standard & Poor’s, Moody’s, and Fitch Group are also acknowledging the financial implications of cybersecurity risk. These agencies now factor the impact of cyberattacks into their assessment of an organization’s credit rating. A prime example is SolarWinds, whose S&P rating was downgraded from B+ to B in April 2021 following the widely publicized 2020 cyberattack. Such downgrades raise the cost of capital, amplifying the financial consequences of a significant cybersecurity incident and underscoring the growing intersection of cyber risk and corporate financial health.
Cybersecurity Risk Equates to Financial Risk
The SEC now recognizes cybersecurity risk as directly linked to a company’s financial stability. Material cyber incidents can significantly influence a company’s business strategy, financial projections, and planning. The SEC mandates not just the disclosure of recent material cyber incidents but also an annual description of whether risks from cybersecurity threats, including previous incidents, have materially affected or are reasonably likely to materially affect the company’s business strategy, results of operations, or financial condition. Furthermore, the SEC requires foreign private issuers to furnish similar disclosures (on Form 6-K) about material cybersecurity incidents that they disclose or publicize in a foreign jurisdiction, to any stock exchange, or to security holders. This shift underscores the increasing importance of cybersecurity in financial risk assessment and reporting.
Key Requirements to Know
Public companies are, of course, required to follow the new regulations immediately. The most important provision is a disclosure requirement dictating that companies must report any “material cybersecurity incident” within four business days of the date it was determined to be material. Note that the clock starts ticking not when the incident occurs or is detected, but when it is determined to be “material.” Materiality follows the standard securities-law test: whether a reasonable investor would consider the information important in making an investment decision, taking into account both quantitative and qualitative factors.
According to the SEC’s adopting release, the materiality determination must be made “without unreasonable delay” after discovery of the incident; a company cannot postpone the determination to avoid starting the clock. The notification must be made using new Item 1.05 of Form 8-K. The company must describe the material aspects of the incident’s nature, scope, and timing, and its material impact or reasonably likely material impact on the company, including its financial condition and results of operations. The rule does not require disclosure of specific technical details about the company’s planned response or its systems in such detail that it would impede remediation. An exception to the four-business-day deadline may apply if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety; the delay is initially up to 30 days and may be extended in limited circumstances. You can find out more about the other key provisions of the SEC regulatory actions here.
Are You Ready for the New Requirements?
Complying with the SEC’s new cybersecurity regulations, particularly the four-business-day deadline for reporting incidents determined to be material, poses a significant challenge. The critical question for cybersecurity teams and executive leadership is whether they can adhere to this stringent mandate. In the high-stress scenario of a cyber incident, four business days is a demanding deadline, and the materiality determination that starts the clock cannot be unreasonably delayed while the technical investigation continues. Tabletop exercises can be highly beneficial, providing insight into the organization’s readiness, including the processes, tools, and expertise for rapid response; they are most useful when they rehearse the materiality decision itself, with legal, finance, and disclosure counsel at the table alongside the security team, rather than only the technical containment steps. However, it is important to recognize that these exercises, while helpful, cannot fully emulate the chaotic and unpredictable reality of an actual breach.
For those seeking a deeper understanding of the new SEC cybersecurity regulations, or in need of expert guidance to ensure compliance, HALOCK Security Labs can help you understand your obligations and how to meet them. Our skilled security teams specialize in conducting comprehensive risk assessments to evaluate your current cybersecurity posture. We provide tailored advice on how to bolster your organization’s preparedness, positioning you to meet the new regulatory demands with confidence.
GUIDANCE ON HOW TO APPROACH THE SEC CYBERSECURITY RULES
Compliance Week Webinar Recording and Materials: Almost Everybody is Unprepared for SEC Cybersecurity Disclosures. But You Can Get Through This.