The latest federal guidelines demand unwavering transparency and immediate action to safeguard organizations, stakeholders, customers, and communities. Cybersecurity teams must swiftly adapt to these new directives, while security leaders need to take charge and ensure full compliance with the updated regulations.
Last July, the Securities and Exchange Commission (SEC) published new rules on the disclosure of cybersecurity incidents, which have been in effect since December. Now, companies must disclose security incidents within a tight deadline and provide comprehensive details about their governance, security strategies, and risk management.
Given the unprecedented increase in cyberattacks in 2023 and the exorbitant rise in ransom prices, these new guidelines aim to establish a more systematic approach and improve how security incidents are reported. It is crucial to note that these rules are not exclusive to U.S. companies; any company listed on the U.S. exchanges must comply with the SEC reporting requirements and adhere to the disclosure regulations.
As we begin 2024, organizations must understand and comply with these new mandates.
What is the SEC?
In the aftermath of the 1929 Wall Street crash, the SEC was established as an autonomous U.S. federal government agency to ensure strict enforcement of securities laws against market manipulation. The organization is committed to safeguarding investors' interests, promoting capital formation, enforcing federal securities laws, regulating securities markets, and providing critical financial data.
From issuing timely alerts about emerging scams and compiling comprehensive resources for small businesses to providing APIs for aggregated financial reporting data, the agency leaves no stone unturned in its efforts to protect American households from unethical market practices.
So, What Are These New Guidelines?
Cybersecurity threats such as cyberattacks, supply chain attacks, network intrusions, and ransomware have become an everyday occurrence, causing significant damage to the industrial, financial, and federal government sectors. The average cost of a data breach reached an all-time high last year - approximately $4.45 million.
To combat these threats, cybersecurity governing bodies are enforcing strict policies and regulations. The federal government introduced the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) in March of 2022 to standardize the reporting of cyber incidents and ransomware to the Cybersecurity and Infrastructure Security Agency (CISA).
To ensure companies take cybersecurity seriously, the latest SEC disclosure rules that took effect at the end of last year require companies to disclose specific security incidents within four days of the incident investigation, as well as their overall cybersecurity strategies.
These measures emphasize the vital role of security strategies, considerations, and accountability in corporate governance and reporting. These new regulations aim to prioritize the protection of company data and assets while fulfilling any obligations to clients and investors.
How Do I Comply?
To meet the revised requirements, it is mandatory for public and private companies to immediately inform their investors about any data loss issues or security breaches within four business days of the incident investigation. Moreover, these companies must provide yearly updates regarding their comprehensive security measures, risk management tactics, and broader cybersecurity strategy. To comply with structured data requirements, disclosures must be tagged in the Inline eXtensible Business Reporting Language within established timeframes.
It is worth noting that non-compliance can lead to severe legal consequences and hefty fines. Last year, the SEC filed 784 enforcement actions, ordered $5 billion in financial remedies, and distributed $1 billion to affected investors. While safeguarding whistleblowers and investors, the agency charged a range of violators, including public companies such as Goldman Sachs and some social media influencers. The charges covered a wide range of violations, from billion-dollar fraud to cases involving crypto asset securities and cybersecurity.
What's Next?
Looking ahead to 2024, companies must prioritize a culture of responsible and transparent cybersecurity practices in the rapidly evolving digital world. Timely disclosures that are detailed and candid in their severity can build trust between companies and their investors, customers, and community.
To revamp cybersecurity and risk management strategies, consider implementing the following:
- Develop a robust system for identifying, reporting, and defending against cybersecurity threats and events.
- Assess the risks involved in working with third-party applications or companies — particularly those with investor or client relationships.
- Refresh employees on basic security measures and on how to respond appropriately to security incidents of any kind.
- If a security incident occurs, disclose sufficient insights about the incident to investors to avoid legal issues while ensuring that no further risks are posed to the company.
The new requirements should strengthen an investor's position and increase their awareness of what they are financing. These new conditions for the incident and annual strategy disclosures will now provide them insights into breaches or risks that could affect their investment decisions.
It's high time for organizations to take cybersecurity seriously. This year, all companies must prioritize finding cybersecurity solutions that consolidate and reinforce their defenses and strengthen their cybersecurity posture to satisfy these new SEC regulations.