New SEC Cybersecurity Rules Take Effect December 2023

December 13, 2023
Compliance

As if there weren't enough things for companies to deal with during the holiday season, the first compliance dates for the U.S. Securities and Exchange Commission's (SEC) new cybersecurity disclosure rules fall in mid-December 2023: annual-report disclosures apply to fiscal years ending on or after December 15, 2023, and incident reporting on Form 8-K starts December 18, 2023. The rules apply directly to publicly listed companies, but private and smaller companies may be affected as well.

Disclosure Requirements

The complete text of the new requirements is in SEC Release No. 33-11216, "Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure," adopted July 26, 2023. The following is an overview of what it includes.

Publicly listed companies must disclose, on the new Item 1.05 of Form 8-K, any cybersecurity incident they determine to be material. The disclosure must describe the material aspects of the incident's nature, scope, and timing, as well as its material impact, or reasonably likely material impact, on the registrant, including its financial condition and results of operations.

The Item 1.05 Form 8-K is due within four business days after the registrant determines that a cybersecurity incident is material. That determination must itself be made without unreasonable delay after the incident is discovered, so the four-day clock cannot be pushed back by postponing the materiality analysis. Disclosure may be delayed only if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of that determination in writing; the initial delay is capped at 30 days, with further extensions possible only under the conditions the rule spells out.

Registrants other than smaller reporting companies must begin complying with Item 1.05 on December 18, 2023. Smaller reporting companies have until June 15, 2024. Companies that fail to meet the rule's requirements are subject to SEC enforcement, including civil penalties. The SEC publishes no fixed penalty schedule, but it has previously imposed eight-figure penalties in cybersecurity-related enforcement actions.

In addition, the new rules add Item 106 to Regulation S-K. It requires companies to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, and to describe whether any risks from cybersecurity threats, including those arising from previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition.

Item 106 also requires a description of the board of directors' oversight of risks from cybersecurity threats and of management's role and expertise in assessing and managing those risks. These disclosures are required in the registrant's annual report on Form 10-K, beginning with fiscal years ending on or after December 15, 2023, which is why the December 15 date matters for most calendar-year filers.

The rules require comparable disclosures by foreign private issuers on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.

Private Company Considerations

The SEC cybersecurity rules apply to publicly listed companies. However, it’s in the best interest of private companies to understand the rules and requirements as well.

Most public companies depend on third-party software vendors and other supply-chain partners, and a cyberattack anywhere along that chain could have a material impact on the public company. The disclosure obligation is the public company's, but an incident on a third-party system it relies on can still be material to it, so public customers will increasingly expect their vendors to notify them quickly enough to make a timely materiality determination. Third parties, public and private alike, should therefore be proactive in strengthening their cybersecurity defenses, and a robust incident response plan, including clear customer-notification commitments, belongs in those efforts.

The SEC Means Business

If there's any doubt that the SEC is serious about cybersecurity, its charges against Texas-based software company SolarWinds Corporation and its chief information security officer, filed October 30, 2023, should remove it. The lawsuit is already being described as a game changer for how listed businesses handle and report on cybersecurity.

The complaint alleges that SolarWinds misled investors by disclosing only generic and hypothetical risks at a time when the company and its CISO knew of specific deficiencies in its cybersecurity practices and of the increasingly elevated risks the company faced. The day after the complaint was filed, SolarWinds shares dropped 1.5%. The longer-term repercussions for the company remain to be seen.

Stronger Cybersecurity

Whether or not your organization is subject to the new SEC rule, there are numerous things you can and should do to strengthen its security posture. That includes:

  • Implementing a recognized cybersecurity framework like the NIST CSF (National Institute of Standards and Technology Cybersecurity Framework). This provides a structured approach to managing and mitigating cybersecurity risks.
  • Performing a comprehensive gap analysis to identify where your current controls fall short of the framework you have adopted.
  • Conducting a risk assessment to identify and prioritize potential threats and vulnerabilities.
  • Identifying and closing the cyber gaps that pose significant risks to your company’s operations and reputation. Close those gaps in priority order by criticality, cost, and effort.
  • Fortifying your cyber defenses by adopting a defense-in-depth strategy, which layers security measures to provide multiple lines of defense.
  • Establishing a robust incident response plan.
  • Enlisting the help of experienced, third-party cybersecurity and IT risk management experts to identify and address cybersecurity risks effectively.

If your organization is subject to the new rules, work closely with your legal team and senior leadership to define, in advance, how you will determine materiality. The standard is the securities-law one: whether there is a substantial likelihood that a “reasonable investor” would consider the information important. Decide ahead of time who makes the call and on what inputs, because the four-business-day clock starts at the determination, and the determination itself must be made without unreasonable delay.

Review all the other requirements of the new rules as well, and track every deadline. More detail is in the SEC’s adopting release.