The U.S. Securities and Exchange Commission's New Cybersecurity Disclosure Rules
Navigating the New Era of Cybersecurity: The U.S. Securities and Exchange Commission (SEC) takes a bold step with its latest regulations on Cybersecurity Risk Management and Incident Disclosure. Uncover the details of this transformative final rule impacting publicly traded companies.
Back in March 2022, the U.S. Securities and Exchange Commission (SEC) proposed strengthening the existing rules and regulations concerning cybersecurity incidents and threats experienced by businesses. After a period of observation and analysis, the Commission found an increasing and ongoing risk associated with the current and emerging cyber threat landscape, together with a significant impact on businesses from cyber breaches. The same findings prompted regulators worldwide to introduce new regulations on cyber hygiene and breach notification.
Consistent with this trend, the SEC has ushered in a new era of cybersecurity transparency for publicly traded companies that are subject to the reporting requirements of the Securities Exchange Act of 1934 (the "Exchange Act"). Its final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure is a comprehensive regulation that aims to enhance investor protection by mandating prompt and detailed reporting of cybersecurity incidents that could materially impact a company's financial position, operations, or reputation.
The final rule is effective December 18, 2023 for applicable business entities. Smaller reporting companies have been given an additional 180 days after publication of the new rule in the Federal Register, meaning the rule would be effective for them no later than June 15, 2024.
These new regulations require U.S. publicly traded companies and foreign companies that trade in the U.S. to disclose cybersecurity incidents within four business days of determining that an incident is material to the company's financial performance. In addition, companies must annually describe their approach to cybersecurity risk management. The only exception is where the United States Attorney General determines that disclosure of such information would pose a substantial risk; otherwise, if companies do not comply with these requirements, the SEC can act and impose fines, cease-and-desist orders, or other penalties it sees fit.
It should be noted that although these regulations influence business behavior directly, they also place significant emphasis on the supply chain, because third-party breaches can materially impact end customers' financial position, operations, and reputation. To learn more about how to address third-party cyber security risks, you may reference Acumen's recent blog on How to Build an Effective Cyber Security Program.
The new cybersecurity disclosure rules represent a significant shift in the regulatory landscape. Companies must adapt their internal processes and communication strategies to meet the compliance requirements. While challenges exist, the ultimate goal of enhanced transparency and investor protection will benefit the market as a whole.
Additional Resources on the SEC Final Rule:
As an industry trusted advisor, Acumen can assist you.
For more information, connect with an AESI risk management and governance specialist!