Why You Need to Understand SEC Cybersecurity Breach Disclosure Rules

The U.S. Securities and Exchange Commission (SEC) is an independent federal agency responsible for regulating security markets and protecting investors. It was created in the wake of the stock market crash of 1929 to prevent a recurrence of the Great Depression. The Commission has the power to bring civil actions against lawbreakers and cooperates with the Justice Department in pursuing criminal charges when appropriate.

Publicly traded companies are required to abide by rules and standards defined by the SEC. The prevalence of data breaches affecting companies under the purview of the SEC and investors has resulted in the Commission developing new cybersecurity breach disclosure regulations. This post will discuss why you should care about the new regulations, their impact on regulated entities, and the processes required to maintain compliance with them.

An Overview of the SEC Cybersecurity Breach Disclosure Rules

The SEC released its final rule regarding Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure on July 26, 2023. The disclosure requirements went into effect as of mid-December 2023. Some smaller companies can take advantage of a 180-day deferral before being subject to the rule.

The rule is an extensive document that addresses investor demands for enhanced transparency regarding data breaches and the cybersecurity measures companies put in place to secure sensitive information. Its purpose is to make companies responsible for providing investors with current and consistent information about how they manage cyber risks. This information can then be used by investors to make informed decisions regarding their investment strategies.

Investors and stakeholders must receive timely and accurate disclosure of cybersecurity incidents for multiple reasons that include:

• Maintaining trust that the organization can effectively handle sensitive information and protect investors’ interests;
• Assessing a company’s risk management and cybersecurity preparedness to assist with making investment decisions;
• Evaluating the financial implications of a cybersecurity incident in the company which may influence investment decisions;
• Preventing insider trading which may result from the exploitation of sensitive information involved in an insider-initiated cybersecurity incident.

Details of the Final Disclosure Rule

The final rule encompasses disclosures related to cyber incident reporting, cyber risk management strategy, and cyber governance. Let’s look at the specific disclosure requirements public companies need to comply with for each item.

Cyber incident reporting

• Companies need to report material or substantial cybersecurity incidents on form 8-K within four business days of determining materiality.
• The nature, scope, timing, and material impact of the incident need to be described.
• A determination of materiality should be based on qualitative and quantitative factors regarding federal securities law materiality.

Cyber risk management strategy

• Companies are required to describe their processes for assessing, identifying, and managing cybersecurity risks.
• Organizations need to disclose how cybersecurity fits in with their comprehensive risk management posture.
• The way risks from cybersecurity threats may materially affect the company need to be described.

Cyber governance

• The methods that the company’s board employs to provide oversight and remain informed regarding cyber risks.
• The role management plays in assessing material risks and implementing effective cybersecurity policies and procedures.
• Identification of specific management positions responsible for assessing and managing cyber risks.

The Scope of Cybersecurity Incident Disclosure Regulations

Disclosure requirements are predicated on the severity and materiality of a cybersecurity incident. The following two criteria need to be met to trigger mandatory disclosure.

A significant cybersecurity incident needs to have occurred. Significant incidents are those that significantly disrupt a company’s ability to maintain business-critical operations. This includes internal or external data breaches, hacker attacks, and incidents of unauthorized access or use of information systems that can cause significant harm to the company, its customers, or anyone who interacts with the organization.

The second criterion is the materiality of a given cybersecurity incident. A materiality assessment considers the multiple factors in determining if disclosure is mandated including:

• The scale and severity of the incident including the number of systems affected and the duration of the breach;
• The sensitivity and value of the data affected by the incident;
• If the incident compromised personally identifiable information (PII), financial data, or intellectual property;
• Negative impacts on business operations;
• Financial ramifications including remediation cost, legal fees, and regulatory penalties;
• Reputational damage and negative publicity generated by the incident; The effects on stakeholders such as customers, investors, and employees.

Disclosure Requirements and Timelines

When a cybersecurity incident affecting a publicly traded company meets these criteria, they are required to comply with the SEC Cybersecurity Breach Disclosure Rule and meet the following guidelines.

• Companies are required to submit Form 8-K within four days of determining that the incident meets materiality and severity guidelines. Disclosure can be delayed by the Attorney General if the reporting of cybersecurity incident disclosures would pose a substantial risk to national security or public safety.
• Companies are required to make annual disclosures about their risk management, cybersecurity strategy, and governance policies. This includes defining which management positions or committees are responsible for cybersecurity threats and the expertise they bring to the task.

Regulatory Enforcement

The SEC wields the power of civil law to bring cyber-related enforcement actions against non-compliant entities. The SEC’s Division of Enforcement created a dedicated cyber unit in 2017 to address the danger of emerging cyberthreats. Substantial financial penalties can be levied against companies by the SEC as the following examples demonstrate.

• TradeStation agreed to pay a $1.5 million penalty to settle charges for failure to register the offer and sale of a crypto project.
• BarnBridge DAO and its founders will pay over $1.7 million to settle charges filed due to the company’s sale of unregistered crypto securities.
• ShapeShift AG, a Swiss company that operated out of Colorado was fined $275,000 for acting as an unregistered online crypto asset trader.

The same level of penalties can be used by the SEC to punish companies that do not comply with disclosure rules.

Best Practices for Regulatory Compliance

Companies should implement the following best practices to comply with SEC breach disclosure regulations.

• Implement comprehensive incident response and disclosure plans that incorporate SEC requirements.
• Regular risk assessments should be conducted with data collected for use in annual disclosure requirements.
• Develop streamlined communication protocols that keep management informed of cybersecurity incidents.

Minimizing the Risk of a Data Breach

The most efficient way to comply with cybersecurity incident disclosure regulations is to avoid data breaches and security issues that require disclosure. The addition of an extended detection and response platform to a company’s existing cybersecurity stack provides an advanced and effective method of reducing the chances of a data breach.

Samurai XDR employs an advanced detection engine built on NTT’s Tier 1 internet backbone to provide a unique perspective and enhanced visibility of emerging cyberthreats. The platform offers features designed to identify threats to an IT environment before they can initiate attacks that lead to costly data breaches.

• Samurai XDR identifies anomalous behavior throughout the infrastructure with machine learning and advanced analytics. The information obtained by the platform allows security personnel to conduct threat-hunting exercises to proactively address risks.
• Many data breaches are perpetrated by advanced persistent threats (APTs) which attempt to remain undetected in an IT environment while searching for valuable targets. XDR identifies the subtle lateral movements through the infrastructure that often indicate the presence of an APT so the offending entity can be investigated.
• Samurai XDR consolidates and prioritizes threat information for streamlined and productive threat management. The platform allows a small team to manage threats without expending resources that can be used to support other aspects of the environment.

Samurai XDR's Starter Plan offers companies an excellent opportunity to see the power of XDR in action. The addition of this valuable tool to your cybersecurity measures puts your organization in a powerful position to minimize data breaches and avoid SEC disclosures.