Public companies must prepare to meet higher standards for cybersecurity.
The SEC recently issued a rule requiring public companies to disclose when they fall victim to a material cyber attack. Companies will also have to file annual disclosures about their cybersecurity risk profile.
As cyber attacks become more common and costly, it’s important for businesses to be forthcoming about their cyber risk. This fact along with inconsistent public company reporting of cyber events compelled the SEC to mandate public companies to disclose material attacks in Form 8-K filings within 4 days of the incident being discovered along with a better appreciation of the company’s cyber risk environment.
What Requirements are in the New Rule?
The requirements fall into two categories:
- Incident Disclosure – Within 4 days of a cybersecurity incident being discovered that has a “material” impact, companies must report what happened, when/how it was discovered, who was affected and how, and what remediation is underway, among other details. All this information enters the public record.
- Yearly Reporting – Once a year, companies must file a Form 10-K report outlining their cybersecurity risk assessment program, highlighting how it aligns with strategy and planning, and what third party experts it includes.
What Does This Mean for Public Companies?
Many companies already disclose breaches and report on their security environment but not to the level the SEC expects for proper investor evaluation.
The new SEC rule will require all companies to act quickly in the wake of a cyber incident. Gathering the required information within a four-day window means starting immediately after discovery and working methodically from there. Companies will need to assess whether they have the staff and tools to understand incidents in a matter of days. Investing the time now in developing a cyber incident policy is paramount.
Closely related, companies will need to review their entire approach to cyber risk before, during, and after an attack. Reporting on cybersecurity activities will be the easy part. Much harder will be managing cyber risk effectively, month after month, even as new threats and vulnerabilities emerge.
The new SEC rule means new compliance and reporting requirements which require immediate attention.
How Do You Become Compliant?
The first step will be to perform a gap analysis between current practices and those required by the SEC. That will, in most cases, be followed by a systematic effort to close gaps. Otherwise, companies expose themselves to compliance penalties, legal action, and reputational damage—not to mention increased exposure to cyber attacks.
Public registrants will need to comply with the new annual disclosures for fiscal years ending after December 15, 2023, excluding small reporting companies that have until fiscal years ending after December 15, 2024. Incident reporting will be effective 90 days after the date of publication in the Federal Register or December 18, 2023 (later of). For small reporting companies 270 days after publication in the Federal Register or June 15, 2024 (later of).
Beyond just boosting cybersecurity, companies will need to rethink how cyber risk affects every facet of the organization. The team at Dean Dorton, with expertise spanning from cybersecurity to board oversight, is your resource for getting the new SEC rule right.
The deadline for compliance is fast approaching. Contact Dean Dorton to put a plan in place.