Against the backdrop of constant cyber attacks on corporations of all sizes, last week the U.S. Securities and Exchange Commission (SEC) introduced new cybersecurity disclosure rules to ensure greater transparency and accountability for publicly traded companies.

These new rules aim to modernize the existing disclosure framework, aligning it with the evolving cyber threat landscape and emphasizing the significance cybersecurity risks pose for companies, executives, boards of directors, customers, and shareholders alike. 

Key Components of the New SEC Rules  

Central to the revised rules is an emphasis on materiality. Companies are now required to disclose any cybersecurity incident they determine to be material and describe the material aspects of the nature, scope, and timing of the incident within four business days of that incident occurring. 

In addition to having to disclose details of actual cybersecurity incidents they experience, public companies are asked to place an increased focus on the disclosure of material risk factors related to all their cybersecurity practices. Specifically, companies are encouraged to provide more comprehensive and granular disclosures outlining the specific risks they face, the potential impact on stakeholders, and their strategies for managing and mitigating those cyber risks.

And finally, recognizing the pivotal role boards of directors have in overseeing cybersecurity risks, the SEC will also now require companies to divulge the level of management’s “role and expertise in assessing and managing material risks from cybersecurity threats,” offering investors valuable insights into the importance a company’s leadership places on cybersecurity practices. 

Challenges and Potential Concerns for the New SEC Rules

While the new SEC cybersecurity disclosure rules offer new levels of transparency, some challenges and concerns have emerged. 

  1. Smaller public companies with limited resources may face challenges in complying with the detailed disclosure requirements. The SEC has acknowledged this concern and encourages companies to adopt a risk-based approach to determine the level of disclosure appropriate for their size and risk profile.
  2. Organizations may also be challenged to strike the right balance between providing sufficient information on their cybersecurity practices and safeguarding trade secrets that are essential to securing their business. As an example, companies may not want to disclose the nature of the tools, security partners, or other security practices out of concern those very details could be used against them by threat actors. 

Both Investors and Companies Will Benefit  

While some companies do have concerns about the impact the additional reporting burden may have on their operations, the introduction of these updated cybersecurity disclosure rules will bring several benefits for both companies and investors.

First, by mandating detailed disclosure of material cybersecurity risks and incidents, the rules promote greater transparency. This allows the public to make more informed investment decisions, with confidence that companies (and their management teams) have taken the steps needed to mitigate modern cyber threats. The standardization of disclosure requirements will also foster comparability, allowing investors to easily compare the cybersecurity practices of different companies and better assess the relative cyber risks associated with their investments.

Second, because the new rules prompt businesses to proactively address cybersecurity risks and develop robust risk management strategies, public companies that may currently have lax cybersecurity practices will be forced to place increased emphasis on cybersecurity preparedness, which over the long term will strengthen their defenses against threats and better protect the data of their customers.

Moving forward, it is essential for companies to proactively embrace these rules and prioritize cybersecurity as an integral part of their operations. Likewise, investors must remain vigilant in scrutinizing cybersecurity disclosures to make well-informed investment decisions. 

As cyber threats continue to evolve, the SEC's commitment to updating and refining cybersecurity disclosure requirements will remain vital in ensuring that businesses stay ahead of potential risks. Through continued collaboration between regulatory bodies, businesses, vendors, and investors, we as an industry can collectively bolster cybersecurity transparency, fostering a safer and more secure digital environment for all stakeholders involved.


Originally published on the Arctic Wolf blog, August 1, 2023
