- It can be difficult to comply with the many, frequently conflicting requirements; nonetheless, the main goal should be developing and implementing an efficient cyber-risk management program that goes beyond checking boxes on compliance checklists.
- Firms and businesses need to make sure that best practices are implemented throughout the organization to prevent cyberattacks and that they have a proper response strategy in place to stop or quickly remediate real threats when they are attacked.
Overview Of The New Rules
According to the new regulations, issuers must report cybersecurity events that the organization deems to be significant. This criterion is comparable to the materiality requirement under U.S. securities regulations for other 8-K disclosures. Issuers must disclose the incident’s significant effects on the company’s operations and financial condition. Disclosures must be filed within four business days after a corporation determines that it has had a significant cyber-incident.
Critics counter that four days is insufficient to confirm a breach, comprehend its implications, and organize notifications. Furthermore, there has been a lot of confusion about what constitutes a material incident.
Additionally, U.S.-listed corporations will need to include cybersecurity risk management and governance information in their annual Form 10-K and Form 20-F filings, including the board’s competence in and supervision of cybersecurity risks. These disclosure requirements will be in effect for fiscal years ending on or after December 15, 2023.
Not Just For Public Companies
Although the SEC cybersecurity regulations are directed at publicly traded corporations, most public companies depend on several smaller third-party software and supply chain companies, and a cyberattack at any point along that supply chain might have a major impact. Therefore, whether they are publicly traded or not, these third-party businesses ought to become acquainted with the new rules.
Under the direction of Chair Gary Gensler, the SEC has adopted a steadfast enforcement strategy that extends beyond public companies and registrants such as investment advisers. For instance, in a recent case and lawsuit involving the private law firm Covington & Burling, the SEC sought the names of clients affected by a 2020 cyberattack on the firm.
Compliance Reminders
The complexity and seriousness of the risk associated with cybersecurity must be taken into account from the perspectives of business risk, technology, reputation, and regulatory compliance. There isn’t a method that works for everyone. However, there are a few important measures that all businesses ought to think about:
- Boards of directors should bring the top stakeholders in cyber-risk management into their organizational structure.
- It should be clear that every cybersecurity architecture must include training and testing as essential elements.
- Businesses must make investments in cyber-resilience and preparedness for cyber-threats.
- Threats must no longer be viewed as a surprise but rather as inevitable or expected, which requires a mental shift.
- Planning the business, preparing the supply chain, and planning for continuity are crucial.
- All third-party vendors should be subject to the same cyber rules, processes, and practices.
- Regular risk assessments, a response strategy, and recovery plans are essential components of cyber strategies, policies, and procedures.
- To maintain compliance with all relevant rules and laws, businesses must regularly update their cybersecurity policies and procedures and verify their efficacy.