SEC Tightens Reporting Requirements for Cybersecurity Incidents & Controls

As different industries become more interconnected through the internet, additional concerns and threats also begin to surface. Cybersecurity incidents can quickly create news headlines, and even impact stock prices, company reputation, and customer retention. As such, specific governmental agencies and organizations have developed key frameworks, rules, and guides to protect businesses and individuals from the impact a cybersecurity incident could have on them, and the greater industry in which they operate. It’s a global movement with regulators around the globe updating reporting guidance.

Recently the U.S. Securities and Exchange Commission (SEC) acted to update the Small Entity Compliance Guide with key cybersecurity requirements. The guide, which is intended to help small entities comply new reporting requirements, adopted key changes on July 26, which impact the cybersecurity posture of millions of companies within the United States. It is pivotal that the organizations impacted by these changes understand their new responsibilities and how to address them. Organizations may need to comply with the changes as soon as next month. The guide, which is intended to help small entities comply with the beneficial ownership information reporting rule, adopted key changes on July 26, 2023, which impact the cybersecurity posture of millions of companies within the United States. It is pivotal that the organizations impacted by these changes understand their new responsibilities and how to address them.

The Changes, Explained

Key changes to the compliance guide create additional requirements and actions which impacted organizations must take to stay compliant with the SEC. Specifically, two main components have been added to the guide surrounding disclosure of incidents and disclosure of cybersecurity risk management, strategy, and governance. Adding these two requirements to annual disclosure attestations provides the SEC with a better understanding of how an incident at an organization may impact the company, as well as the overall industry, while providing an understanding of the cybersecurity controls in place to prevent potential future incidents.

Regarding the disclosure of a cybersecurity incident within an organization, companies are now required to provide notice of an incident to the SEC through the filing of Item 1.05 Form 8-K with the agency. While the filing itself does not require thorough technical analysis of the incident, key required elements provide the SEC with an understanding of the incident’s impact. Specifically, the impacted organization must provide information surrounding “material aspects of the nature, scope, and timing of the incident; and the material impact or reasonably likely material impact on the registered organization, including the financial condition of the company and results of operations.”

Rapid Reporting of Incidents

Most importantly, organizations only have four business days, post incident recognition, to file the Item 1.05 Form 8-K. This rapid filing requirement demands organizations quickly assesses the potential impact of the incident and maintain the appropriate staffing or capabilities to articulate the surrounding context. As such, it is more pivotal than ever that organizations embrace, implement, and monitor their cybersecurity controls and policies. To do this successfully, most organizations will need to rely on additional aid from managed security providers (MSPs) to ensure that each incident is appropriately identified, contextualized, and filed appropriately with the SEC.

New Annual Reporting Requirements

While incident notification is a key update to the new SEC reporting requirements, the new changes also require applicable registrants to provide annual submissions describing their cybersecurity risk management and strategy. This disclosure will describe the process for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for “a reasonable investor to understand the processes.” Additionally, the disclosure will describe whether any risks from cybersecurity threats have materially affected, or are reasonably likely to materially affect, the registrant. This yearly reporting requirement demands a lot from companies to meet the disclosure. Specifically, organizations will need easily accessible, clearly written, and strategically proven security processes, procedures, and governance documents. Furthermore, organizations are required to describe all affiliated procedures relating to corporate board and management’s oversight of cybersecurity risks and threats, to include notification procedures and processes. Much of this key information is resident in affiliated corporate governance, often developed with the aid of a robust internal security team or an appropriate MSP.

The updated SEC rule requirements require a lot from corporations. Specifically, many of the required attestations necessitate well developed, thoroughly contextualized, and strategically proven cybersecurity policies, procedures, and governance documentation. These items are traditionally found in organizations with an advanced approach to cybersecurity and often with the input of seasoned cybersecurity professionals, many of which can be found in BlueVoyant’s Professional Services team.