With the rapidly increasing number of cyber threats, the U.S. Securities and Exchange Commission (SEC) has released new guidelines to help public companies protect their data and investors. The new guidelines would require public companies to file periodic disclosures about their cybersecurity practices and notify the SEC within 96 hours of a material breach. Let's look at how these regulations can help protect companies from cybercrime.
The SEC's new guidelines, released in May 2022, outline a set of Disclosure Controls and Procedures (DCP) that public companies must follow when filing periodic reports. The DCP includes the company's cybersecurity risk management program, risk assessment processes, incident response plan, and cyber insurance policies. Companies must also disclose any "material" cybersecurity events that could hurt the company or its investors.
The new rules, issued by SEC Chair Gary Gensler earlier this year, replace the previous guidelines on handling and disclosing cyber risk. Companies must disclose data breaches within 96 hours, along with information about management's and the board's oversight of cybersecurity risks, the company's cybersecurity policies and procedures, and how cybersecurity risks and incidents are likely to affect the company's financials. The SEC also released a fact sheet to help streamline the process.
According to the Global Digital Trust Insights report from PwC, only 9 percent of the respondents feel confident that they can effectively meet all disclosure requirements — even as pressure mounts from regulators to report cyber incidents. In Europe, for instance, the European Union Agency for Cybersecurity (ENISA) requires critical service providers to report to national authorities in the event of any significant cybersecurity incident.
The U.S. Securities and Exchange Commission is considering a rule requiring publicly held companies to disclose their cyber risk management, strategy, governance, and “material” cyber incidents. Proposed U.S. Cybersecurity and Infrastructure Security Agency (CISA) rules, mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) signed into law last March, would require critical infrastructure organizations to report major cyber attacks and breaches within 72 hours and report within 24 hours any ransomware payments they make.
Given the rising number of cyber-attacks, public companies must have robust security protocols. The new regulations help ensure that all public companies implement cybersecurity measures that meet industry standards. Additionally, they provide greater transparency for investors to make more informed decisions when investing in a company. A vital element of these new regulations is that companies must report any material breach to the SEC within 96 hours of discovering it, whether or not the breach has been remediated by then. This transparency allows regulators to investigate any suspicious activity quickly, reducing the risk of further damage or loss. It also makes it easier for investors to assess a company's security posture before making an investment decision.
The new guidelines require that publicly traded companies provide periodic disclosures about their cybersecurity preparation and implementation plans, along with updates on any material breaches they experience during the reporting period. These reports will give investors an accurate picture of how well-prepared a company is to handle potential cyber threats and of any vulnerabilities in its systems or networks. In addition, they allow investors to gauge whether management is taking adequate steps to protect company assets and customer information.
By following these five steps, public companies can ensure compliance with the SEC's new cybersecurity disclosure regulations and protect their data and investments from cyber threats. Security has never been a one-and-done responsibility; it must be treated as an area for continuous investment, automation, training, and improvement.
The new guidelines released by the SEC ensure that publicly traded companies take appropriate measures to protect themselves against cyber threats and investor interests. By requiring reporting obligations and timely notification requirements, these regulations will help create greater visibility into a company's preparedness against emerging cyber risks while providing investors with more confidence when deciding where to invest their money. These regulations are critical for helping maintain trust between businesses, customers, and investors alike in today's digital world.