New SEC Rule Requires Cyber Incident Reporting for Publicly Traded Companies, US


New SEC Regulation Requires Publicly Traded Companies to Report Cyber Incidents

A new rule from the Securities and Exchange Commission (SEC) is set to transform the way publicly traded companies handle and report cyber incidents. Scheduled to go into effect on September 5, 2023, this rule represents a significant attempt by the United States government to mandate cyber security. If you own or work at a publicly traded business, handle data provided by such a company, or simply supply them, this new regulation will have an impact on your operations.

What exactly does this new SEC disclosure rule entail? According to information provided by the Federal Bureau of Investigation (FBI), publicly traded companies will be required to determine whether a cyber incident has a material impact on their operations or valuation. If a cyber incident is deemed to have such an impact, the company must disclose the nature, scope, timing, and potential or actual consequences of the incident.

Even if you don’t own a publicly traded business, this rule could still affect you. The SEC, armed with investigative powers, will determine the penalties for non-compliance. Unlike the Federal Trade Commission’s (FTC) Safeguards Rule, which has clearly defined penalties and regulations, the SEC disclosure rule leaves some aspects open to interpretation. This includes what constitutes a material impact and how the agency will follow up on incidents. In the worst-case scenario, federal investigators could come knocking on your door if you are believed to be responsible for a cyber incident that affected a publicly traded company or if your business is identified as the source of a data breach.

It’s important to understand that being ensnared in an SEC investigation is something no business wants. These investigations can be lengthy, disruptive, and costly. It’s highly likely that publicly traded companies will hold their vendors and partners accountable for any cyber incidents and demand assurances that incidents will be reported. Non-publicly traded businesses may also find themselves subject to compliance requests, such as providing documentation on their cybersecurity measures.

Anticipating questions around enforcement, it is difficult to predict the exact strategy the SEC will employ. Historically, the SEC has dealt with violations on a case-by-case basis, often issuing warnings for first-time offenders or minor breaches. However, for substantial breaches or repeated violations, extensive investigations with significant penalties have been launched. In such cases, there will likely be a surge in demand for cybersecurity services, leaving providers struggling to keep up.

So why has the SEC introduced this disclosure rule? Firstly, it aims to address the issue of underreported cyber crime. By extending its authority into this realm, the SEC hopes to compel businesses to improve their reporting and eliminate the practice of quietly paying ransoms or downplaying cyber intrusions. Secondly, the SEC believes that existing reporting practices do not provide shareholders with sufficient information. The new rule ensures that shareholders have visibility into the frequency and severity of cyber incidents, allowing them to make more informed decisions.

In a broader sense, the SEC’s disclosure rule serves as a warning to anyone involved with publicly traded companies that their interactions will come under federal scrutiny. This is intended to promote the adoption of cyber security best practices across all U.S. businesses, making it harder for criminals to carry out successful attacks. It represents the most significant effort to date by the U.S. government to establish cyber security as an integral part of business operations.

Compliance with the SEC disclosure rule is essential for publicly traded companies, and non-compliance can have substantial consequences. It is advisable for businesses to take cybersecurity seriously, evaluate their needs, and seek professional support if necessary. By doing so, companies can ensure that they are prepared for the implementation of the new rule and avoid potential penalties and reputational damage.

Shreya Gupta
Shreya Gupta is an insightful author at The Reportify who dives into the realm of business. With a keen understanding of industry trends, market developments, and entrepreneurship, Shreya brings you the latest news and analysis in business. She can be reached at shreya@thereportify.com for any inquiries or further information.
