The U.S. Securities and Exchange Commission (SEC) has implemented a new rule requiring public companies to report cybersecurity incidents within four business days. The clock does not start when the breach occurs or is discovered: the rule, which went into effect on Monday, requires a company to decide “without unreasonable delay” whether an incident is “material,” and then to disclose it on Form 8-K within four business days of that determination. Materiality turns on the incident’s impact on the company’s financials, operations, or relationships with customers. Smaller reporting companies have an additional 180 days to comply with the incident-reporting requirement. Companies must also describe in their annual reports how they assess, manage, and oversee cybersecurity risk. The responsibility of assessing the financial impact of a breach will likely fall on CFOs and CISOs. Industry experts stress the importance of CFOs understanding cyber risk and working closely with CISOs to address and manage it.
Some companies may struggle to determine what constitutes a material cybersecurity incident and to respond within the four-business-day reporting window. Materiality considerations involve assessing the nature, extent, and potential magnitude of the breach, as well as its impact on reputation, customer relationships, and talent. Companies are advised to establish cybersecurity response teams drawn from IT, legal, the CFO, the CISO, and other relevant departments to handle the entire process, from incident identification and the materiality decision through response and disclosure.
The new SEC rules are expected to have a significant impact on the cybersecurity industry, since companies are likely to increase spending on security products and services. Worldwide spending in this sector is projected to reach $219 billion in 2023 and rise to nearly $300 billion in 2026, according to industry research firm IDC. Analysts at Wedbush also consider the SEC rules a potential game changer for the cybersecurity industry.