- The U.S. Securities and Exchange Commission (SEC) adopted new cybersecurity regulations which will take effect on December 15, 2023, impacting publicly listed companies but also some private companies.
- A mandatory cyber-incident reporting requirement comes into effect: publicly listed companies are expected to disclose material cybersecurity incidents in Form 8-K filings within four business days. Companies must also provide information about their cybersecurity risk management and governance, and about the board’s proficiency in cybersecurity.
- While the rules primarily target public companies, private companies should also be vigilant: a cyberattack on a third-party vendor could have a material impact on a public company, and the SEC has indicated a willingness to impose cybersecurity regulations beyond public companies.
- Companies are recommended to involve senior stakeholders in creating cybersecurity policies, conduct regular cybersecurity awareness training, plan for cyberattacks as they are inevitable, apply cybersecurity policies to all vendors, and conduct regular risk assessments.
The U.S. Securities and Exchange Commission (SEC) has introduced new cybersecurity regulations that primarily target publicly listed companies but also have implications for private companies. The move is a response to the continually evolving cyber threat landscape.
Under the new regulations, publicly listed companies are required to disclose material cybersecurity incidents within four business days in Form 8-K filings. They also need to reveal their cybersecurity risk management and governance expertise in annual Form 10-K and Form 20-F filings.
Despite not being explicitly mandated, companies are expected to furnish information about their board members’ proficiency in cybersecurity. This is vital as it determines the company’s ability to manage cyber threats and oversee cybersecurity operations.
Even though these rules are specifically intended for public companies, private companies should stay informed. A cyberattack on any third-party vendor associated with a public company could lead to a material impact on that company. The SEC has also demonstrated readiness to enforce cybersecurity regulations beyond public companies, so private companies should keep up to date with cybersecurity regulations as well.
Responding to these complex and evolving cybersecurity challenges requires every organization to approach the issue comprehensively. Crucial steps organizations can take to manage cybersecurity risk effectively include involving senior stakeholders (CISO, CIO, CFO, GC/Auditor) in creating cybersecurity policy, training and testing employees frequently on cybersecurity awareness, investing robustly in cyber resilience, and planning meticulously for cyberattacks, which are inevitable.
The new cybersecurity regulations stipulate that the board must oversee an organization’s cybersecurity operations diligently while concurrently focusing on the company’s growth and health. A holistic approach to understanding the regulations, preparing for compliance, and balancing cybersecurity risks with growth initiatives can help a company thrive in an increasingly digital landscape.
Furthermore, given that the new rules require disclosure of the board’s expertise in cybersecurity, board members should consider taking external cybersecurity readiness courses to obtain certification credentials.