SEC’s cyber rules soon in play – brace for turbulence.

December 14, 2023
1 min read
  • Contentious cybersecurity regulations issued by the U.S. Securities and Exchange Commission (SEC) are coming into effect, requiring public companies to disclose material cybersecurity incidents and their cyber risk management processes.
  • The Department of Justice (DOJ) published guidelines on how companies can seek a delay in reporting a material cyber incident (an exemption from the immediate-disclosure deadline) where disclosure would harm national security or public safety.
  • The cybersecurity firm CrowdStrike and the consulting firm Deloitte are advising companies on the hardest parts of preparing for the new rules.

The SEC regulations, which have drawn criticism from industry groups and Republicans, take effect on December 18 and require public companies to report a cyber incident to the SEC within four business days of determining that the incident is material (smaller reporting companies get an additional 180 days before the incident-reporting requirement applies to them). The stated purpose of the rules is to give investors timely, consistent information. In their annual reports to the SEC, companies must now also describe how they assess, identify, and manage cyber risk, and how the board and management oversee it. The point firms are struggling with most is deciding when an incident is “material,” i.e., meaningful to a reasonable investor; the four-day clock starts at that determination, not at the intrusion itself, so the materiality process has to be defined and documented in advance.

The DOJ’s guidelines on disclosure delays are also noteworthy. A company may request a delay if the incident involves a technique for which there is not yet a well-known mitigation and disclosure would invite further attacks, if the victim primarily handles sensitive government information, if disclosure would interfere with remediation of an attack on critical infrastructure, or if disclosure would reveal sensitive details about government efforts to counter the threat. A delay must be sought before the disclosure deadline, so an organization that expects to qualify needs a channel to the government (typically through the FBI) ready before an incident occurs.

Experts believe that a company’s cybersecurity disclosure committee or council will be central to navigating these rules. The council should include legal, business, and technical representatives and must be able to convene quickly during an incident, because the materiality determination has to be made “without unreasonable delay” once the facts are known. On compliance, most organizations will be playing catch-up as they stand up this structure for the first time, so the transition is likely to be bumpy.

The rules take effect amid a spike in activity from a botnet known as the “KV-botnet,” operated by a Chinese state-sponsored hacking group, which compromises end-of-life small-office and home-office network devices and IP cameras. The botnet uses unsupported products from major U.S. manufacturers, such as Cisco and Netgear, to relay and conceal its traffic. Its activity has raised concerns about the risk to critical U.S. infrastructure, and an intrusion routed through such devices is exactly the kind of event a disclosure committee may have to assess for materiality.
