In July 2023, the US Securities and Exchange Commission (SEC) adopted new rules that raise the bar for cybersecurity disclosures by public companies. The incident-reporting rules took effect for most registrants on December 18, 2023; smaller reporting companies were given an additional 180 days, so their SEC cyber disclosure obligations began in June 2024. The annual-report disclosures apply to all registrants for fiscal years ending on or after December 15, 2023.
“Proactive cyber mitigation strategies are critical when it comes to cybersecurity. Start with the fundamentals like identifying and patching vulnerabilities, implement endpoint detection and response, enable multi-factor authentication, quarterly cyber awareness training for employees, implement an Incident Response plan to include notification, etc. Most importantly, regularly test your cybersecurity posture and measure it over time with metrics.” – Tab Bradshaw, Chief Operating Officer, Redpoint Cybersecurity
The rules require businesses to report a material cybersecurity incident on Form 8-K (or Form 6-K for foreign private issuers) within four business days of determining that the incident is material. Note that the clock starts at the materiality determination, not at the moment the incident occurs or is discovered, and the SEC expects that determination to be made without unreasonable delay. The rules also require organizations to describe their cybersecurity risk management, strategy, and governance in their annual reports on Form 10-K (or Form 20-F for foreign private issuers).
Failure to file on time, or disclosures that are misleading or incomplete, can lead to SEC enforcement actions. For this reason, you must understand these requirements and how they apply to your business.
Why Are The SEC Cyber Disclosure Requirements In Place?
The SEC cybersecurity disclosure requirements were implemented to ensure that public companies promptly inform investors about material cybersecurity incidents. This initiative aims to standardize reporting practices across companies, thereby aiding investors in making well-informed decisions.
A material cybersecurity incident is one that a reasonable investor would consider important when making an investment decision, for example because it significantly affects the company’s operations, financial condition, or reputation. Such an incident typically involves unauthorized access to information systems or damage to data or systems. Materiality is judged on the facts of each case, and a series of related smaller incidents can be material in aggregate.
By mandating these disclosures, the SEC seeks to enhance transparency regarding how companies manage and mitigate such risks. Having this transparency also encourages organizations to improve their overall cybersecurity strategy.
Who Needs to Follow SEC Breach Reporting Requirements?
Companies that file reports with the SEC, including foreign private issuers, are required to follow the SEC’s breach reporting requirements. In other words, any company that is publicly traded in the US is subject to these requirements, regardless of where it is headquartered.
What Types of Incidents Are Subject to SEC Data Breach Notification Requirements?
Unauthorized Access to Information Systems
Incidents where unauthorized individuals gain access to a company’s digital systems pose a substantial risk to the confidentiality, integrity, and availability of sensitive data. Companies must report these incidents when the impact is material, that is, when it could affect the company’s financial condition or results of operations or would matter to a reasonable investor’s decision.
Data Loss
Loss of data, whether through accidental deletion or through a cyber attack, qualifies for reporting when it materially affects the company’s operations or reputation. With 26% of businesses reporting losses of between $250,000 and $500,000 from data loss in 2022, investing in safeguards against data loss serves you better than merely preparing to report it.
Ransomware Attacks
Ransomware attacks are subject to SEC reporting if they materially disrupt a company’s ability to conduct business or result in significant financial losses. Most ransomware attacks cause one or both, so plan on the assumption that a ransomware event will be reportable. Paying the ransom, or restoring operations before the four-day clock runs out, does not remove the obligation to make a materiality determination.
Unauthorized Disclosure of Confidential Information
The unintended release of confidential information to unauthorized parties must be reported if the disclosure could materially affect investor decisions or the company’s market value.
Zero-Day Attacks
These incidents exploit vulnerabilities for which no patch or fix was available at the time of the attack, so the organization had no way to close the hole in advance. While zero-day exploitation is always a concern, it must be reported to the SEC only when the resulting incident is material, for example because it allowed unauthorized access to sensitive information or significantly impaired critical operational functions.
SEC Cybersecurity Checklist For Filing Reports
For Form 8-K or Form 6-K
| Item | What to include |
| --- | --- |
| Description of Incident | Describe the material aspects of the nature, scope, and timing of the incident, including when it was discovered and whether it is ongoing. Investors need to understand the nature of the threat and its potential impact. |
| Impact Assessment | Outline the material impact, or reasonably likely material impact, on your company’s financial condition and results of operations. This helps investors gauge the severity of the incident and its potential effect on their investments. If some of this information is not yet known when you file, say so and file an amended Form 8-K within four business days of determining it. |
| Response Actions | The rule does not require you to disclose technical details of your response, remediation, or the vulnerabilities involved, and you should not disclose anything that would impede your response. Describe the incident and its effects at a level that informs investors without giving attackers a roadmap. |
| Delay of Disclosure (if applicable) | Disclosure may be delayed only if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing. The initial delay is up to 30 days and can be extended by a further 30 days; in extraordinary circumstances a final extension of up to 60 days is possible. Absent such a determination, the four-business-day deadline stands. |
For Form 10-K or Form 20-F
| Item | What to include |
| --- | --- |
| Cybersecurity Risk Overview | Describe your processes for assessing, identifying, and managing material cybersecurity risks, and state whether any risks from cybersecurity threats, including past incidents, have materially affected or are reasonably likely to materially affect your business, strategy, or financial condition. |
| Risk Management Strategies | Explain how your company mitigates cybersecurity risk, including whether the processes are integrated into overall risk management, whether you engage assessors, consultants, or auditors, and how you oversee risks from third-party service providers. |
| Governance & Oversight of Cybersecurity Risks | Explain your cybersecurity governance structure, including the board of directors’ oversight of cybersecurity risk (and any committee responsible for it) and management’s role and relevant expertise in assessing and managing that risk. Transparency about governance practices can boost investor confidence in your cybersecurity posture and management’s accountability. |
Make Sure Your Cybersecurity Posture Is Up to Standard Before You Need to File a Report
No one expects an incident. However, even if you have full confidence in your cybersecurity controls, you need to know that you are ready to assess materiality and file a report within four business days if it ever comes to that. You might think you are, but it is easy for something to slip by without an outside professional review.
Redpoint Cybersecurity has over 30 years of combined military-grade cybersecurity experience. We’re used to protecting highly-guarded national assets, so we’re confident that we can help you. We’ll take a look at your security posture to assess your readiness and then provide practical advice on how you can enhance it.
Contact us today to get started.