Understanding and addressing new SEC cybersecurity rules

The Securities and Exchange Commission (SEC) on July 26 released final cybersecurity rules requiring public companies to disclose details on material incidents as well as cybersecurity risk management, strategy, and governance information. While many larger public organizations likely already have processes and resources in place to meet these requirements, emerging and middle market public companies may need to make structural and cultural changes to enhance or adopt cybersecurity oversight, management, and reporting processes to comply with the final rules.

The new rules come in response to an unrelenting cybersecurity environment, with more complex and challenging threats on the horizon. For example, 20% of respondents in the 2023 RSM US Middle Market Business Index Cybersecurity Special Report claimed their company experienced a data breach in the last year, and our team has seen breach activity escalating in recent months. In addition, 68% of survey respondents anticipate unauthorized users will attempt to access data or systems this year.

With attack methods continuing to evolve amid the increasing use of emerging technologies, including artificial intelligence, investors need to understand how threats and incidents can influence a company’s value. And this can be promoted through more consistent and clear reporting.

Determining materiality can be a challenge, as there is no specific guidance about what a quantifiable trigger is.

The impact on the company should be considered against quantitative and qualitative factors, including how a reasonable investor would view the incident.

Harm to a company’s reputation, customer or vendor relationships or competitiveness may be examples of material impact on the company, according to the final rules. The possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities, may also constitute a reasonably likely material impact on the registrant.

The final rules describe information as material “if ‘there is a substantial likelihood that a reasonable shareholder would consider it important’ in making an investment decision.” This is consistent with the standard set out in cases addressing materiality in securities laws.

Meeting the demands of these rules requires an effective incident response program and cybersecurity risk management capabilities. The program should include plans to respond to and determine the materiality of specific incidents and provide details for how to respond to specific scenarios such as ransomware. Detailed threat simulations, or tabletop exercises, can provide practice with the plan and familiarize individuals with their defined roles within the program. A security monitoring strategy can also leverage technology to consolidate alerts across the organization. 

In addition, a managed security operations center can identify and escalate incidents to your security and SEC reporting teams in a timely manner.

The key to compliance

Compliance with the final SEC cybersecurity rules will require a differing level of effort, depending on the extent to which a company has developed its cybersecurity and risk management processes. While the challenge may seem daunting to companies without comprehensive cybersecurity capabilities and incident response programs in place, compliance is achievable.

Ultimately, creating a holistic and sustainable cybersecurity risk management program that involves clear, consistent reporting, as well as increased oversight and involvement from the board, can help your company stay in compliance with SEC guidelines and protect it against material risks that could threaten the company.