Are You Prepared to Comply with the New SEC Cybersecurity Rules?

A cybersecurity breach can significantly impact a company's stock value. A 2019 study by Bitglass found that publicly traded companies lost an average of 7.5 percent of their stock value after a security incident, and that it took an average of 46 days for the share price to recover. A security breach is therefore a risk to investors, not just to the company's IT department.

The Securities and Exchange Commission has addressed this risk with new rules requiring public companies to disclose "material" cybersecurity incidents on Form 8-K (Item 1.05). A company must determine whether an incident is material without unreasonable delay after discovering it, and then file the 8-K within four business days of that materiality determination. Note that the clock starts at the materiality determination, not at discovery, which is why the SEC also insists that the determination itself not be dragged out.

That is a tall order for many companies. When the SEC first proposed the rule, many public companies objected that four days would not give them enough time to gather the necessary information, and that publicly disclosing a breach before it was fully contained could let the attackers expand their access. The SEC adopted the rules anyway, with one narrow concession: disclosure may be delayed if the U.S. Attorney General determines that it would pose a substantial risk to national security or public safety. The rules became effective on Sept. 5, 2023, and most companies must report incidents under Item 1.05 for incidents on or after Dec. 18, 2023 (smaller reporting companies have until June 15, 2024).

Details of the New Requirements

Under the new rules, a cybersecurity incident is defined broadly as "an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein." The definition does not require that sensitive data be compromised: a ransomware outbreak or denial-of-service attack that disrupts operations, halts production or reduces revenue is an incident even if no data leaves the network.

A material incident is one that a reasonable investor would consider important in making an investment decision, the same standard used elsewhere in securities law. An incident that harms the company's reputation or customer relationships may be material even if the immediate financial impact is relatively modest. Companies should continue to reassess incidents that were not initially found to be material, because their status can change. For example, a series of related minor incidents, such as repeated intrusions by the same actor, might become material when considered as a whole.

The report must give investors a sense of the incident's scope. Under the final rule this means describing the material aspects of the incident's nature, scope and timing, and its material impact (or reasonably likely material impact) on the company, including its financial condition and results of operations. In practice that covers when the incident was discovered, whether it is ongoing or has been contained, and whether data was accessed, stolen or otherwise compromised. The rule does not require technical detail about the company's response or the specific systems involved, and companies should avoid volunteering information that would help an attacker who is still in the network.

Annual Reports Also Required

Incident reporting gives investors only a snapshot of what has gone wrong. To provide the bigger picture of overall risk, public companies must also describe their cybersecurity risk management, strategy and governance in their annual reports (Regulation S-K Item 106). This covers the company's processes for assessing, identifying and managing material cybersecurity risks, whether those processes are integrated into overall risk management, and the use of third-party assessors or service providers. On governance, the report should describe how the board of directors oversees cybersecurity risk, which management roles or committees are responsible for it, the relevant expertise of those people, and how they are kept informed about and monitor incidents.

Additionally, the report should describe how those processes address incident response, recovery and business continuity, and state whether any cybersecurity risks, including risks arising from previous incidents, have materially affected or are reasonably likely to materially affect the company's business strategy, operations or financial condition. Public companies must include these disclosures in their annual reports for fiscal years ending on or after Dec. 15, 2023.

How DeSeMa Can Help

E-discovery and audit-log tools play a key role in rapid response to security incidents. They supply the context needed to triage and prioritize security alerts, automate many of the steps needed to contain a threat, and preserve the evidence (mailbox activity, file access, sign-in records) needed to reconstruct what happened and when. That same evidence is what identifies the root cause of an incident, so the organization can remediate the underlying weakness rather than just the symptom and avoid a repeat.

Many organizations are paying for third-party e-discovery tools they may not need. The DeSeMa team can tune the e-discovery and audit-logging features already included with Microsoft 365 or Google Workspace to support the reporting the SEC requires. If the organization does have to go through discovery, we are a third-party audit organization and can perform forensics on the affected systems themselves.

To describe the nature, scope and timing of a material incident, as the new SEC rules require, a company has to be able to answer concrete questions: how long the attackers were in the network, which systems they reached, and roughly how many records were taken. Answering them depends on having retained the right logs before the incident and knowing how to analyze them afterwards. DeSeMa has extensive experience and a large toolset we can bring to bear to help organizations meet these requirements.

In our next post, we’ll explain some of the ways we actually fight back against attackers.

Get Started Today!