The Securities and Exchange Commission (SEC) has introduced a groundbreaking cybersecurity measure that represents an extensive endeavor by the United States government to enforce cybersecurity protocols.
Whether your association is with a publicly traded company, you handle data from such entities, or you provide services to them, this new regulation will undoubtedly have a profound impact on your operations.
Understanding the New SEC Disclosure Rule
Effective from September 5, 2023, the newly implemented SEC Disclosure Rule mandates the following key aspects:
- Every publicly traded company in the United States is required to file Form 8K to the EDGAR database within four days of identifying or becoming aware of a cybersecurity incident that significantly impacts their operations.
- The United States Attorney General holds the authority to grant a reporting delay of up to 30 days, extendable for an additional 30 days, if the cybersecurity incident poses a threat to public safety or national security.
- In specific cases with a substantial risk to national security, an additional 60-day reporting extension may be allowed.
- Publicly traded entities are entrusted with determining whether a cybersecurity incident bears a material impact on their operations or valuation. If deemed significant, they are obligated to disclose the nature, scope, timing, and repercussions of the incident.
Repercussions for Non-Publicly Traded Businesses
The SEC, equipped with robust investigative capabilities, is responsible for enforcing this rule and determining penalties for violations. In contrast to the FTC Safeguards Rule, which outlines specific penalties and regulations, the SEC's disclosure rule operates within a more flexible framework, encompassing the definition of a "material impact" and the subsequent actions taken by the agency. In the most severe instances, federal investigators might take measures to secure documents and devices if your involvement is suspected in a cybersecurity incident impacting a publicly traded company or if your business is identified as the source of a data breach.
Unintended Inclusion in SEC Investigations
Several scenarios could unwittingly lead your business into the scope of an SEC investigation:
- A franchisee of a national corporation faces a data breach that exposes clients' personal financial data.
- A shipping company falls prey to a pretexting attack that leads to fraudulent orders redirecting significant resources to malicious actors.
- A conference planning agency's breach exposes sensitive attendee data.
- A marketing agency's servers are compromised, divulging confidential technical specifications of a client's upcoming product.
- A law firm's emails are breached, revealing details of patent filings and legal disputes involving clients.
- A medical practice's wireless network is breached, enabling hackers to steal the private health information of corporate executives.
- A mortgage brokerage's file transfer system compromise reveals property valuations of referrals.
- A corporate website breach exposes administrative credentials.
Categorization of these scenarios into three main groups:
- Data breaches revealing customer data owned by a client.
- Hacking attacks unveiling a client's proprietary information, internal data, or intellectual property.
- Credential theft or the compromise of protected personal information impacting a client's leadership or personnel.
Even minor incidents, such as a phishing attack revealing your email contacts, can hold significance if it aids hackers in launching targeted assaults on your clients. Pretexting attacks diverting payments, essential materials, or finished goods with a notable impact on a client's sales could also qualify as material. Ransomware attacks disrupting a client's services and operations could be deemed substantial.
While the obligation to report cyber incidents lies with publicly traded entities, their ability to comply relies on cooperation from vendors, franchisees, partners, and service providers. Be aware that if your business is linked to a cyber incident jeopardizing a client's operations, you might come under investigation, with your cybersecurity protocols under scrutiny. The publicly traded company will face SEC penalties, your client relationship will suffer, and your reputation will be tarnished.
Dealing with the SEC is undesirable due to the length, disruption, and financial burden of investigations. Publicly traded corporations will likely demand accountability from partners, vendors, and assurances – possibly legally binding ones – about the reporting of cybersecurity incidents. For non-publicly traded businesses, compliance may entail:
- Documentation of prevailing cybersecurity standards, encompassing incident monitoring and security updates.
- Records of employee training methods related to cybersecurity.
- Written strategies for promptly reporting cybersecurity incidents to affected clients.
- Comprehensive plans for responding to and mitigating cyberattacks, including an evaluation of data compromise or potential third-party breaches.
Expect requests for this documentation from clients, along with potential demands for additional nondisclosure agreements (NDAs) outlining specifics of cyber incidents, potentially integrated into service contracts or contract amendments.
Understanding the Rationale Behind the FTC's Addition of This Reporting Rule
The SEC's introduction of this disclosure rule is underpinned by two primary motivations. Firstly, echoing several law enforcement agencies, the SEC recognizes that cybercrime is underreported. By expanding its authority to cover this domain, the SEC aims to enhance reporting compliance, discouraging businesses from discreetly paying ransoms or downplaying minor cyber breaches.
Secondly, the SEC identifies shortcomings in current reporting practices, where cybersecurity incidents are grouped with other business challenges. The standardized reporting format empowers shareholders to gauge the frequency and severity of cybersecurity incidents, providing them with an additional criterion for evaluating investment opportunities.
Furthermore, with a broader unspoken objective, the disclosure rule puts anyone connected with a publicly traded company on alert that their interactions with clients are subject to federal scrutiny. This likely aims to encourage widespread adoption of cybersecurity best practices across all U.S. enterprises, creating hurdles for cybercriminal activities. In essence, it represents the most significant effort by the U.S. government thus far to establish cybersecurity as a fundamental element of business operations.
Enforcement of the Cyber Incident Disclosure Rule by the SEC
The manner of enforcement remains uncertain, given the SEC's tendency to address violations on a case-by-case basis. Typically, the SEC issues warnings initially for first-time offenders or minor breaches around the introduction of new regulations. However, for significant breaches or repeated violations, extensive investigations with substantial penalties tend to follow. This may lead to a surge in demand for services, with providers struggling to keep up and companies scrambling to find assistance. Taking this matter seriously now, assessing your needs, and seeking professional cybersecurity support, if necessary, is recommended.
It's noteworthy that compliance with the new disclosure rule does not mandate the involvement of an experienced or certified professional to oversee or report cybersecurity incidents. Most small businesses can manage compliance independently or with the assistance of a Virtual Chief Information Security Officer (VCISO).