Effective mid-December 2023 (or “affective” depending on your perspective and circumstances), the Securities and Exchange Commission (SEC) released its final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, first introduced on July 26, 2023.
The use of “effective vs. affective” was pondered here because a public company’s response to this new ruling will largely depend on the maturity of its cyber risk program, coupled with any known cyber events that previously occurred and caused material damage. In short, this regulation will likely elicit a dismissive shrug from those public companies with an effective cyber risk program in place, but should serve as a wakeup call for organizations unprepared to meet this new directive.
Why was this Ruling Introduced?
The reason this new ruling was put into effect is expressed by SEC Chair Gary Gensler, who issued the following statement: “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
This new regulation mandates that public companies disclose material cybersecurity incidents when they occur and they must also disclose material information annually regarding their cybersecurity risk management, strategy, and governance processes.
What is Meant by “Material” and How does the Disclosure Process Work?
This ruling only impacts public corporations or companies with customers who are public entities, and “material” implies any cyber event that could cause an investor to lose financial confidence in that public corporation. SEC registrants will be required to notify the SEC within 96 hours (four days) if the cyber event was material and disclose this information on the new Item 1.05 of Form 8-K.
The new rules also require that registrants describe their internal processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.
In addition, it requires registrants to describe their board of directors’ oversight responsibility related to risks from cybersecurity threats, along with management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant’s annual report on Form 10-K.
How Can the SEC Effectively Enforce this New Regulation?
As is frequently the case, regulatory enforcement, especially with new rulings, is the big elephant in the room. The overarching goal of regulatory bodies responsible for compliance oversight in any industry is to be able to demonstrate that mandates are enforceable.
Having over 30 years of experience in the IT security industry and using history as a guide, it’s reasonable to assume that companies with household names will attract the most attention from SEC regulators, especially during the early enforcement of this new regulation. However, this does not mean lesser-known public companies will be immune to SEC oversight.
SEC regulators will likely adopt a tried and proven method to promote compliance by using the media as their platform to make examples of high-profile companies that experience a cyber event. The widespread negative publicity that accompanies these thoroughly scrutinized breaches puts all organizations on alert across the board.
While there are countless examples to support the effectiveness of this approach, a few of the more notable breaches and fraudulent behavior that drew massive public attention over the years include Home Depot, Facebook, Microsoft, Sony, Target, Yahoo!, T.J.Maxx and Enron.
How Will this New Ruling Impact Your Organization?
As a point of reference, annual revenues of public companies generally range from around $250M up to hundreds of billions of dollars. When cyber breach losses occur at larger public entities like those mentioned above, there may be a few hundred million dollars in jeopardy and a dip in stock price.
However, when these penalties are put into proper context, hundreds of millions of dollars assessed in fines against annual revenues in the billions represent a relatively minor loss of under one percent. And while the company’s stock price may take a hit in the short term, it typically returns to previous levels over time.
But what if your firm falls into one of the lower revenue categories? Do you have the fiscal reserves to absorb such a loss? Do you have cyber insurance to mitigate the damage, and even if you do, how will that affect ongoing insurance costs? What if the breach were to occur with Q4 online sales in the balance during the holiday season, when 80% of your revenue is realized?
Or worse yet, and this is a paramount concern of the SEC, what if the breached corporation were in the midst of a merger or acquisition, where such a breach could jeopardize the transaction or greatly reduce the company’s valuation?
Conclusion
Perhaps the most critical question to ask here is how many of these public entities, especially on the lower end of the revenue spectrum, have adequate cybersecurity programs in place? Establishing an effective risk mitigation process requires the deployment of governance, risk and compliance (GRC) software that provides the ability to:
- Identify, monitor and track risks through the mitigation life cycle to help prevent cybersecurity events;
- Properly detect, contain, eradicate, document and recover from cyber incidents.
Implementing an automated, repeatable, and scalable cyber risk management practice gives organizations of any size the ability to effectively evaluate any material or non-material cyber event and deliver a demonstrable, measured response. With proactive cybersecurity processes in place, you’re able to:
- Establish best practices internally and validate you meet regulatory compliance;
- Mitigate breach exposure and minimize or potentially eliminate material damage;
- Avoid incurring penalties resulting from non-compliance.
Why SimpleRisk?
SimpleRisk offers a comprehensive GRC and Incident Management platform that was purpose-built by a security practitioner for security professionals, enabling organizations of any size or industry in the public or private sector to establish a comprehensive, effective cyber risk management practice without breaking the bank.
With nearly 100,000 downloads of its free and open source product, SimpleRisk Core, and some of the largest global companies using the commercial version of SimpleRisk, its award-winning GRC platform has proven to be:
- Simple – Designed so that anyone can use the system, promoting wide adoption;
- Effective – Ability to identify, prioritize, track and mitigate any type of risk;
- Affordable – Unlimited users with the strongest ROI in the GRC space, bar none.
If you’d like to learn how SimpleRisk integrates governance, risk management and compliance together in a way that’s easily digestible by both security practitioners and business stakeholders alike, we offer several options:
- Download SimpleRisk Core and install it in minutes to begin utilizing our free and open source platform.
- Start a 30 Day Trial for free unlimited access to your own dedicated instance of SimpleRisk with all of the SimpleRisk Extras.
- Schedule a Demo for a live demonstration of the application, covering topics such as using SimpleRisk to manage your risks, governance, compliance, risk assessments, incidents and reporting.
- View a recorded demo where CEO and SimpleRisk creator, Josh Sokol, covers all of SimpleRisk’s functionality, various use cases and pricing in 40 minutes.