New SEC Cybersecurity Ruling: What You Need To Do Now

If you are a public company subject to the reporting requirements of the Securities Exchange Act of 1934., listen up. The Security and Exchange Commission (SEC) just released a new controversial disclosure requirements. 

This blog will answer any questions you may have about the new disclosure requirements and lay out what enterprises need to do now to maintain compliance. 

What is the SEC’s Ruling? 

The SEC’s ruling for public companies subject to SEC reporting requirements(referred to as “registrants”) took effect  September 5,. 2023. Some of the specific reporting requirements, such as including cybersecurity incidents in annual reports,  take effect on specific dates ranging from December 15, 2023 to December 15, 2024. In short, public enterprises will be required to disclose material incidents within four days. In addition, they’ll be required to reveal how they detect and address incidents while describing board oversight. 

Per the new rules, registrants will now be required to: 

1. Disclose “material” cybersecurity incidents within four business days and describe its nature, scope, timing, and material or likely material impact.
2. Disclose processes for assessing, identifying, and managing material risks from cybersecurity threats.
3. Describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks.
4. Include cybersecurity incidents in annual reports 
5. Present cybersecurity disclosures in Inline eXtensible Business Reporting Language (“Inline XBRL”) as of December 15, 2024.

Is the Ruling Positive or Negative? 

As with most new rules or laws, it depends on who you are. Reactions to the recent ruling have been all over the map. Perhaps one of the largest pushbacks is that four days is not enough time for many enterprises to confirm a breach, let alone understand its impact and coordinate notifications. 

Others believe that any move the SEC makes to increase transparency and communication is a good one. 

What Classifies as “Material” Under the New Ruling?

Perhaps the most significant point of contention and confusion around the new ruling is now to define what classifies as “material.” 

The definition of “material” may largely depend on the industry. For example, the timelines could differ when comparing a breach in the supply chain versus intellectual property theft. This has yet to be more clearly defined by the SEC, but enterprises will likely require greater explanation as December 15th gets closer.

What YOU Need to Do Now

1. First, if you are a large enterprise, recognize that this affects smaller companies too that you may be using as third-party vendors. If they are subject to a cyberattack, the trickle-down effect on your business could still require action on your part. 
2. Ensure you are prepared to report within four days if a breach occurs within your organization (hint: most companies are not!). 
3. Identify and address how vulnerabilities and breaches are currently identified, as well as reporting mechanisms. Make adjustments to allow for compliance with the four-day rule. 
4. Ensure you work with a highly qualified managed IT services provider.

Are you a large enterprise with questions about how the new SEC ruling may affect your current cybersecurity practices? Make sure you have an IT professional in your corner. Contact PK Tech, and our team can help.