Earlier this year, the Securities and Exchange Commission (SEC) announced new, stronger proposed regulations related to cybersecurity for public companies. The new requirements have not been formalized or authorized yet, but industry watchers expect movement in the coming months.
In the meantime, it’s a good idea to get ahead of the expected changes through an understanding of how this proposal may impact your cybersecurity posture. Once implemented, companies will face fines and other penalties for failing to comply with these requirements.
Here’s what you need to know about the SEC’s new cyber incident disclosure requirement, including proactive steps you can take now and network security tools that can ensure your company is in compliance with the potential incoming regulatory changes.
Why is the SEC introducing new cybersecurity regulations?
In simple terms, the SEC seeks to standardize the way cybersecurity incidents are reported and managed by public companies, including those in the financial sector. The new rules would create more accountability and establish consistent best practices related to these incidents.
In an announcement on March 9, 2022, the SEC explained that it was proposing amendments to existing rules to “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.”
SEC Chair Gary Gensler added, “…cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. … I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.”
Who will be impacted by the new SEC cybersecurity regulations? What are the specific regulations proposed by the SEC?
The proposed regulations include four key directives:
- Public incident disclosure within four days.
- Periodic required reporting related to cybersecurity policies, procedures, and expertise.
- Oversight by Boards of Directors of cybersecurity risk and management’s role and expertise in managing that risk, as well as the implementation of policies and procedures.
- New requirements for data protection, including minimum cybersecurity coverage and methodologies.
Further, the SEC is mandating that public companies:
- Establish written cybersecurity plans, policies, and procedures
- Review, document, and enforce access management best practices
- Deploy data protection policies and technologies
- Manage threats and vulnerabilities
- Implement cybersecurity incident response planning and recovery
- Report and disclose cybersecurity incidents
- Formalize cybersecurity responsibility and accountability
These guidelines fit neatly within the industry-recognized several core aspects of cybersecurity risk management (policies and procedures; access management; data protection; vulnerability management; incident response; reporting; and accountability).
The new rules impact investors, executives, boards of directors, and IT security teams.
What information will need to be disclosed under the new SEC cybersecurity regulations?
The SEC has laid out the following proposed guidelines related to disclosure. Companies will need to disclose:
- When a breach took place
- The status of the breach (whether or not it is ongoing)
- The nature and scope of incidents
- Information on stolen, accessed, altered, or unauthorized use of data
- The impact of the incident on business operations
- The status of the related incident response and remediation
Companies will need to disclose incidents where the confidentiality, integrity, or availability of “information assets” has been compromised. In other words, some incidents that weren’t malicious in nature may still need to be disclosed — for example, when private data is exposed as a result of employee error. Other disclosure triggers include:
- Malicious external attacks
- Unauthorized incidents that cause degradation, interruption, or loss of control or damage to a company’s operational technology system (including non-cyberattack activity such as the consequences of a natural disaster)
- Unauthorized access, theft, or the alteration of sensitive data (including personally identifiable information (PII), business plans, or intellectual property that results in loss or liability
- Ransomware incidents that result in stolen data being sold or otherwise distributed (or when a bad actor threatens this kind of activity)
- Ransom demands
Continuous reporting requirements under the new SEC regulations
Organizations impacted by the new regulations will need to provide periodic updates and previously disclosed incidents whenever a material change, addition, or update has occurred, in addition to the original disclosure within four business days of an incident. And, if a series of previously undisclosed, immaterial cybersecurity incidents becomes apparent at any point, companies will need to disclose these incidents in the next periodic report, as well.
The rules would also require public companies to provide details, on an ongoing basis, that “adequately describe the registrant’s policies and procedures, if it has any, for the identification and management of risks from cybersecurity threats.”
Preparing for the incoming SEC cybersecurity regulations with MixMode
The MixMode threat detection platform is uniquely positioned to empower organizations to adapt with the SEC’s new cybersecurity regulations. MixMode offers:
- Threat detection and prevention technology including automated tools and services, including SIEM that leverages third-wave AI to detect anomalous signals
- Vulnerability management for more robust discovery and remediation of malware, backdoors, communication with bot-nets, and malicious web content
- The ability to validate encryption of data in motion as it flows through the network environment
- Tracking capabilities that prioritize and remediate known vulnerabilities
- Tools for conducting penetration tests and IR table-top exercises to measure the speed and effectiveness of the programs and underlying tools, decreasing the MTTR (mean time to repair)
Enhancing your cybersecurity technology stack with the MixMode platform will provide a level of oversight, centralized management, and automation that will elevate legacy and second-wave AI cybersecurity solutions. Learn more about the MixMode platform and reach out today to set up a demo.