Prepare Your Organisation For New SEC Cybersecurity Regulations

On July 26, 2023, the Securities and Exchange Commission (SEC) announced the coming adoption of new regulations requiring public companies to disclose relevant cybersecurity incidents within four business days, providing annual disclosures about their cybersecurity risk management and governance.

These new rules, most of which take effect from December 18, 2023, are designed to enhance and standardise the approach and disclosure of cybersecurity risks and incidents. While this process will aid the cybersecurity landscape in general, the main thrust for these new rules comes from investors who seek more detailed information regarding cybersecurity risks prior to investing in these public companies. 

These rules also require companies to tag their disclosures with Inline Extensible Business Reporting Language (XBRL), a standardised format for reporting financial information, in order to make the disclosures more machine-readable and easier to analyse.

Key Takeaways

While these new regulations are set mainly to affect public companies, every organisation should consider their own cybersecurity posture in the light of these changes.

1. Disclosure of Material Cybersecurity Incidents

Incidents must be disclosed within four business days of confirming their significance, based on a fast and circumstances analysis. The determination considers both quantitative and qualitative factors with no requirements for specific technical details if it hinders the response. 

However, in cases of national security risk, the disclosure deadlines may be extended by the U.S. Attorney General, and the requirements for specific details may be amended. 

2. Annual Cybersecurity Risk Management, Strategy and Governance Disclosure

These companies must annually disclose this information in their annual reports on Form 10-K. This disclosure should include information about the company’s processing for assessing, identifying and managing serious risks from cybersecurity threats. As well as the board of directors’ oversight of cybersecurity risks and management’s role in assessing and managing these risks. 

3. Structured Data Requirements

Cybersecurity disclosures must be tagged with Inline XBRL. This means that companies must provide their disclosures in a standardised format that is easily machine-readable and, therefore, easier to analyse.

4. Compliance Dates 

These rules come into effect on different dates depending on the type of required disclosure. However, organisations must comply with most rules by December 18, 2024. 

5. Implications 

These new rules are a significant step forward in enhancing cybersecurity disclosures and improving transparency for investors. Therefore, these new rules work to bring cybersecurity stance and effectiveness into a public company's value estimation when being considered by investors for the very first time. 

Alongside general profitability and predicted growth, investors will now also consider a company’s cyber defence strategy and effectiveness in this realm as a key value metric to consider, forcing C-Level executives to take cybersecurity seriously, something many CISOs have struggled to achieve for many years. 

“For many CISOs, their day consists of constantly justifying their teams’ value to the C-suite and the board while also filling security gaps caused by any staffing shortfalls.” - Splunk

Vaultree: Innovative Solution Partners

In light of these new regulations, Vaultree and FFDUE™ emerge as powerful solution partners, able to aid organisations in navigating these demands effectively.

Enhanced Risk Management and Strategy

Vaultree and FFDUE’s commitment to enhanced cybersecurity ensures that organisations are provided with a robust, all-encompassing strategy to safeguard against cyber threats. Vaultree’s technology guarantees persistent encryption, even during a breach. This improves risk management capabilities while ensuring C-level executives can confidently oversee cybersecurity risks.

Value Estimation Enhancement

The integration of Vaultree’s solution into an organisation’s data security infrastructure adds a new dimension to a company’s value estimation. Investors, under these new regulations, can now assess a company’s cybersecurity stance and effectiveness. This shift places cybersecurity at the forefront of value metrics, urging C-level executives to prioritise and invest in robust cybersecurity measures.

In conclusion, Vaultree and FFDUE provide comprehensive solutions that not only help companies meet SEC cybersecurity disclosure regulations but also elevate their overall cybersecurity posture, making them more attractive and trustworthy to investors.