In the last week of July 2023, the United States Securities and Exchange Commission (SEC) announced its adoption of new guidelines relating to the disclosure of cybersecurity incidents. This comes at a time when cyber attack incidents and consequent financial losses are at an all-time high, calling for increased awareness at all levels.
The new guidelines require companies, both public and private, to disclose information regarding security incidents including details of their risk management, strategy, and governance measures. The update aspires to enhance and standardize disclosures by organizations that are subject to the reporting requirements of the Securities Exchange Act of 1934. With this, the onus is now on companies to provide their investors with relevant, accurate and timely information, enabling them to make informed decisions.
What is the SEC?
The SEC is an independent agency of the US federal government, created after the 1929 Wall Street crash to enforce the law against market manipulation. Its operations are five-fold:
- Inform and protect investors – Provides alerts to caution investors about emerging scams along with educational bulletins.
- Facilitate capital formation – Compiles small business resources and fosters engagement with financial technology innovators.
- Enforce federal securities laws – Secures court orders to stop violations, obtains disgorgement of illegally obtained funds, and imposes civil penalties.
- Regulate securities markets – Oversees fair markets by regulating market participants like self-regulatory organizations.
- Provide data – Maintains an open data program and APIs for aggregating financial data, and reports on active broker-dealers.
Why is this a Critical Development?
Cyber attacks, network intrusions, supply chain attacks, and ransomware incidents have become commonplace. The financial sector, industrial sector, and federal governments are among the top categories that have borne the brunt of such attacks. According to research, the global average cost of a data breach reached $4.45 million in 2023 – an all-time high, reflecting a 15% increase over the last three years.
Consequently, cybersecurity governing bodies worldwide have become extremely vigilant in the enforcement of cyber policies. In keeping with this, the US government enacted the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) in March 2022, requiring organizations to report cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA). The intention behind these efforts is to spot attack patterns, render assistance to victims and warn potential targets.
The rules recently adopted by the SEC aim to enhance transparency and accountability by requiring companies to disclose both specific incidents and their broader cybersecurity strategies, emphasizing the importance of these issues to investors. They also underscore the increasing importance of cybersecurity considerations in the broader landscape of corporate governance and reporting.
What does this mean for your Organization?
The latest rules put the responsibility on organizations to keep their investors informed of any relevant breaches or data loss issues, in specified formats.
How to comply with the new rules?
- Breach information should be conveyed to investors within four business days of the incident investigation.
- Companies must provide annual insights into their security measures, efforts into risk management, and overall cyber strategy.
- Periodic disclosures must be presented in Inline eXtensible Business Reporting Language (Inline XBRL) within stipulated time periods.
Consequences of Failure to Comply with the New SEC Rule
Failing to abide by the SEC’s rules can result in legal complications and fines. Adhering to the new rules is a must in order to retain existing investors and attract new ones. In 2023 the SEC filed 784 enforcement actions, ordered $5 billion in financial remedies, and distributed $1 billion to harmed investors. The actions spanned the securities industry, covering billion-dollar frauds and threats to crypto investors involving asset securities and cybersecurity. Those charged ranged from public companies to social media influencers, and the actions included measures protecting investors and whistleblowers.
Some instances where the SEC’s rules were enforced:
- ABB Ltd., a global technology company, agreed to pay a $75 million civil penalty to resolve charges arising out of an alleged bribery scheme.
- Vale S.A., a mining company and one of the largest iron ore producers in the world, was required to pay $55.9 million combined in a civil penalty, disgorgement, and prejudgment interest to settle charges of allegedly false and misleading disclosures about the safety of its dams prior to a collapse that killed 270 people.
- Goldman Sachs & Co. LLC paid a $6 million penalty to resolve the SEC’s charges for failing to provide complete and accurate securities trading information, known as blue sheet data.
What can Organizations Expect?
Complying with the new SEC rules might require organizations to change the way they have been practicing cybersecurity so far. Companies need to up their game in identifying, assessing, and managing security risks that could affect investors. Here are some influential factors that might affect future organizational practices:
- Adopt a stringent process for identifying, maintaining, and reporting cybersecurity risks and events.
- Consider the risks involved in working with or using third-party resources, especially those having investor or client relationships.
- Reevaluate the preparedness of all organizational teams in reacting to security incidents of all magnitudes.
- Strike a balance when disclosing security incidents that could be of importance to investors: disclose enough detail to avoid legal repercussions, while ensuring the disclosure itself creates no additional risk to the company.
It is also important to note that the rules adopted by the SEC are not exclusive to US companies; they also apply to foreign private issuers. This means that companies based outside the US that are listed on US exchanges are subject to SEC reporting requirements and must comply with these disclosure rules as well.
What does this mean for Investors?
The new SEC rules aim to strengthen the position of investors, pushing them to be completely “aware” of what they are investing in. The compulsory rule to disclose cybersecurity incidents by companies means that investors will now be aware of any significant breach or incident that could impact their strategic decisions. The annual disclosure of cybersecurity information can provide investors with insights into how a company is addressing and managing cybersecurity risks.
In an interesting twist, the BlackCat (AlphV) ransomware group filed a complaint with the SEC against its own victim, MeridianLink, a US provider of a lending system and digital credit platform for financial institutions, for not keeping the SEC informed of the intrusion!
Let Us Move Towards Responsible Cybersecurity
The importance of transparent and prompt cybersecurity incident disclosure cannot be overstated in the rapidly evolving digital landscape. Embracing a culture of disclosure not only safeguards organizations but also fosters trust among stakeholders, customers, and the wider community. The interconnected nature of today’s cyber infrastructure demands a collaborative effort in fortifying defenses. As organizations navigate the complexities involved, they should prioritize the disclosure of incidents and embrace regulations not just as mandates but as essential tools in building the resilience of their security strategies.