New SEC Cyber Security disclosure rules represent a paradigm shift in regulations

23rd August 2023

The US Securities and Exchange Commission's (SEC) new cybersecurity disclosure rules signify a substantial shift in the regulatory landscape, compelling businesses to recalibrate their approach to cybersecurity risk management.

The imperative of corporate cybersecurity has metamorphosed from a nice-to-have into an absolute must-have. The SEC have been forced to act because the organisations they regulate have consistently underreported losses stemming from cyber breaches. Historically, businesses have routinely underestimated the gravity of cybersecurity risks, but as the sophistication of cyber-attacks increases, so do the implications, reverberating across operations, reputation, and the bottom line.

Corporations' proactive strategies against cyber incursions now carry profound consequences for how these risks are managed, and the SEC has censured the consistent underreporting of consequential losses stemming from cyber breaches. The SEC has enacted measures that go beyond mere cognisance of cybersecurity vulnerabilities: firms are now obligated to confront these risks head-on, proactively overseeing them on behalf of stakeholders, and swiftly disclosing incidents.

The SEC's new disclosure rules mandate a culture of accountability and transparency. Following the lead of the Monetary Authority of Singapore and the UK’s Information Commissioner's Office, firms are now compelled to divulge significant cybersecurity incidents within four business days. However, the SEC have gone much further and will also require firms to periodically disclose their cybersecurity risk management, strategy, and governance within annual reports. This heralds a revolutionary regulatory pivot, requiring companies to substantially revise their approach to cybersecurity risk management, and it signals the escalating recognition of cybersecurity's integral role in robust corporate compliance.

The recently introduced Form 8-K Item 1.05 stipulates the disclosure of "material cybersecurity incidents," encompassing facets such as the incident's nature, scope, timing, and ramifications for operations, revenues, and even corporate valuations. In addition, the new Regulation S-K Item 106 mandates comprehensive disclosures about cybersecurity risk management, strategy, and governance. In practical terms, this means that from now on firms are required to delineate their methodologies for "assessing, identifying, and mitigating significant risks emanating from cybersecurity threats," including whether any such risks have adversely impacted or are likely to impact the entity.

This seismic shift from the SEC's prior regulatory framework underscores the pivotal obligation for companies to meticulously document their cybersecurity programmes. Whilst this might show clear leadership from a regulatory standpoint, it has the potential to provide a foundation from which to hold firms liable for inadequate risk management, a boon for the legal profession. At the same time, oversharing cybersecurity strategies and tools could hand the blueprints for a firm’s cybersecurity directly to the criminals wanting to exploit them. Fulfilling the requirements will therefore present formidable challenges.

The new disclosure rules bring with them a host of compliance challenges, the most striking of which is board accountability. Item 106 mandates a description of board oversight concerning cybersecurity risk, and of management's role in mitigating these threats. The SEC hopes that the new disclosure rules will compel boards to move from treating cybersecurity as mere regulatory paperwork to genuine board engagement.

It is with this in mind that Remora have developed a cybersecurity programme that enables firms to produce filings that strike an equilibrium between adherence to the rules and safeguarding against inadvertently divulging technical minutiae that cyber criminals might exploit. As a leading cyber incident response practitioner, Remora are well versed in the quandary of when, what, and even whether to disclose cyber threats, and have always worked on the principle that it is important not to inadvertently empower threat actors and thereby jeopardise remedial measures. Harmonising stringent compliance requirements with the safeguarding of sensitive information necessitates a judicious equilibrium, and Remora can help you achieve it.

Remora are also aware that conforming to these regulations will entail a significant resource allocation, demanding additional bandwidth from internal security teams. This work can be readily outsourced to Remora without impacting your ability to comply with the regulations.

Remora have the experience within the alternative investment space to help firms navigate their rethinking of cybersecurity compliance strategies. We have designed a cyber security programme that will enable firms to substantiate regulatory compliance while enhancing overall cybersecurity posture.