Saturday, 20 January 2024

What's in the new SEC Rules - December 2023!!

The Securities and Exchange Commission (SEC) requires public companies to report data breaches and hacks within four business days of discovery. Companies must disclose cyber security incidents on a Form 8-K filing. 

The SEC also requires companies to disclose information annually about their cybersecurity Strategy, Governance and Risk Management. The SEC directs companies to use the securities-law definition of materiality, under which information is considered material if a reasonable investor would attach importance to it, for example when making an investment decision.

The SEC's new rules are intended to clarify the expectations around breach disclosure and its timelines. They improve the disclosure of cyber security incidents and require companies to document their Governance, Risk Management and Compliance. They empower consumers to act quickly, build greater trust in businesses and protect investors.

  • New SEC rules effective in December 2023 require publicly-traded U.S. organisations to disclose material cybersecurity incidents and address management of cybersecurity risks annually.
  • The rules aim to enhance breach-related disclosures, requiring a Form 8-K report within four days of determining the materiality of an incident, detailing its nature, scope, timing, and material impact.
  • Organizations are not obligated to provide excessive technical details, but they must prioritise improved crisis communications so that incident materiality can be determined without disclosing confidential information.
  • These new rules should serve as a warning to organisations that do not have an incident response plan, or that do not review it regularly.
  • Organizations can request a delay in reporting an incident to the SEC if the disclosure would present a significant risk to national security or public safety; this involves consulting the technical teams and following the guidelines of the Department of Justice.
  • Engaging with the Cybersecurity & Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) during such incidents does not trigger the four-day rule, and it also aids business continuity and recovery and provides insights.

Compliance with the SEC rules aligns with best practices, potentially making organisations less susceptible to cyber incidents and more attractive to investors. Similar to the SEC rules, the upcoming Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) will set a deadline of 72 hours for reporting cyber security incidents that impact critical infrastructure. The new SEC reporting requirements complement other U.S. incident response regulations, emphasising the importance of taking security maturity and risk management seriously.
