The Securities and Exchange Commission (otherwise known as the SEC) proposed some new rules earlier this year that cover a variety of areas near and dear to cybersecurity people. These include cyber risk management and incident disclosure by public companies in the US. The SEC’s requirements often set the tone for startups and other companies that imagine they may be public one day, and lead to knock-on effects in other companies too.
So what do the rules cover? A variety of topics; I’ve listed some below. You can find a more legalistic deep dive from Gibson Dunn here, if you are so inclined.
- Require current reporting about material cybersecurity incidents on Form 8-K. Form 8-K is used to disclose what are called “material events” that affect the company. These can include acquisitions or the resignation of a member of the board of directors. They now also include cybersecurity events, such as a breach. This makes sense, because information is considered material if it is reasonable to expect that the disclosure of that information will impact the company's stock price. Do stocks go down (or even sometimes up) after cybersecurity events? Oh yes they do!
- Require periodic disclosures regarding a variety of cybersecurity issues, including:
  - Policies and procedures to identify and manage cybersecurity risks.
  - Management’s role in implementing cybersecurity policies and procedures.
  - Cybersecurity expertise on the Board of Directors.
  - The Board’s oversight of cybersecurity risk.
  - Updates on previously reported material cybersecurity incidents.
This is definitely a big deal and will improve the visibility of cybersecurity, at least across public companies in the US. The SEC specifically mentioned “underinvestment in cybersecurity safeguards by smaller organizations” as one of the motivating factors for the new requirements. Let’s hope other regulators are inspired to step in.