Preparing for the New SEC Cybersecurity Reporting Rules

Abstract: New SEC rules require public companies to report cyber incidents and detail cybersecurity governance. This blog explores how the rules change reporting, the need to involve leadership beyond just technology, and how Cymulate products can generate data to showcase strengthening defenses over time. A short read for executives on how to prepare for the upcoming requirements.

Table of Contents

The new SEC rules

Preparing to follow the new SEC rules

Defining process and people, not just technology

Cymulate can help

Beyond the new rules

In July of 2023, the US Security and Exchange Commission (SEC) announced the adoption of new rules around corporate reporting. While the SEC creating and altering rules is not unheard of, these new rules specifically relate to how an organization must report on both any cybersecurity incidents that have a “material impact,” and on the overall cybersecurity resilience of the organization even if no incidents take place during each annual reporting period.

First, a quick review of terminology. Harvard Law School, in an essay on the different versions of “materiality” defines the American idea of the term as:

“A substantial likelihood that a reasonable shareholder would consider it important in deciding how to vote,” or “a substantial likelihood that the disclosure of the omitted fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.”

This gives organizations a clear definition of what types of events the SEC is defining as having material impact – events which would, if known by a reasonable investor, be used in their decision-making over their investments.

The New SEC Rules

The SEC’s new rules create reporting requirements specifically around cybersecurity and cyber resilience for all organizations that are publicly traded in US exchanges (like the New York Stock Exchange and NASDAQ). Specifically, these requirements fall into two categories: reporting in the aftermath of a cybersecurity incident, and general information about the cyber resilience of the organization and its governance.

When an organization bound by these regulations suffers any cybersecurity incident that has a material impact, they must – within four business days – file Form 8-K to describe what occurred, and what impact that event is likely to have on the organization and its investors. Since not all information will be known within four business days of an event, the company must also file amended Forms 8-K when new information is available.  There is an exception to this rule: If the US Government agrees that such a filing would pose a risk to national security or pose a significant risk to public safety, the SEC will grant a deferment until those conditions are no longer in effect.

The second component of the new regulations is that organizations bound by it must report in their annual Form 10-K filling information about the cybersecurity governance and resilience of the organization.  This would be required even if the organization does not suffer a cybersecurity incident during the reporting year and includes components such as information about preparedness for cybersecurity incidents, board involvement in the cyber resilience process, and more.

As with any other official US Government filing, purposely supplying false or materially misleading information is a criminal offense. This means that leadership and board members will be very concerned about having everything correct before submitting the filings to regulators.

Preparing to Follow the New SEC Rules

As the rules go (primarily) into effect on December 15, 2023, organizations do not have a lot of time to prepare for the changes to their annual reporting. They must also prepare to file Form 8-K should an incident occur and do so relatively quickly – having only four days to react.  It is in the interest of all publicly traded organizations to prepare now for how they will meet the new reporting requirements later this year.

Defining Process and People, Not Just Technology

These new rules change how many organizations will think about cybersecurity.  Requiring reporting on the process an organization takes to defend against cyber threats – including “… reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents” is vastly different from traditional cybersecurity operations which work in a reactive methodology to block threat activity as it is encountered.  Organizations must define how a potential threat activity that is reasonably known about would impact their organization if it were to be targeted at them, including reporting on processes that would be used to limit damage or define impact.

Additionally, the new rules require annual reporting to “… describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.” In essence, the SEC is now requiring that business leadership, not just technical leadership, is involved in handling cybersecurity.  Senior leadership teams and the board can no longer consider cybersecurity as the sole responsibility of the technology divisions of the organization but must detail how they are personally involved.

Cymulate Can Help

Multiple products provided by Cymulate can aid in satisfying these new regulatory rules.  Using Attack Surface Management (ASM), Breach and Attack Simulation (BAS), and Continuous Automated Red Teaming (CART) all produce reporting that can be used to show how the organization is preparing for threat activity by testing their processes and technologies and remediating discovered weaknesses or gaps while also ensuring that any strengths are preserved and continue defending the organization.  By using these tools over time, organizations can show the effectiveness of cyber resilience programs, and the growth in defensive operations as the threat landscape changes.

Exposure Analytics is a valuable asset in preparing for annual report filing. By linking assets to business contexts, senior business leadership and the board (where required) can see the direct risk to business operations posed by cybersecurity operations, decisions, and actions against known threat activity. Risk scoring provides the ability to view how budgetary and process decisions impact the ability of the business to defend itself and highlight where operations could be disrupted, or critical data lost if key assets remain at high levels of risk for significant periods of time.  Conversely, steps taken to strengthen key areas of defense, modernize or remove legacy platforms, and other operations that strengthen resilience and reduce risk will also be visible for inclusion in these reports, categorized by business context and significance to the organization and its operations.

Beyond the New Rules

Cymulate products can assist in meeting the reporting requirements created by these new rules, but they can also assist in mitigating the fallout of information that becomes public as a result of the rules. If an organization suffers a novel attack, having documentation and data that shows that the organization was preparing for and defending against attack can be invaluable.  Investor and customer confidence can be bolstered if the organization can prove that they were doing everything they could to avoid the attack being successful, and ongoing security control validation with BAS and CART, combined with control of attack surfaces with ASM, can provide that evidence.

Reach out to a Cymulate representative or Partner and set up a demo or Proof of Concept to see how these products can help you on your journey through these SEC rule changes. We’re here to help.

Contact us