Does Your MSP Know About the New SEC Cybersecurity Requirements?

In an increasingly interconnected world, where information flows freely across the digital landscape, the importance of cybersecurity cannot be overstated. Recognizing the ever-growing threat of cyberattacks and data breaches, the Securities and Exchange Commission (SEC) has recently adopted new rules that will have a significant impact on public companies and foreign private issuers. 

These rules require registrants to disclose material cybersecurity incidents and provide detailed information about their cybersecurity risk management, strategy, and governance. In this article, we will explore these new SEC cybersecurity requirements and discuss their implications for businesses and Managed Service Providers (MSPs).

Understanding the SEC’s New Rules

On July 26, 2023, the SEC officially adopted rules that mandate the disclosure of material cybersecurity incidents by public companies. This disclosure must also encompass material aspects of the incident, such as its nature, scope, timing, and its impact on the registrant. 

SEC Chair Gary Gensler emphasized that the goal is to make cybersecurity disclosures more consistent, comparable, and decision-useful for both companies and investors. This move aims to benefit all stakeholders in the market.

Under these new rules, registrants are required to disclose material cybersecurity incidents under a new reporting item, Item 1.05 of Form 8-K. This disclosure must occur within four business days of determining that a cybersecurity incident is material. However, there is a provision for delayed disclosure in cases where immediate reporting would pose a substantial risk to national security or public safety, as determined by the United States Attorney General.

The Implications for Public Companies

Public companies are now tasked with not only ensuring robust cybersecurity measures but also with the responsibility of promptly reporting and detailing any significant incidents. This means they must have a clear understanding of what constitutes a material cybersecurity incident and the capability to assess its nature and impact accurately.

The new rules also introduce Regulation S-K Item 106, which requires registrants to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats. They must also disclose the material effects of these risks and their previous cybersecurity incidents. This extends to describing the oversight of cybersecurity threats by the board of directors and the role and expertise of management in managing these risks.

The Role of Managed Service Providers (MSPs)

MSPs have a crucial role to play in helping public companies comply with the SEC’s new cybersecurity requirements. 

Many companies rely on MSPs to manage their IT infrastructure, including cybersecurity measures. It is imperative for MSPs to be well-versed in these regulations to assist their clients in understanding and meeting their obligations.

MSPs can assist by:

  1. Risk Assessment and Management: MSPs can help companies assess and manage the risks associated with cybersecurity threats. This includes identifying vulnerabilities, implementing preventive measures, and having a plan in place for incident response.
  2. Incident Reporting: MSPs should work closely with their clients to ensure they have a clear process for identifying and reporting material cybersecurity incidents. This includes understanding what information needs to be disclosed and when.
  3. Governance and Oversight: MSPs can collaborate with the board of directors and management to ensure proper oversight of cybersecurity risks. They can help establish best practices and governance structures to meet the SEC’s requirements.
  4. Compliance and Reporting: MSPs should assist in preparing the necessary disclosures and reports required by the SEC. This includes making sure that the information provided is accurate and complies with the regulations.

Stay Ahead of Changing Regulations

The SEC’s new cybersecurity requirements mark a significant shift in how public companies and foreign private issuers must approach and disclose cybersecurity incidents and risks. Managed Service Providers have a pivotal role in helping their clients navigate these new rules. It’s essential for businesses to collaborate with their MSPs to ensure they are well-prepared to meet these requirements, protecting not only their own interests but also those of their investors and the broader market.

For guidance and assistance in complying with the SEC’s new cybersecurity regulations, don’t hesitate to contact us at Digital Crisis. Our experts are ready to help you safeguard your business and meet the new disclosure requirements effectively.
