In an increasingly interconnected world, where information flows freely across the digital landscape, the importance of cybersecurity cannot be overstated. Recognizing the ever-growing threat of cyberattacks and data breaches, the Securities and Exchange Commission (SEC) has recently adopted new rules that will have a significant impact on public companies and foreign private issuers.
These rules require registrants to disclose material cybersecurity incidents and provide detailed information about their cybersecurity risk management, strategy, and governance. In this article, we will explore these new SEC cybersecurity requirements and discuss their implications for businesses and Managed Service Providers (MSPs).
On July 26, 2023, the SEC officially adopted rules that mandate the disclosure of material cybersecurity incidents by public companies. This disclosure must also encompass material aspects of the incident, such as its nature, scope, timing, and its impact on the registrant.
SEC Chair Gary Gensler emphasized that the goal is to make cybersecurity disclosures more consistent, comparable, and decision-useful for both companies and investors. This move aims to benefit all stakeholders in the market.
Under these new rules, registrants are required to disclose material cybersecurity incidents under a new reporting item, Item 1.05 of Form 8-K. This disclosure must occur within four business days of determining that a cybersecurity incident is material. However, there is a provision for delayed disclosure in cases where immediate reporting would pose a substantial risk to national security or public safety, as determined by the United States Attorney General.
Public companies are now tasked not only with ensuring robust cybersecurity measures but also with promptly reporting and detailing any significant incidents. This means they must have a clear understanding of what constitutes a material cybersecurity incident and the capability to assess its nature and impact accurately.
The new rules also introduce Regulation S-K Item 106, which requires registrants to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats. They must also disclose the material effects of these risks and their previous cybersecurity incidents. This extends to describing the oversight of cybersecurity threats by the board of directors and the role and expertise of management in managing these risks.
MSPs have a crucial role to play in helping public companies comply with the SEC’s new cybersecurity requirements.
Many companies rely on MSPs to manage their IT infrastructure, including cybersecurity measures. It is imperative for MSPs to be well-versed in these regulations to assist their clients in understanding and meeting their obligations.
MSPs can assist by:
The SEC’s new cybersecurity requirements mark a significant shift in how public companies and foreign private issuers must approach and disclose cybersecurity incidents and risks. Managed Service Providers have a pivotal role in helping their clients navigate these new rules. It’s essential for businesses to collaborate with their MSPs to ensure they are well-prepared to meet these requirements, protecting not only their own interests but also those of their investors and the broader market.
For guidance and assistance in complying with the SEC’s new cybersecurity regulations, don’t hesitate to contact us at Digital Crisis. Our experts are ready to help you safeguard your business and meet the new disclosure requirements effectively.