What is the new cybersecurity reporting law?
The US Securities and Exchange Commission's (SEC) primary directive is to protect investors. It regulates the disclosure of market information to promote fair dealing and prevent fraud. For example, publicly traded companies must file Form 10-K at the end of each fiscal year. The form requires a complete account of the company's risks, liabilities, corporate agreements, operations, and market performance. This information keeps investors informed about the internal and external forces that may affect a company's value.
Events such as a factory fire or a labor strike belong on Form 10-K because they affect a company's financial and operational viability and may change its strategic direction. Under the new SEC cybersecurity rules, public companies must disclose a material cybersecurity incident within four business days of determining that it is material. They must also describe, in their annual report, their cybersecurity risk management, strategy, and governance.
What is the New Cybersecurity Reporting Law?
The SEC adopted its final cybersecurity disclosure rules (Release No. 33-11216) in July 2023, replacing its earlier interpretive guidance on cyber incident reporting with binding requirements. Under the more robust rules, the SEC expects companies to:
- Describe their processes for assessing, identifying, and managing material risks from cybersecurity threats.
- Describe the Board of Directors' oversight of risks from cybersecurity threats, and management's role in assessing and managing those risks.
The disclosure requirements have been extended to include foreign private issuers.
Which Cyber Incidents Must You Report?
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was signed into law in March 2022 as part of the Consolidated Appropriations Act, 2022. It directs the Cybersecurity and Infrastructure Security Agency (CISA) to issue regulations governing the reporting of covered cyber incidents and ransomware payments. Separately, the SEC rules require registrants to disclose a material cybersecurity incident on Form 8-K (Item 1.05) within four business days of determining that the incident is material. The disclosure must describe the material aspects of the incident's nature, scope, and timing, and its material impact, or reasonably likely material impact, on the company.
A material incident is one that affects a company's operations, financial condition, or strategy. Factors to weigh when assessing materiality include:
- Damage to reputation
- Loss of customer trust
- Potential litigation or regulatory fines
- Loss of competitive advantage
The disclosure need not include specific technical or procedural details about the company's planned response or its cybersecurity systems where that level of detail would impede its response or remediation.
What is Materiality in the SEC Cybersecurity Rules?
The SEC's existing definition of materiality is unchanged and consistent with the one used throughout securities law: information is material if there is a substantial likelihood that a reasonable investor would consider it important when making an investment decision. In other words, would investors change how they view or trade a company's securities as a result of the cyber incident?
The SEC cybersecurity requirements state that the Form 8-K must be filed within four business days of determining that an incident is material, not within four business days of the incident itself or its discovery. However, the SEC stipulates that the materiality determination must be made without unreasonable delay after discovery. The only permitted delay is where the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing.
The SEC cybersecurity rules took effect 30 days after publication in the Federal Register. Registrants must comply with the annual report (Form 10-K) requirement beginning with fiscal years ending on or after December 15, 2023. The Form 8-K incident disclosure requirement applies from December 18, 2023 for most registrants; smaller reporting companies have an additional 180 days and must comply no later than June 15, 2024.
What are the Reporting Obligations of Critical Infrastructure?
The USA PATRIOT Act of 2001 defined critical infrastructure as the systems and assets so vital to the United States that their incapacity or destruction would have a debilitating impact on security, the economy, public health, or safety. Presidential Policy Directive 21 later designated 16 sectors under that definition:
- Chemical
- Financial Services
- Commercial Facilities
- Food and Agriculture
- Communications
- Government Facilities
- Critical Manufacturing
- Healthcare and Public Health
- Dams
- Information Technology
- Defense Industrial Base
- Nuclear Reactors, Materials, and Waste
- Emergency Services
- Transportation Systems
- Energy
- Water and Wastewater Systems
Companies in these critical infrastructure sectors that fall within CISA's definition of a covered entity must comply with the following CIRCIA reporting requirements:
- Report a covered cyber incident to CISA within 72 hours of reasonably believing that the incident has occurred.
- Report a ransomware payment to CISA no later than 24 hours after the payment is made.
Reporting of both incidents and payments is mandatory once CISA's final rule implementing CIRCIA takes effect; until then, CISA encourages voluntary reporting.
Need Help with SEC Cybersecurity Reporting Requirements?
Sorting through the pages of any government document can take weeks, and understanding how it applies to your organization can take even longer. A trial-and-error approach to meeting requirements such as the SEC's latest cybersecurity mandates can be costly.
Trava approaches cyber risk management as a growth strategy for its clients. We help companies establish risk management strategies and develop implementation plans that include meeting reporting obligations. Contact us to discuss how we can help your business comply with the SEC's new cybersecurity reporting rules.
Sources:
www.usa.gov/agencies/securities-and-exchange-commission#
www.sec.gov/files/33-11216-fact-sheet.pdf
www.congress.gov/bill/117th-congress/house-bill/2471/text
www.cisa.gov/sites/default/files/publications/Guide-Critical-Infrastructure-Security-Resilience-110819-508v2.pdf
www.archives.gov/federal-register/laws
Understanding the Divide Between Security and Compliance
Security involves implementing measures to protect data and systems from unauthorized access. This includes practices like encryption, access controls, and regular vulnerability assessments. Requiring multifactor authentication (MFA) and enforcing strong password policies are basic security practices. Everyone can relate to them in their daily digital lives.
Compliance, on the other hand, means adhering to the regulations and standards that govern data security and privacy. Standards such as SOC 2 and ISO 27001, and regulations such as GDPR, provide structured requirements that organizations follow to demonstrate their commitment to protecting data. Compliance is about proving that your security measures meet an agreed standard, which builds trust with customers and partners.
Robust security practices form the backbone of compliance. Without strong security, meeting regulatory standards would be nearly impossible, and staying compliant over time would be harder still.
The Cost Factor of Security Breaches and Compliance
Investing in security and compliance is not just about avoiding fines and legal trouble. It’s also about protecting your company’s reputation and customer trust. Security breaches can lead to significant financial losses due to fines, lawsuits, and data recovery costs. The damage to reputation and loss of customers from a breach can be devastating.
Compliance efforts may seem costly, but organizations should treat them as an investment in trust and risk reduction. Following compliance standards reduces the likelihood and impact of breaches, and it shows customers and partners your commitment to data protection, which strengthens your position in the market.
Security-First Approach for SaaS Startups
Prioritizing security from the outset is crucial for building a resilient SaaS business. A security-first approach builds security measures into your development and operational processes from day one. This proactive stance attracts clients who value data protection and fosters a security culture within your organization.
Embedding security practices early creates a strong foundation that makes compliance easier later. Regularly updating your security controls, running vulnerability scans, and educating your team on security best practices are essential steps on that path.
The Security and Compliance Web
While security and compliance are distinct, they are deeply interconnected. A focus on robust security lays the groundwork for complying with regulations. This dual focus protects your data and systems, builds trust with your customers and partners, and positions your SaaS startup for long-term success. Investing in security and compliance is not just a regulatory obligation; it is a strategic move that can drive growth and customer loyalty.