What is the new cybersecurity reporting law?

The US Securities and Exchange Commission's (SEC) primary directive is to protect investors. It regulates the disclosure of market information to promote fair dealing and prevent fraud. For example, publicly traded companies must complete Form 10-K at the end of their fiscal year. The form requires a complete listing of the company's risks, liabilities, corporate agreements, operations, and market performance. This information keeps investors informed about the internal and external forces that may affect a company's value.

Events such as a factory fire or a labor strike should be included on Form 10-K because they impact a company's financial and operational viability. They may also change its strategic direction. With the new SEC cybersecurity rules, public companies must disclose a material cybersecurity incident within days. They must also report on annual assessments of an organization's cybersecurity governance and risk management efforts.

What is the New Cybersecurity Reporting Law?

In July 2023, the SEC passed its 2023 Guidance, which refines its cyber incident reporting requirements. As part of these more robust requirements, the SEC expects companies to:

  • Describe the process for assessing, identifying, and containing cybersecurity threats.

  • Describe the Board of Directors' oversight of cybersecurity risk management and governance.

The disclosure requirements have been extended to include foreign private issuers.

What Cyber Incidents Must You Report?

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was signed into law in 2022. It requires the Cybersecurity and Infrastructure Security Agency (CISA) to implement regulations for reporting cyber incidents and ransomware payments. Following CIRCIA, the SEC rules state that registrants must disclose a material cybersecurity incident within four business days of determining that the incident is material. Public companies must identify the materiality of the incident, its scope, and its timing.

Material incidents are events that affect a company's operations, financials, or strategies. Factors that bear on materiality include:

  • Damage to reputation

  • Loss of customer trust

  • Potential litigation or regulatory fines

  • Loss of competitive advantage

The disclosure should not include technical or procedural details that might compromise countermeasures.

What is Materiality in the SEC Cybersecurity Rules?

The SEC's existing definition of materiality remains unchanged and is consistent with the definition used under securities law. An incident is material if an investor would consider the information significant when making an investment decision. In other words, would investors change their investment strategy regarding a company as a result of the cyber incident?

The SEC cybersecurity requirements state that a filing must be made within four business days of determining that a cyber incident is material, not within four days of the incident itself. However, the SEC stipulates that the materiality assessment must be conducted without unreasonable delay.

The SEC cybersecurity rules take effect 30 days after publication in the Federal Register. Registrants must comply with the annual report requirement beginning with fiscal years ending on or after December 15, 2023. Smaller reporting companies must comply no later than June 15, 2024.

What are the Reporting Obligations of Critical Infrastructure?

The US Patriot Act of 2001 identified a set of functions as critical to the security and resilience of the United States. These sectors include:

  • Chemical

  • Financial Services

  • Commercial Facilities

  • Food and Agriculture

  • Communications

  • Government Facilities

  • Critical Manufacturing

  • Healthcare and Public Health

  • Dams

  • Information Technology

  • Defense Industrial Base

  • Nuclear Reactors, Materials, and Waste

  • Emergency Services

  • Transportation Systems

  • Energy

  • Water and Wastewater Systems

Companies that are part of the critical infrastructure must comply with the following CIRCIA reporting requirements:

  • You must report a CIRCIA-defined cyber incident within 72 hours.

  • You must also report a ransomware payment no later than 24 hours after making the payment.

Reporting of both payments and incidents is mandatory.

Need Help with SEC Cybersecurity Reporting Requirements?

Sorting through the pages of any government-related document can take weeks. Understanding how the information applies to your organization can take even longer. The trial-and-error approach to meeting requirements such as the SEC's latest cybersecurity mandates can be costly.

Trava approaches cyber risk management as a growth strategy for its clients. We help companies establish risk management strategies and develop implementation plans that include meeting reporting compliance obligations. Contact us to discuss how we can help your business comply with the SEC's new cybersecurity reporting law.
