In today's fast-paced digital landscape, where cyber threats lurk around every corner, staying ahead of the curve is not just a luxury—it's a necessity. And guess what? The U.S. Securities and Exchange Commission (SEC) just upped the ante on July 26, 2023 in a 3-2 vote. If you're a public company, their latest move is something you can't afford to ignore regarding your financial compliance. Today, we're diving deep into the SEC's new cybersecurity disclosure rules. Let's unravel what this means for you and how you can leverage it for success.
The Digital Age's Newest Curveball
The digital revolution has been a double-edged sword. On one side, we've got unparalleled growth opportunities, and on the other, an ever-evolving array of cyber threats. Recognizing this, the SEC, in a groundbreaking move, has rolled out a set of rules that are set to redefine transparency in the corporate world. These rules, adopted on July 26, 2023, are all about ensuring public companies (yes, that includes foreign private issuers) are crystal clear about their cybersecurity incidents and their strategies to tackle them. And while this rule has been in the pipeline since March 2022, its final form is a game-changer. Let's break it down.
Material Cybersecurity Incidents: The Need for Speed and Transparency
In the world of file sharing and file transfer, we talk about the importance of speed and transparency with your team members. Guess what? The same principles apply here. The new rules add a new item regarding disclosure. Here are the 4 items you need to know about Item 1.05 on Form 8-K (the form itself announces major events your shareholders should be aware of).
Timing is Everything
Just discovered a cybersecurity incident? The clock's ticking. Companies now have to assess the materiality of an incident "without unreasonable delay" and, once they determine it is material, make a disclosure within four (4) business days. This shift is all about giving companies that crucial window to assess and act.
Scope and Clarity
When it comes to disclosure, it's not just about the 'what' but also the 'how.' Companies need to be upfront about the nature, extent, and implications of the incident. And if you're still gathering intel, that's okay—just ensure you update your stakeholders with a Form 8-K amendment within four (4) business days of the information becoming available.
Exceptions? There’s a Catch
You might be thinking, "Can I delay the report?" Well, only in super rare cases. The big exception? If the Attorney General steps in and says, "Hey, disclosing this could put national security or public safety at risk." But here's the catch: getting that green light from the Department of Justice within those 4 days? Not a walk in the park.
Realistically, only in extreme cases will the Department of Justice give that nod. And for those companies that are tight with U.S. national security agencies (such as defense contractors), some incidents might be so top-secret that they're left out of the disclosure altogether. So, always be on your toes and make sure you're preparing your incident report in parallel with asking for an exception, if you decide it's worth the effort.
Broad Definition of “Cybersecurity Incident”
The rulebook's got a pretty wide net on this one. Think of their definition of a cybersecurity incident as any unauthorized, unexpected event, whether it's a one-off or a series of related events, that compromises the confidentiality, integrity, or availability of your company's digital data or systems. And guess what? It's not just about your own systems. Even if you're using third-party platforms, such as Sharetru for file sharing and file transfer, they're in the mix too. Oh, and a little side note from the SEC: even if something happens by accident, it's still 'unauthorized.' The key takeaway? Always be on the lookout and assess whether an incident might have a big impact down the road.
Risk Management and Governance: It's All About Strategy
Remember when terms like 'risk management' and 'governance' were tossed around in boardrooms and executive meetings, often without much action? Well, those days are gone. Now, they're not just buzzwords that are worth discussing; they've taken the spotlight. The landscape is changing, and if you're not adapting, you're falling behind. So, let's deep dive into these shifts and uncover how they're not just tweaking but totally transforming the playbook for businesses like yours.
Risk Management for Cybersecurity
The final rule, while not as demanding as the initial proposal, still wants you to spill the beans on how you handle cybersecurity risks.
Thinking of keeping some processes under wraps? Think again. If your methods aren't up to par with the final rule or seem a tad weaker than your competitors', you might want to give them a makeover before making them public. And here's a pro tip: make sure you're clear about how you're teaming up with third parties to manage risks. Got a system to keep tabs on risks from third-party providers? Great, highlight that. And don't forget to clarify who's calling the shots on cybersecurity: your board or the management team.
Oh, and a quick side note: While there's no mandate (yet) to disclose if your board members are cybersecurity pros, it's something the SEC might have on their radar. So, stay informed, stay ahead, and always keep refining your cybersecurity strategy!
Risk Management for Disclosure
Remember those times when companies would disclose certain cybersecurity details only to regulatory bodies and affected customers? Well, the game's changed. With the new rules in place, any information you disclose in an SEC filing is now under the microscope. And guess what? This magnified scrutiny comes with its fair share of risks, from potential regulatory actions to lawsuits.
Here's the tricky part: You've got to craft your disclosures just right. It's a balancing act—being transparent without unintentionally flashing a neon sign to cyber attackers about your vulnerabilities. Sure, you don't need to get into the nitty-gritty technical details, but as Commissioner Peirce pointed out, even general info could give hackers a roadmap.
The good news? The rules give companies some breathing room to assess the gravity of cybersecurity incidents. But a word to the wise: don't rush when drafting those Form 8-K disclosures. Get your internal and external experts on board early. And while you're at it, give your cybersecurity playbook a once-over to ensure it aligns with your annual risk management and strategy disclosures.
Governance in the Spotlight
It's not just about the 'how' but also the 'who.' The SEC wants to know who's calling the shots when it comes to cybersecurity. This means detailing your board's role, the committees in charge, and how they're staying in the loop. This is easier if responsibilities are clearly delineated within third-party systems, or if you've integrated a Single Sign-On (SSO) platform that helps your IT team grant specific individuals access only to the specific platforms they need.
A Short Summary of the New Rules
Let's simplify things a bit. Below, I've distilled the essence of the new rule into some easy-to-digest bullet points. Whether you're a seasoned pro or just getting started, these highlights will give you a clear snapshot of what's in store.
Quick Action Required: Companies need to report material cybersecurity incidents on Form 8-K within just 4 business days after determining that an incident is material.
Yearly Check-ins: Every year, on Form 10-K, companies have to:
Share insights into their strategies for managing cybersecurity risks.
Highlight their processes for tackling cybersecurity threats.
Disclose if cyber threats have had a significant impact on them.
Who's in Charge? Also, in the annual Form 10-K:
Companies need to shed light on their cybersecurity governance.
This includes detailing how the board and management oversee these risks.
Global Reach: For our international friends, these annual disclosures also pop up in Form 20-F. And any major cybersecurity incidents? They'll be spotlighted in Form 6-K.
Check out the official release right here. And for a quick snapshot, the SEC's got a handy Fact Sheet waiting for you here. Mark your calendars, because 30 days after it hits the Federal Register, this rule goes live.
Next Steps: Navigating the New Normal
Change, while inevitable, can be daunting. But with the right strategy, it's an opportunity in disguise.
Revisit and Revamp
Just like Google's ever-changing algorithms, these new rules mean it's time to revisit your cybersecurity playbook. Ensure your teams are in sync, and your processes are watertight.
This is all about adapting to new challenges. The new rules, while comprehensive, come with their set of challenges. But with a proactive approach, they're nothing you can't handle.
Risk Management 2.0
For some, this might mean going back to the drawing board. But remember, a robust cybersecurity strategy isn't just about compliance—it's about safeguarding your brand's reputation.
How Sharetru Supports the New SEC Cybersecurity Rules
In light of the recent SEC regulations on cybersecurity disclosure for public companies, it's crucial for businesses to align with these mandates. As a leading platform for file transfer and file sharing in the cybersecurity domain, we're at the forefront of ensuring that companies not only comply with these new rules but also enhance their overall cybersecurity posture. Here are the top 5 ways we help you comply:
1. Prompt Disclosure of Material Cybersecurity Incidents
Sharetru's advanced platform monitoring systems (HIDS, IPS, virus and malware protection, and others) promptly detect and report material cybersecurity incidents, which we make known to our customers. This ensures that companies can make timely disclosures to their end clients and shareholders, in line with the SEC's requirement of reporting within four business days of determining an incident's materiality.
2. Comprehensive Cybersecurity Risk Management and Strategy
Sharetru offers a robust framework that aids companies in assessing, identifying, and managing material risks from cybersecurity threats while using our platform. With our Advanced Security and Compliance Platform, the IaaS, PaaS, and SaaS are SOC 2 Type II certified, with the IaaS and PaaS having an additional FedRAMP Moderate authorization. This aligns with the SEC's emphasis on detailing a company's processes for managing threats. Moreover, Sharetru's platform works seamlessly alongside a company's SIEM platform by delivering its logs over SFTP, ensuring the logs are encrypted in transit and supporting a holistic approach to cybersecurity.
3. Governance and Oversight
Sharetru provides tools that facilitate board-level oversight of cybersecurity risks. Through its dashboard and reports, cybersecurity and IT team members can gain insight into how the company is using Sharetru, delineate roles when administering the platform, and ensure that they are well-informed and can make strategic decisions in line with the SEC's governance disclosure requirements.
4. Easy Collaboration with Third-party Assessors
Recognizing the value of third-party assessments, Sharetru provides easy access for administrators to file transfer logs, administrator logs, additional reporting, and compliance requests. This ensures that companies have a comprehensive view of their cybersecurity landscape, meeting the SEC's criteria for third-party engagements.
5. Continuous Updates and Compliance Checks
With the dynamic nature of cybersecurity threats and evolving regulations, Sharetru ensures that its platform is always updated. Regular compliance checks ensure that companies remain in line with the latest SEC mandates, reducing the risk of non-compliance.
In conclusion, the SEC's latest move is a testament to the ever-evolving digital landscape. Staying updated is the key to success, and the same applies here. So, gear up, stay informed, and remember—every challenge is an opportunity waiting to be seized. If you found this insightful, don't forget to share it with your network. As the SEC tightens its regulations around cybersecurity disclosures, platforms like Sharetru are instrumental in ensuring that companies not only comply but also adopt best practices in cybersecurity. With its comprehensive suite of tools and services related to file transfer and file-sharing, Sharetru is the go-to solution for businesses aiming to align with the new SEC rules and enhance their cybersecurity resilience.
Arvind is Director of Compliance and Programs at Sharetru. He came to Sharetru with 11+ years of experience in offering cloud solutions to the Federal Government and public sector channels at companies such as Rackspace, IBM, UNICOM, A10 and Radware Alteon. He is based in the Washington, D.C. area.