The SEC’s Revised Cybersecurity Rules Have Global Reach
August 01, 2023
If your company is publicly traded in the U.S. — whether headquartered in the U.S. or abroad — new cybersecurity and disclosure rules apply.
The global cyber threat landscape is a dark and foreboding place. The average cost of a ransomware attack globally is USD5.13 million, which does not include the cost of the ransom, and the average cost of a data breach in the United States is USD9.48 million.[1] Beyond financial risk, a cyber incident’s potential to disrupt operations and damage reputation keeps organizations on edge.
The Securities and Exchange Commission (“SEC”) is shining a light into the landscape. On July 26, 2023, the SEC adopted amendments to its 2018 rules on cybersecurity risk management, strategy, governance and incident disclosure by public companies.[2] The goal of the new rules, according to an earlier press release about the amendments, is to “better inform investors” and “strengthen [their] ability to evaluate public companies’ cybersecurity and incident reporting.”[3]
Any public company doing business in the United States will need to assess its cybersecurity stance to make sure it is in compliance with the amendments. Depending on their cyber maturity, some may already be headed in that direction and simply need to refine their adherence to the 2018 rules. Others may need to make significant adjustments or changes to their cybersecurity strategy. The new rules could have a profound impact on risk management programs, through material incident reporting and board oversight and accountability requirements.
For companies headquartered abroad but listed in the United States, especially those with a less mature cyber stance in their home countries, the amendments could be a real game changer for two reasons: 1) they present an opportunity for the company to strengthen its cybersecurity infrastructure at home by aligning with U.S. standards, commonly seen as the highest in the world; and 2) this could be a market differentiator for the organization.
The Intent of the Rules
The new rules are significant and they require companies to concentrate efforts in three primary areas:[4]
- Increased Transparency for Investors
Organizations must report material cybersecurity incidents and data breaches within four days. They will also need to provide information and updates regarding previously disclosed incidents on a quarterly basis.
- Enterprise Risk Management Gains Importance
Organizations must adopt policies and procedures (i.e., controls) to mitigate cyber risk. The required key controls include security risk assessments, access controls, continuous monitoring, detection and response, vulnerability management and vendor risk management.
- Boards that Are Fit for the Future
Organizations are required to disclose summary descriptions of their cyber risk and how much oversight the board and management have on cybersecurity risk. This includes the cybersecurity expertise of management and board members, and descriptions of policies and procedures for the identification and management of cyber risks.
The demand for transparency and accountability inherent in the new rules represents a trend familiar in corporate ESG reporting, where cybersecurity is rapidly becoming an essential component of corporate governance. As more stakeholders, including investors, organizations, employees, clients and media, inquire into an organization’s ESG accountability, expectations that a company will protect and defend against cyber risks, and report incidents promptly, become front and center to maintaining public trust.[5]
Regulators, governments and investors are looking closely at an organization’s cybersecurity governance and, in some cases, demanding oversight at the board level. In today’s digitized business environment, the existential threat of an incident means cybersecurity must be proactively managed, factored into all decisions and considered a business risk just like any other.
Get Ready Now
Integrating cybersecurity into corporate governance is the key to compliance and provides greater flexibility as new rules come down the pike. The starting place for integration for any organization lies in these three critical areas:
- Training and Communication
Organizations will need to update how they prepare and process disclosure forms to include the relevant information related to cybersecurity governance, risk management and data breaches. Is the board up to speed on current cybersecurity threats and emerging trends? Is it working in concert with other stakeholders on priorities, security initiatives and investments?
- Cybersecurity Program Assessment
An organization must have a thorough understanding of its cybersecurity stance prior to implementing or changing processes. Are security policies up-to-date? How are they managed, implemented and enforced? Penetration testing can go a long way: Knowing where your critical assets are at risk and where your attackers might come from — whether inside or outside the organization — is key to strengthening your infrastructure.
- Incident Response
Being ready for cyber threats is fundamental to the success of an incident response program. This includes selecting and implementing controls based on the results of a risk assessment to limit the number of potential incidents your organization may face. Even after controls are in place, residual risk remains that requires an early detection system. In addition, it is critical to perform incident tabletop exercises to practice and perfect response procedures to be able to communicate relevant details within the required timeframes.
No matter where an organization is headquartered, the SEC rules will have a major impact on all publicly traded companies in the United States. Seizing the moment now to factor cybersecurity into corporate governance will better position companies to walk in the SEC’s light.
Kyung Kim, Senior Managing Director in FTI Cybersecurity, contributed to this article.
1: “Cost of a Data Breach Report 2022: A Million-Dollar Race to Detect and Respond.” IBM (July 2022). https://www.ibm.com/reports/data-breach.
2: “SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies.” U.S. Securities and Exchange Commission (July 26, 2023). https://www.sec.gov/news/press-release/2023-139.
3: “SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies.” U.S. Securities and Exchange Commission (March 9, 2022). https://www.sec.gov/news/press-release/2022-39.
4: Vanessa A. Countryman. “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.” U.S. Securities and Exchange Commission (March 9, 2022). https://www.sec.gov/rules/proposed/2022/33-11038.pdf.
5: Sonita Lontoh. “ESG: An Authentic Multi-Stakeholder Approach To Create Long-Term Sustainable Value.” Forbes (September 2, 2022). https://www.forbes.com/sites/forbescommunicationscouncil/2022/09/02/esg-an-authentic-multi-stakeholder-approach-to-create-long-term-sustainable-value/?sh=70eff03e4ee7.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.