On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) released its new set of rules on Cyber Incident Management and Reporting.
In a news release titled “SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies”, the organisation has mandated several new norms for how publicly traded companies must report and manage cybersecurity events.
We break down all the information that is currently available and consolidate it for you in this article. Here is a look at the key takeaways and what they mean for U.S.-listed companies.
As per the new rules, companies registered with the SEC must disclose any cybersecurity incident within 4 days of determining its ‘reasonably likely material impact’. They also have to disclose the nature of the attack, its scope and timing. The only case in which the disclosure may be delayed is if it is determined that this could impact national security and/or public safety.
This rule, proposed in 2022, has now come into effect and is a welcome move. It requires greater transparency from organisations when it comes to how they handle cyber attacks and data breaches.
Improved Cyber Incident Planning and Response has become critical with the new rule coming into effect. Public companies in the U.S. will now be required to have a streamlined and effective Incident Response and Management policy if they are to achieve compliance with the new SEC rules.
Organisations in the U.S. will have to invest greater resources in ensuring they have repeatable, relevant and properly rehearsed Cyber Incident Response Plans and Incident Response Playbooks that they can fall back on for speedy reporting and management.
Our CEO, Amar Singh, adds, “The new rules will prompt businesses in the U.S. to pay more focussed attention on their Cyber Incident Response capabilities and overall cyber resilience. In the U.K., we’ve helped several clients to become capable of responding effectively to and reporting incidents in 72 hours (as mandated by the EU GDPR). With regular compliance initiatives and Tabletop Testing of Cyber Incident Response Plans and Playbooks, reporting incidents with material impact in 4 days should become a part of the muscle memory even for U.S.-based organisations.”
“This is definitely a step in the right direction. The increase in number and complexity of attacks each year does erode financial capital and deeply impacts privacy and personal information security of a vast number of individuals. But for many years we’ve seen inertia amongst U.S. organisations in informing their customers and shareholders in time even after major attacks. Enforcing stringent reporting and encouraging greater transparency is certainly called for in the current threat landscape.”