To protect investors and maintain efficient markets, the United States Securities and Exchange Commission (SEC) adopted a new set of final rules[1] on July 26, 2023. These rules change how publicly traded companies in the U.S. are required to disclose information about cybersecurity risk, governance, and incidents.
Specifically, the new rules require the “disclosure of material cybersecurity incidents on Form 8-K and the periodic disclosure of a registrant’s cybersecurity risk management, strategy, and governance in annual reports.”[2] The final rules are designed to give investors the timely, consistent, comparable, and decision-useful information they need to make informed investment and voting decisions.[3]
The new rules took effect on September 5, 2023. Reporting requirements began on December 18, 2023. Smaller reporting companies were given an additional 180 days to comply.
Rationale behind the new cybersecurity disclosure rules
On December 14, 2023, Erik Gerding, Director of the SEC’s Division of Corporation Finance, gave a speech on the SEC’s final rules. In it he noted that “threat actors frequently and successfully carried out attacks on major companies across several critical industries throughout 2022 and the first quarter of 2023, prompting the launch of several reviews by the Department of Homeland Security’s Cyber Safety Review Board.”[4]
The SEC pointed to the rising cost of cybersecurity incidents to companies and their investors. The same trend is documented in Sophos’ fifth annual survey of real-world ransomware experiences across organizations in 15 industry sectors worldwide, the “Sophos 2024 State of Ransomware report”[5].
According to that survey, 59% of organizations had been hit by ransomware in the previous year. Persistent ransomware attacks on organizations of every size cost millions of dollars in recovery and remediation. The average cost to recover from a ransomware attack rose to $2.73M in 2024, up from the $1.82M reported in 2023. This underscores the urgent need for robust cybersecurity measures across all sectors, and the case for better disclosure.[6]
For these reasons, the SEC adopted new rules that inform investors about cybersecurity breaches at public companies and give insight into how those companies manage cyber risk, with the aim of improving transparency and overall risk governance.
The new SEC disclosure requirements
The final rule has two main requirements:
a) Public companies must disclose material cybersecurity incidents within four (4) business days of determining that the incident is material[7]
- Companies must disclose the occurrence of a material cybersecurity incident under the new Item 1.05 of Form 8-K and describe the material aspects of the nature, scope, and timing of the incident, as well as its material impact, or reasonably likely material impact, on the company, including its financial condition and results of operations.
- Public companies must file the required incident disclosure within four (4) business days of concluding that the incident is material. The clock does not start when the incident occurs or is discovered. This timing recognizes that, in many cases, a company will not be able to determine materiality on the same day the incident is detected.
b) Public companies must disclose information annually in their Form 10-K about cybersecurity risk management, strategy, and governance[8]
- Public companies must make annual disclosures in their Form 10-K under Item 106 about their cybersecurity risk management, strategy, and governance.
- The final rule requires public companies to describe management’s processes for assessing and managing material risks from cybersecurity threats, including, where applicable, the management positions or committees responsible for those threats and their relevant expertise.
The final rule’s board-level disclosure requirement is intended to describe the board’s oversight of risks from cybersecurity threats and, where relevant, to identify any board committee or subcommittee responsible and explain how the board or that committee is informed about those risks. The final rule also sets disclosure requirements for foreign private issuers[9] and requires the new disclosures to be tagged in inline structured data format.[10]
Compliance deadlines
With respect to Item 106 of Regulation S-K and Item 16K of Form 20-F, all registrants must provide these disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023. For the incident disclosure requirements in Item 1.05 of Form 8-K and in Form 6-K, all registrants other than smaller reporting companies must begin complying on December 18, 2023.[11]
Smaller reporting companies (those with less than US$250 million in publicly held stock, or with under $100 million in annual revenue and less than $700 million in publicly held stock) are given an additional 180 days beyond the compliance date for other registrants before they must comply with Item 1.05 of Form 8-K, i.e., by June 15, 2024.[12]
The consequences of non-compliance
Although the SEC has not yet spelled out specific penalties for violating the new rules, its enforcement powers are broad. Penalties could reach $25 million, alongside other disruptive actions such as cease-and-desist orders or revocation of trading privileges. More worrying is the increased likelihood of lawsuits from investors or stakeholders if a company fails to disclose a material cybersecurity incident. The SEC’s rules give activist investors a firm footing to challenge companies that fail to meet their obligations.[13]
How can Sophos help?
As your publicly traded company prepares to comply with the new SEC rules, the first step is to conduct a thorough assessment of the cybersecurity risks in your IT environment, establish detailed incident response plans, and deploy solutions and tools that provide complete, accurate visibility across the entire estate and comprehensive, timely reporting.
Sophos’ portfolio of managed security services and solutions – including Sophos MDR, Sophos Intercept X, Sophos XDR, and Sophos Firewall – is part of the Sophos Adaptive Cybersecurity Ecosystem, where they share real-time threat intelligence for faster, more contextual, and synchronized protection, detection, and response.
These offerings are powered by Sophos X-Ops threat intelligence, a cross-functional team of more than 500 security experts across SophosLabs, Sophos SecOps, and SophosAI. The solutions are easily managed in the cloud-native Sophos Central platform, where users gain insight into their security posture, security investigations, and cyber threats through weekly and monthly summaries, real-time alerts, and simple management from one user-friendly console.
Sophos offers a range of resources to help defend against ransomware. You can find best-practice guidance, an anti-ransomware toolkit, a link to our incident response services, and references to some of our ransomware research here. Tailored recommendations on configuring Sophos products to prevent ransomware are also available.
To learn more about Sophos’s easy-to-use security solutions, speak with a Sophos consultant or your Sophos partner today, or visit the Sophos website.
[1] https://www.federalregister.gov/documents/2023/08/04/2023-16194/cybersecurity-risk-management-strategy-governance-and-incident-disclosure
[2] https://www.sec.gov/files/33-11216-fact-sheet.pdf; see also, https://www.sec.gov/newsroom/press-releases/2023-13
[3] https://www.paulhastings.com/insights/ph-privacy/sec-speech-on-cybersecurity-disclosure#:~:text=The%20two%2Dpronged%20approach%20of,disclosure%20of%20a%20public%20company’s
[4] https://www.sec.gov/newsroom/speeches-statements/gerding-cybersecurity-disclosure-20231214#_ftn1
[5] https://assets.sophos.com/X24WTUEQ/at/9brgj5n44hqvgsp5f5bqcps/sophos-state-of-ransomware-2024-wp.pdf
[6] Id.
[7] https://www.federalregister.gov/documents/2023/08/04/2023-16194/cybersecurity-risk-management-strategy-governance-and-incident-disclosure at §§ II.A.3, Appendices B and C.
[8] Id. at §§ II.C.1.c, II.C.2.c, II.C.3.c, Appendix D.
[9] Id. at § II.E.
[10] Id. at § II.E.
[11] See https://www.federalregister.gov/documents/2023/08/04/2023-16194/cybersecurity-risk-management-strategy-governance-and-incident-disclosure
[12] https://www.sec.gov/files/rules/final/2023/33-11216.pdf
[13] https://www.thomsonreuters.com/en-us/posts/investigation-fraud-and-risk/cybersecurity-disclosure-rules/
