The SEC’s 2023 final rules on cybersecurity disclosures

To serve its mission of protecting investors and maintaining efficient markets, the U.S. Securities and Exchange Commission (SEC) adopted a new set of final rules[1] on July 26, 2023. These rules change how publicly traded companies in the United States are required to disclose information about cybersecurity risks, governance, and incidents.

Specifically, the new rules require the “disclosure of material cybersecurity incidents on Form 8-K and periodic disclosure of a registrant’s cybersecurity risk management, strategy, and governance in annual reports.”[2] The final rules are intended to give investors timely, consistent, comparable, and decision-useful information for their investment and voting decisions.[3]

The new rules became effective on September 5, 2023. Reporting requirements began on December 18, 2023. Smaller reporting companies were given an additional 180 days to comply.

Why the new cybersecurity disclosure rules were adopted

On December 14, 2023, Erik Gerding, Director of the SEC’s Division of Corporation Finance, gave a speech on the final rules, noting that “threat actors repeatedly and successfully carried out assaults on eminent companies spanning multiple critical sectors throughout 2022 and the initial quarter of 2023, prompting the Department of Homeland Security’s Cyber Safety Review Board to institute numerous evaluations.”[4]

The SEC recognized that the costs borne by companies and their investors as a result of cybersecurity incidents have been rising. The same trend is evident in Sophos’ fifth annual study of the real-world ransomware experiences of organizations across 15 industry sectors worldwide, the Sophos State of Ransomware 2024 report.[5]

According to the report, 59% of organizations were hit by ransomware in the previous year. Ransomware attacks on organizations of all sizes continue to cost millions of dollars in recovery and remediation. The average cost to recover from a ransomware attack rose to $2.73M in 2024 from the $1.82M reported in 2023. This underscores the urgent need for robust cybersecurity measures across all sectors, and with it the need for better disclosure.[6]

For these reasons, the SEC introduced new rules to inform investors about cyberattacks on public companies and to give insight into how companies manage cyber risk. The aim is to promote transparency and improve risk management overall.

The new SEC disclosure requirements

The final rule has two main provisions:

a) Public companies must disclose material cybersecurity incidents within four (4) business days of determining that the incident is material[7]

  • Requires public companies to disclose the occurrence of a material cybersecurity incident under new Item 1.05 of Form 8-K and to describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the company, including its financial condition and results of operations.
  • Companies must provide the required incident disclosure within four (4) business days after determining that the incident is material. The deadline is not four business days after the incident occurs or is discovered. This timing recognizes that, in many cases, a company may not be able to determine materiality on the same day the incident is discovered.

b) Public companies must disclose annually in their Form 10-K information about cybersecurity risk management, strategy, and governance[8]

  • Requires public companies to make annual disclosures in their Form 10-K under Item 106 on their cybersecurity risk management, strategy, and governance.
  • The final rule requires public companies to describe management’s processes for assessing and managing material risks from cybersecurity threats, including, where applicable, the management positions or committees responsible for cybersecurity risk and their relevant expertise.

The board-related requirement in the final rule focuses on describing the board’s oversight of risks from cybersecurity threats and, where applicable, identifying any relevant board committee or subcommittee and describing how the board or that committee is informed about such risks. The final rule also sets requirements for disclosure by foreign private issuers[9] and for tagging the new disclosures in inline structured data format.[10]

Staggered compliance dates

For Item 106 of Regulation S-K and Item 16K of Form 20-F, all registrants must provide these disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023. For compliance with the incident disclosure requirements in Item 1.05 of Form 8-K and in Form 6-K, all registrants other than smaller reporting companies must begin complying on December 18, 2023.[11]

Smaller reporting companies (those with less than US$250 million in publicly held shares, or those with less than $100 million in annual revenue and less than $700 million in publicly held shares) are given an additional 180 days after the compliance date for other registrants before they must begin complying with Item 1.05 of Form 8-K, i.e., by June 15, 2024.[12]

The consequences of non-compliance

Although the SEC has not yet specified penalties for violating the new rules, its enforcement powers are broad. Penalties could reach up to $25 million, alongside other disruptive measures such as cease-and-desist orders or suspension of trading. More concerning is the increased likelihood of legal action from investors or stakeholders if companies fail to disclose material cybersecurity incidents. The SEC’s rules give activist investors a strong basis on which to challenge companies that fall short of their obligations.[13]

How Sophos can help

As your public company prepares to comply with the new SEC rules, your first step should be a thorough assessment of the cybersecurity risks in your IT environment, followed by developing detailed incident response plans and deploying solutions and tools that provide full visibility across the entire estate and thorough, timely reporting.

Sophos’ portfolio of managed security services and solutions, including Sophos MDR, Sophos Intercept X, Sophos XDR, and Sophos Firewall, are integral parts of the Sophos Adaptive Cybersecurity Ecosystem, where they share real-time threat intelligence for faster, context-rich, and synchronized protection, detection, and response.

These offerings are backed by Sophos X-Ops threat intelligence, a cross-operational effort of more than 500 security specialists across SophosLabs, Sophos SecOps, and Sophos AI. Solutions are easily managed in the cloud-native Sophos Central platform, where users can get insight into their security posture, security investigations, and cyber risks through weekly and monthly summaries, instant alerts, and easy management from a single, intuitive interface.

Sophos offers a variety of resources to help protect against ransomware. You can find best-practice advice, an anti-ransomware kit, a link to our incident response services, and links to several of our ransomware-related studies here. Detailed guidance on configuring Sophos products to stop ransomware is also available.

To learn more about Sophos’ security solutions, contact a Sophos representative or your Sophos partner today, or visit the Sophos website.


[1] https://www.federalregister.gov/documents/2023/08/04/2023-16194/cybersecurity-risk-management-strategy-governance-and-incident-disclosure

[2] https://www.sec.gov/files/33-11216-fact-sheet.pdf; also see, https://www.sec.gov/newsroom/press-releases/2023-13

[3] https://www.paulhastings.com/insights/ph-privacy/sec-speech-on-cybersecurity-disclosure#:~:text=The%20two%2Dpronged%20approach%20of,disclosure%20of%20a%20public%20company’s

[4] https://www.sec.gov/newsroom/speeches-statements/gerding-cybersecurity-disclosure-20231214#_ftn1

[5] https://assets.sophos.com/X24WTUEQ/at/9brgj5n44hqvgsp5f5bqcps/sophos-state-of-ransomware-2024-wp.pdf

[6] Id.

[7] https://www.federalregister.gov/documents/2023/08/04/2023-16194/cybersecurity-risk-management-strategy-governance-and-incident-disclosure at §§ II.A.3, Appendices B and C.

[8] Id. at §§ II.C.1.c, II.C.2.c, II.C.3.c., Appendix D.

[9] Id. at §§ II.E.

[10] Id. at §§ II.E.

[11] See https://www.federalregister.gov/documents/2023/08/04/2023-16194/cybersecurity-risk-management-strategy-governance-and-incident-disclosure

[12] https://www.sec.gov/files/rules/final/2023/33-11216.pdf

[13] https://www.thomsonreuters.com/en-us/posts/investigation-fraud-and-risk/cybersecurity-disclosure-rules/
