The SEC cyber rules go live
On December 18, 2023, the Securities and Exchange Commission's (SEC) new cybersecurity disclosure rules, adopted in July 2023, took effect for most registrants. The move has drawn pushback from companies and lawmakers who argue that the prescribed timelines are overly restrictive.
We anticipated this level of tension and have been offering the community guidance on how to get ahead of the rules through Pragmatic Cyber Risk Management.
A quick recap of the core elements of the SEC cyber rules
Under the updated rules, a company that experiences a cybersecurity incident it determines to be material, whether a data breach, a ransomware attack or another event, must disclose it on Form 8-K within four business days of that materiality determination. The incident-reporting requirement took effect on December 18, 2023 for most registrants (smaller reporting companies have an additional 180 days) and is intended to ensure a prompt and transparent response to cyber incidents.
In addition to incident reporting, companies must include an annual cybersecurity disclosure in their Form 10-K. It covers the company's processes for assessing, identifying and managing cybersecurity risk, management's role and the board's oversight of that risk, and whether risks from cyber threats, including previous incidents, have materially affected or are reasonably likely to materially affect the company. Foreign private issuers are subject to analogous requirements on Forms 6-K and 20-F, so incident reporting and annual disclosures follow a uniform approach.
There’s been pushback about the SEC Cyber Rules
Industry groups lobbied for more lenient timelines, arguing that a four-business-day window is insufficient for a thorough assessment of an incident and a timely, accurate disclosure. Some advocate adopting quantitative cyber risk models and pre-testing the materiality and disclosure process so that the determination can be made quickly when an incident occurs.
Efforts to secure broader national security and public safety exemptions have faced resistance from top officials at the Department of Justice, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI. As adopted, disclosure may be delayed only when the Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety, and even then for a maximum of 120 additional days before public disclosure.
Lawmakers have also expressed discontent. Chair Andrew Garbarino and Ranking Member Eric Swalwell criticized the rules at a recent hearing of the House Homeland Security cyber subcommittee, and Garbarino has taken the unusual step of introducing a Congressional Review Act resolution to overturn them.
For the C-suite, the new rules create a landscape of tight disclosure deadlines, limited exemptions and heightened SEC scrutiny as companies work through implementing these stringent cybersecurity requirements.
In a recent article on 2024 cybersecurity predictions, Axio CEO Scott Kannry shared his two cents on how the CISO/CSO role will evolve in 2024. “CISOs will assume an elevated position in the boardroom in 2024 – whether they like it or not. 2023 saw a tectonic shift in the role of the CISO, highlighted by the SEC’s cyber rules and the latest SEC actions against SolarWinds. The SolarWinds case is big news, resulting in negative commentary directed at the SEC. SolarWinds itself warned that the SEC’s actions will be damaging to the cybersecurity profession.”
“The reality is that cybersecurity will take its place in an organization’s fiduciary responsibilities in 2024, making the individual ultimately responsible for cybersecurity on the same plane as CFOs, CEOs, and the other directors and officers of the organization (who are covered by D&O Liability Insurance).”