What the SEC Cybersecurity Rules Mean for Midsize Organizations

A significant cybersecurity event can have enormous financial impact on an organization, including both direct costs and indirect costs. Direct costs can include remediation expenses, legal and regulatory fines, and investigations and forensics. Indirect costs include reputational damage and business disruption.

A company’s value is also commonly affected. SolarWinds lost 40 percent of its market capitalization after its 2020 breach; by one estimate, “insured losses” totaled $90,000,000, including incident response costs and forensic services. Equifax lost over 30 percent of its market value immediately following its 2017 breach. The risk extends into an organization’s supply chain: Applied Materials, for example, lost $250 million due to a ransomware attack on one of its suppliers.

In financial reporting, these are known as “material events” that could impact a company’s financial condition, operations, or overall business performance. The U.S. Securities and Exchange Commission (SEC) governs reporting requirements for public companies. Financial and normal business operations disclosures are published in quarterly (10-Q) and annual (10-K) reports. When significant events or material changes occur that could affect an organization’s operations or financial conditions, the SEC requires additional reporting through Current Reports (Form 8-K). Traditionally, this includes events such as acquisitions or dispositions of assets, changes in management or control, financial restatements, or legal proceedings.

As of September 5, 2023, significant events include cybersecurity incidents.

In July, the SEC published its final rule for “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.” The rule requires public companies to file a Form 8-K within four days of a material cybersecurity incident. The report must include the “nature, scope, and timing and impact or reasonably likely impact” of the incident. Additionally, the rules amend Forms 10-Q and 10-K to require organizations to provide information on the organization’s policies and procedures for identifying and managing cybersecurity risks, the role of management and the Board of Directors in overseeing these controls, and information about cybersecurity expertise at the board level.

The New Rules Follow a Recent Pattern

It is clear the federal government is taking cybersecurity and information sharing more seriously. The SEC rule changes follow other federal orders including:

  • In May 2021, the Biden Administration issued Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity.” The EO includes extensive requirements designed to improve information sharing on threats and attacks.

  • The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The Act requires organizations to report to the Cybersecurity and Infrastructure Security Agency (CISA) “substantial” cybersecurity incidents within 72 hours after the entity “reasonably believes” the incident occurred, and ransomware payments within 24 hours of payment.

  • The March 2023 issuance of the National Cybersecurity Strategy. The strategy includes goals of defending the nation’s critical infrastructure, disrupting and dismantling threat actors, and shaping market forces to drive security and resilience.

  • More aggressive enforcement actions, including targeting individuals in addition to corporate entities. Recently, Wells Notices were sent to several current and former SolarWinds executives regarding their 2020 breach, notifying them that the SEC’s staff intends to recommend enforcement action against them as individuals for their actions (or lack of actions) following a breach.

“It’s very important to realize that while this law is directed at public companies, it’s really going to trickle down to all companies of all sizes.”

— Alisa Chestler, Chair, Data Protection, Privacy, and Cybersecurity Team, Baker Donelson

What This Means to Small and Midsize Organizations

While the SEC rules apply to public companies, we expect a “trickle down” requirement will force midsize organizations to comply as well for two primary reasons:

  • Cyber Supply Chain Concerns: While private companies may be exempt from reporting incidents to the SEC, their partners and customers may not be. If you are working with a public company, they will want assurances that your security is sufficient to protect their data and require you to report breaches that may affect their data. Even if you are not working with public companies, organizations working with critical infrastructure industries like healthcare, utilities, defense, financial services, and government will be subject to CIRCIA reporting requirements.

  • Investor Concerns: Most midsize organizations have outside investors, including venture capital and private equity firms. These firms, in turn, raise capital from large investors. Because of the real costs associated with a cybersecurity incident, including the valuation of a company to a potential acquirer, we expect these firms to be increasingly diligent in reviewing the cybersecurity profile of the companies in which they invest.

What Can Small and Midsize Organizations Do?

The new SEC cybersecurity rules significantly enhance disclosure requirements. Preparing for attacks and disclosures requires a layered approach. Here are a few things organizations can do to prepare for the reporting requirements for the SEC rules – and additional scrutiny from investors and larger partners.

  • Understand where risk exists: Having visibility into risk is the first step in any cybersecurity program. A Cybersecurity Risk Assessment Tool is designed to identify strengths and weaknesses and prioritize areas for improvement. Another method is to employ Penetration Testing, which identifies network and security weaknesses through simulated cyberattacks across networks, systems, and mobile and web apps.

  • Think like a hacker: Hackers value simple attack vectors like unpatched software and components. It is far easier to exploit a known vulnerability than identify a zero-day weakness. A Vulnerability Scanner automates scanning, reports weaknesses, and recommends remediation actions.

  • Prepare and practice incident response: The new reporting requirements make incident response capabilities critical, including notifications to federal and state regulators and public company or critical infrastructure partners. Be prepared with a Cyber Incident Response Plan that ensures clarity around your team’s roles, responsibilities, and actions to mitigate impact in the case of an incident.

  • Prepare for Vendor Risk Assessments: Public companies (and those planning for IPOs) will increase cybersecurity controls in vendor risk assessments. This will likely include a partner’s ability to detect and respond to incidents. Building, staffing, and managing a Security Operations Center (SOC) to identify and block threats around the clock is beyond the resources of most midsize organizations. A Managed Detection and Response service provides these capabilities with 24/7 monitoring by skilled security personnel, including detection, containment, and response across endpoints, mobile devices, networks, email and other cloud applications.

The new SEC disclosure rules are putting new demands on public companies and their vendors and partners that manage sensitive information. These new requirements will ultimately trickle down to smaller organizations, through supply chain mandates or investor concerns. Building a security program that will meet the stringent requirements of large organizations necessitates a layered approach that includes assessing risk, defending against inevitable attacks, and educating users.

Unsure where to begin? Schedule a demo with one of our cybersecurity advisors to take the first step toward comprehensive cybersecurity.
