CISO Blog
Impact of the New SEC Cybersecurity Regulations on Business Risk and Information Security Practices
New SEC Cybersecurity Regulations: A Must-Read for Public Companies
The SEC has introduced stricter cybersecurity disclosure requirements for public companies. This article breaks down the key impacts, including increased accountability, mandatory reporting, and the need for enhanced cybersecurity practices. Don’t miss out on this essential information. #cybersecurity #SEC #publiccompanies #regulation
Although this article is US-centric, one can learn some valuable lessons from it and also prepare for the inevitable proliferation of these types of regulations in other jurisdictions.
The US Securities and Exchange Commission (SEC) recently introduced new regulations concerning cybersecurity disclosures for public companies. These regulations are designed to provide investors with more comprehensive, timely, and comparable information about cybersecurity risks and incidents, ultimately impacting both business risk and information security practices. They stem from previous incidents in which risk was not properly disclosed, leading investors to believe that their investment was within their risk tolerance.
This regulation has an immediate impact on overall business risk.
It brings increased accountability and scrutiny, as the rules place a heightened emphasis on accountability for cybersecurity risk management. Public companies will face greater scrutiny from investors and regulatory bodies, who will now have access to more detailed and standardised information about their cybersecurity postures.
The mandatory four-business-day disclosure window for material cybersecurity incidents increases the potential for reputational damage and financial losses. Companies will have limited time to respond to and remediate incidents before disclosing them publicly, potentially impacting investor confidence and stock prices.
The detailed disclosure requirements, particularly regarding the material impact of cybersecurity incidents, could expose companies to increased litigation risk from investors alleging inadequate cybersecurity practices or failure to disclose material information in a timely manner.
Information security practices are not exempt from the impact of this regulation either.
The regulations necessitate a more proactive and comprehensive approach to cybersecurity risk management. Companies will need to establish robust processes for identifying, assessing, and mitigating cybersecurity threats in order to comply with the annual disclosure requirements regarding their cybersecurity risk management, strategy, and governance.
The four-business-day disclosure deadline for material cybersecurity incidents will force companies to streamline and enhance their incident response capabilities. They will need to invest in tools and resources that enable rapid detection, containment, and remediation of incidents to minimise their impact and meet the reporting deadline.
The regulations encourage early collaboration with law enforcement and government agencies, such as the FBI and CISA, in the event of a cybersecurity incident. This collaboration can provide companies with valuable insights and assistance in responding to and recovering from incidents, potentially mitigating their impact.
Then there is the impact on board and management involvement. The SEC regulations emphasise the importance of board and management oversight of cybersecurity risks. The rules require disclosures regarding the board’s role in overseeing cybersecurity risks and management’s role in assessing and managing these risks. This focus will likely lead to greater involvement of boards and senior management in shaping cybersecurity strategy and resource allocation.
To summarise, the new SEC regulations on cybersecurity disclosures represent a significant development for public companies. By increasing transparency and accountability, these regulations aim to empower investors with crucial information about cybersecurity risks. However, they also introduce new challenges for companies, requiring them to adopt more proactive cybersecurity risk management practices, enhance their incident response capabilities, and foster closer collaboration with relevant government agencies.