The Securities and Exchange Commission (SEC) has proposed new regulations that would require public companies and covered entities, along with their boards of directors, to implement cybersecurity disclosure requirements. The goal of these regulations is to keep investors informed about how cybersecurity risks are being managed and to ensure prompt notification of significant cybersecurity incidents.
The SEC first introduced these proposed regulations in March 2022, and after reopening the comment period a year later, the comment periods for both sets of regulations closed in May 2023. If adopted, the new rules would establish reporting requirements for material cybersecurity incidents and updates, as well as the policies and procedures used to identify and manage cybersecurity risks. The regulations would also address the oversight of cybersecurity risk by the board of directors and management’s role in assessing and managing cybersecurity risks.
One notable regulation that deserves attention is the requirement for prompt reporting of breaches. This regulation is likely a response to incidents involving companies like T-Mobile and BlackBerry. In 2021, both companies faced public scrutiny for failing to promptly inform customers and the public about server and software vulnerabilities that affected millions of people. T-Mobile’s breach, in particular, exposed the data of over 100 million customers. At the time, there were no existing federal regulations dictating the timeframe for reporting a data breach.
In response to these incidents, Congress began examining requirements for reporting attacks and possible fines for non-compliance. While Congress did not reach a consensus at the time, the SEC is now moving forward with similar disclosure rules that would benefit stakeholders, customers, and investors. Under these rules, covered entities would be required to disclose past and present cyber incidents to the SEC within 48 hours of discovery. They would also need to notify the SEC in writing of significant cybersecurity incidents as soon as they have reasonable grounds to believe one has occurred.
Another notable regulation addresses the role of the board of directors in cybersecurity risk management. The SEC is proposing that public companies disclose whether board members have cybersecurity expertise and describe how the board oversees and handles cyber risks. This regulation would require board members to take responsibility for overseeing the organization’s response and recovery plans in the event of a cyberattack. Boards will need to increase their focus on cybersecurity and ensure that executives and managers have made proper preparations for responding to and recovering from cyberattacks.
While these proposed regulations aim to improve transparency and accountability, there are potential limitations and challenges. Companies may face additional costs to comply with the new rules, such as gathering and analyzing the required data. They also face reputational risks if they fail to adequately address cybersecurity risks. However, the SEC’s intent is to protect the public by promoting transparency, and organizations should take steps to be ready for these changes, regardless of whether they become formal requirements.
Overall, the SEC’s proposed regulations are a significant step towards improving cybersecurity risk management and disclosure for public companies and covered entities. By requiring prompt reporting of breaches and increasing the role of the board of directors in cybersecurity, these regulations aim to enhance transparency and accountability in organizations’ cybersecurity practices.