There are approximately 5,996 publicly listed companies in the United States, including those on the New York Stock Exchange and the Nasdaq. Each of these companies is subject to the SEC's cybersecurity regulations.

Are you aware of how these latest SEC cybersecurity mandates might impact your business operations and data protection strategies? These regulations will change how data security and incident reporting work in the financial sector.

Defining the SEC’s Cybersecurity Scope and Significance

The U.S. Securities and Exchange Commission (SEC) Cyber Security refers to a set of regulations and guidelines established by the SEC to enhance the cyber security posture and resilience of organisations under its jurisdiction.

Primarily, this initiative aims to protect the integrity of financial markets and safeguard investor data from cyber threats. The SEC, the primary regulatory body overseeing the securities industry in the United States, recognises the growing importance of cyber security in an increasingly digital financial landscape.

Under the SEC's purview, cyber security encompasses a broad range of practices and policies to protect networks, computers, programs, and data from unauthorised access, attacks, or damage. In the financial industry context, this includes safeguarding sensitive financial information, ensuring the confidentiality and integrity of investor data, and maintaining the availability of critical financial services.

The SEC's focus on cyber security arises from an understanding that the financial sector's stability and trustworthiness are pivotal to the economy's overall health. Cyber attacks on financial institutions can lead to significant financial losses, erode investor confidence, and potentially destabilise the financial markets.

The SEC's approach to cyber security involves direct regulation, such as setting forth rules around Cybersecurity Risk Management, Strategy, Governance, Incident Disclosure, and guidelines for financial institutions like Regulation S-P.

The SEC collaborates with other regulatory bodies and stakeholders to develop a comprehensive and coherent cybersecurity strategy. This collaborative approach is important in addressing the cross-sectoral nature of cyber threats, which often transcend organisational and geographical boundaries.

New Regulation Changes for 2024

The new cybersecurity rules adopted by the U.S. Securities and Exchange Commission (SEC) are set to take effect at different times depending on the specific requirement. The final rules will become effective 30 days after publication in the Federal Register. For disclosures related to cybersecurity risk management, strategy, and governance in annual reports, the rules apply to fiscal years ending on or after December 15, 2023. Organisations must include this information in their Form 10-K and Form 20-F filings for the fiscal year-end dates and beyond.

Regarding the disclosure of material cybersecurity incidents, the rules stipulate that these should begin 90 days after publication in the Federal Register or December 18, 2023. This applies to domestic issuers, who will report through Form 8-K filings, and foreign private issuers, who will use Form 6-K filings.

Smaller reporting companies have an additional 180-day grace period before they must start providing the Form 8-K disclosure. Moreover, all registrants must tag disclosures required under the final rules in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.

Who will be affected?

The SEC’s new cybersecurity rules predominantly target publicly listed companies, requiring them to comply with various incident reporting and governance disclosure requirements. However, the impact of these rules extends beyond just publicly listed entities.

Numerous publicly traded firms depend on smaller entities in software and supply chain sectors. A cybersecurity breach within these interconnected networks can significantly affect operations. Hence, these smaller entities, whether they are publicly listed or privately held, need to be aware of and comply with the new SEC regulations.

The SEC has demonstrated a willingness to enforce regulations beyond public companies and registrants, targeting specific investment advisers. This is evident from cases involving private entities like law firms and private companies where the SEC has intervened following cyber incidents. Hence, the scope of who will be affected by these rules is broad, encompassing a wide range of organisations that, directly or indirectly, contribute to or are part of the financial ecosystem regulated by the SEC.

What is changing?

The SEC's adoption of new cybersecurity rules marks a significant shift in the regulatory landscape for cybersecurity disclosures and risk management. The primary change is the introduction of mandatory cyber-incident reporting requirements for all U.S.-listed companies. This involves the disclosure of material cybersecurity incidents, requiring companies to assess and declare these incidents' impact on their financial condition and operations. Such disclosures must be filed within four business days after the company determines the incident's materiality.

Another major change is in risk management and governance related to cybersecurity. The new rules require U.S.-listed companies to disclose information about their board's proficiency and oversight of cybersecurity risks in their annual Form 10-K and Form 20-F filings. This includes detailing the processes for assessing, identifying, and managing material risks from cybersecurity threats. The rules reflect a shift towards a more proactive and transparent approach in dealing with cyber risks at the corporate governance level.

What are the key requirements of being compliant with the new rules?

Organisations need to focus on several key requirements to comply with the SEC’s new cybersecurity rules. First, they must establish a protocol for promptly identifying and assessing the materiality of cybersecurity incidents. Once an incident is material, it must be disclosed in Form 8-K filings (for domestic issuers) or Form 6-K filings (for foreign private issuers) within four business days. This requires a robust and responsive incident detection and evaluation system.

Secondly, organisations must provide detailed disclosures on their cybersecurity risk management, strategy, and governance in their annual reports (Form 10-K and Form 20-F). This includes describing the processes for assessing and managing material risks from cybersecurity threats and the board of directors’ oversight of these risks.

Finally, firms should extend their cyber policies, procedures, and practices to all third-party vendors. Given the interconnected nature of modern businesses, ensuring that third-party partners adhere to the same high cybersecurity standards is essential.

How can organisations ensure they are compliant with the new rules?

Ensuring compliance with the SEC’s new cybersecurity rules requires a comprehensive approach. First and foremost, companies should incorporate cybersecurity into their corporate governance framework. This involves having a board of directors that is informed and proficient in cybersecurity matters and ensuring that there is a clear structure involving senior stakeholders in cyber-risk management.

Regular training and testing are essential components of a cybersecurity framework. Employees at all levels should be aware of the potential cyber risks and the procedures to follow in the event of an incident. Additionally, companies must invest in cyber resilience and preparedness for cyber-threat response. This includes having an efficient response plan that can effectively stop or quickly remediate real threats when attacked.

Data loss prevention (DLP) is another critical aspect to compliance with the SEC's new cybersecurity regulations. These regulations emphasise the importance of protecting sensitive information from breaches and unauthorised access. An automated DLP tool can significantly enhance an organisation's compliance with these rules by continuously monitoring and protecting sensitive data across various SaaS platforms.

Such tools can prevent inadvertent leaks or malicious breaches by automatically identifying and securing sensitive information. This level of protection is vital for maintaining compliance and safeguarding the organisation's reputation and the integrity of the financial markets.

How Metomic Can Aid Compliance with SEC Changes

Our data security platform aligns well with the requirements set forth by the SEC's new cybersecurity rules, making it an effective tool for ensuring compliance.

Automated Detection and Security

Metomic's capability to detect and secure sensitive data in SaaS applications is crucial for compliance. This feature helps in:

- Identifying and protecting personally identifiable Information (PII) and confidential data is vital under the new SEC regulations that require disclosure of material cybersecurity incidents

- Providing high detection accuracy and custom classifiers is essential for organisations to effectively manage the types of data they deem sensitive and report any material incidents as required by the SEC.

Risk Management and Automated Remediation

Metomic's risk management tools and automated remediation capabilities are particularly beneficial for maintaining SEC compliance.

- With Metomic, organisations can triage risks using an AI-powered Risk Score, which aligns with the SEC's emphasis on proactive risk assessment and management.

- The ability to automate security policies across SaaS apps, including redacting sensitive data and controlling access levels, aligns with the SEC’s mandate for robust data protection measures. This automation helps ensure that the organisations’ data protection measures are efficient and effective, reducing the likelihood of non-compliance.

Discover how Metomic can streamline your compliance with SEC's new cybersecurity regulations – book a personalised demo today to keep your organisation compliant.