SEC’s New Cybersecurity Regulation
The Securities and Exchange Commission (SEC) has adopted new rules that require companies to disclose material cybersecurity incidents and information about their cybersecurity risk management, strategy, and governance. This aims to provide investors with consistent and comparable information to make informed decisions. The rules apply to both domestic and foreign private issuers. The new regulations will become effective 30 days after publication in the Federal Register, with disclosure deadlines starting for fiscal years ending on or after December 15, 2023.
The Significance of SEC’s New Rules
The new rules are crucial in enhancing transparency and accountability in the financial markets regarding cybersecurity incidents. By requiring companies to disclose such incidents and their risk management approaches, investors can better understand the potential impact of cybersecurity threats on a company’s operations and financial performance.
Who the SEC’s New Rules Affect
The rules are targeted towards publicly-traded companies registered with the SEC, including both domestic and foreign private issuers. These companies are required to make the specified cybersecurity disclosures in their annual reports and on Form 8-K (for material incidents) or Form 6-K (for foreign private issuers) as per the provided timelines.
List of SEC’s New Rules
Rule 1: Disclosure of Material Cybersecurity Incidents
- Registrants must disclose any material cybersecurity incidents they experience.
- The disclosure should include the material aspects of the incident’s nature, scope, timing, and its material impact or reasonably likely material impact on the registrant.
- The disclosure must be made on the new Item 1.05 of Form 8-K.
- Generally, the Form 8-K disclosure is due four business days after the registrant determines the cybersecurity incident is material.
- Disclosure may be delayed if immediate disclosure would pose a substantial risk to national security or public safety.
Rule 2: Disclosure of Cybersecurity Risk Management, Strategy, and Governance
- Registrants must disclose material information about their processes for assessing, identifying, and managing material risks from cybersecurity threats.
- They must also disclose the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.
- The disclosure must describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing these risks.
- This disclosure is added as Regulation S-K Item 106 and is required in a registrant’s annual report on Form 10-K.
Rule 3: Comparable Disclosures for Foreign Private Issuers
- Foreign private issuers are also required to make comparable disclosures for material cybersecurity incidents on Form 6-K.
- They must also provide disclosures regarding cybersecurity risk management, strategy, and governance on Form 20-F.
Rule 4: Effective Date and Deadlines:
- The final rules will become effective 30 days following publication in the Federal Register.
- Form 10-K and Form 20-F disclosures will be due for fiscal years ending on or after December 15, 2023.
- Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023.
- Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure.
- Registrants must tag the disclosures required under the final rules in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.
Cybersecurity Incident Vs. Breach
Cybersecurity (or security) incidents and data breaches are sometimes used interchangeably. While any sort of data breach is considered a significant security incident, not every security incident involves a data breach. A security incident is any event that potentially harms a computer system or network. It could be an attempted cyber-attack, a virus infection, or unauthorized access to data. A data breach, on the other hand, is a specific type of security incident where sensitive or confidential information is accessed, disclosed, or stolen without authorization. The SEC’s new rules require disclosure of any material cybersecurity incidents, including but not limited to data breaches.
How Organizations Can Prepare with BigID
A modern data security strategy starts with complete data visibility and control. BigID leverages a data-centric and risk-aware approach to effectively improve data security posture, streamline remediation, ensure compliance, accelerate breach response, and ultimately reduce data risk – at scale. Here are the ways organizations can prepare for and meet compliance with SEC’s new cybersecurity rules and requirements:
Comprehensive Data Risk Assessments
- BigID’s Data Risk Assessment reports stand out from typical assessments. With comprehensive coverage across all data types and locations (structured and unstructured, cloud, hybrid, and on-premises), our assessments incorporate all your information, wherever it resides. Our broad range of data security use cases aggregates diverse risk indicators, strengthening your assessment. Plus, unlike other methods that take weeks or months, BigID’s Data Risk Assessments are completed within hours, saving you time and providing actionable insights.
Identify-Aware Breach Response
- BigID’s identity-aware breach analysis effectively assesses the scope and magnitude of a data breach. Seamlessly map and inventory all personally identifiable information (PII) and personal information (PI) back to the corresponding identities (entities) and residences. Pinpoint the users and personal data that have been compromised. Generate automated reports for regulators and auditors, ensuring compliance requirements are met. Moreover, identify users’ residency information, enabling you to tailor your response to meet specific jurisdictional requirements and expedite your overall response process.
Data Governance, Inventorying, & Exploration
- Data governance is a core tenet of a sound data security strategy. Proper data governance serves as a baseline to better secure where your sensitive data lives, how long it’s there for, and who can access it. BigID brings data security and governance together to streamline and automate the way you manage and protect your data. Leverage trainable AI and ML techniques to enhance your ability to discover, explore, and inventory sensitive data. Precisely target remediation efforts and reduce exposure, transforming the way you perceive and safeguard your data.
Jumpstarting Data Security Posture Management (DSPM)
- As hybrid data environments continue to scale and evolve, delivering on DSPM is critical to understanding and mitigating data risks. BigID’s industry-leading DSPM platform allows you to centralize detection, investigation, and remediation of critical data risks and vulnerabilities across hybrid environments. Assign severity and priority based on the context of the data, including its sensitivity, location, accessibility, and more. Continuously monitor for suspicious activity, pinpoint potential insider threats, and dive deep into the details for thorough analysis.
Enforcing Data Security & Compliance Policies
- Use pre-built sensitivity classification and security policies that align with compliance and frameworks such as NIST, CISA, PCI, and now the SEC, enabling effective management and protection of the right data. Create and enforce data management and security policies, including retention, minimization, and access management policies. As policies are triggered, kickoff streamlined workflows across the right people and tools. Validate the need to retain or discard data, and automatically carry out remediation actions using the proper tool of choice. Govern your data like security depends on it.
BigID helps organizations of all sizes manage, protect, and get more value out of their data anywhere it exists — on-prem or in the cloud. Schedule a 1:1 with one of our security experts today to learn more about how we can help you meet SEC compliance!