New SEC Cybersecurity Rules: What They Mean
Long before the CrowdStrike outage paralyzed thousands of companies and much of the Fortune 500 earlier this summer, the SEC (Securities and Exchange Commission) had its eye on hardening cybersecurity regulations across publicly traded companies. In July 2023, the SEC announced new regulations requiring all registrants to disclose information annually about their cyber risk management, strategy, and governance, beginning with fiscal years ending on or after December 15, 2023. SEC Chair Gary Gensler declared that “Whether a company loses a factory in a fire – or millions of files in a cybersecurity incident,” the information about the incident’s nature, scope, and timing must be revealed.
In the nine months following this vague declaration, the SEC’s regulations were met with mixed reviews. Many public companies, including major players such as Microsoft, Hewlett Packard, and UnitedHealth Group, began disclosing cybersecurity incidents. However, these disclosures often seemed to skirt the SEC's requirements by omitting quantitative details about the attacks, such as financial losses or operational disruptions. The SEC was therefore concerned that companies were not fully adhering to its rules, possibly because of the difficulty of assessing impacts quickly or a lack of understanding of the new requirements. In May 2024, SEC director Erik Gerding clarified that all public companies must disclose any and all cybersecurity incidents “determined by the registrant to be material.” Of course, only public companies registered with the SEC are subject to these rules today, but even private companies are expected to start feeling the ramifications.
So, what does the clarification of this regulation really mean? For starters, a material incident refers to a breach that investors would deem relevant when considering an investment. To qualify as material, the incident must cause some internal or external disruption to the business. A material cyber threat may affect both the quantitative and the qualitative performance of the company, potentially hurting financial results, causing service disruptions, damaging customer trust, and more.
Non-compliance with the SEC's new cybersecurity disclosure rules can result in significant penalties for public companies. These penalties may include fines, legal actions, and increased regulatory scrutiny, as the SEC requires that all material cybersecurity incidents be disclosed on a Form 8-K within four business days of determining their materiality. Companies must also disclose their cybersecurity risk management, strategy, and governance annually under Regulation S-K. Failure to amend prior disclosures when new material information arises can lead to violations under the Exchange Act, which could be cause for further financial penalties and reputational damage. Although there is a provision for delayed disclosure if the U.S. Attorney General deems it necessary for national security or public safety, such exceptions are rare and strictly regulated.
While they do not fall under the SEC’s current purview, private companies should pay close attention to the SEC's new cybersecurity disclosure rules. These regulations, while not directly applicable to companies that haven’t yet gone public, set a standard that could significantly impact their operations and future opportunities. The SEC, as a regulatory body, mandates public disclosures specifically for public companies to ensure transparency and protect investors. So, for companies considering an IPO, a merger, or an acquisition involving a public company, aligning with the SEC’s disclosure guidelines may become necessary to close a transaction or unlock important funding. A more robust cybersecurity posture will also make a private company more attractive to potential investors and partners by showcasing strong risk management practices. And from the work we are doing with various Private Equity firms, we can tell you with certainty that no one wants to acquire a company that is at risk of being breached due to weak cybersecurity controls. Representations and Warranty Insurance (RWI) providers, who are increasingly getting involved in middle-market M&A transactions, also often require attestations around proper cybersecurity controls and disclosure of breaches. Adopting best practices for cyber and IT can also help mitigate the risk of litigation following a cybersecurity breach. By proactively adhering to high standards, private companies can better protect themselves against claims of negligence, potentially avoiding costly legal battles. And that’s where Worklyn, and our team of cyber experts at Quadrant Information Security, often jump in to help businesses seeking to fortify their cybersecurity defenses and ensure compliance with evolving regulations.