I’ve written a blog series like this for many companies I’ve worked for, now I’m doing it on my own blog for everyone to read. Please drop me questions you’d like answered to me via Twitter/X/whatever it’s called this week @miketalonnyc – I’d love to get you answers explained without the jargon!
Because of recent regulations going into effect in the last couple of weeks, many contacts have asked me “What is the new SEC regulation, and what is the SEC doing in cybersecurity anyway?” The answers might surprise you, as this is a major step forward in regulatory control around cybersecurity, so let’s dive in.
First things first, the obligatory disclaimer. I am not a lawyer or regulatory expert – you should definitely be speaking to one or both of those to figure out how, exactly, your organization needs to get into compliance. I’m just a cybersecurity nerd who read up on things.
Many regulatory bodies have moved into the realm of cybersecurity over the last several years. In the European Union we saw the General Data Protection Regulations (GDPR), and in the United States we saw the implementation of regulations like the Healthcare Insurance Portability and Accountability Act (HIPAA). Several regional governments across multiple countries have also put forward and even enacted their own regulations. All of these center around privacy – the ability of a user of a service to control how their data is stored, protected, and shared. The new SEC regulations (which went into effect late in 2023 and into 2024) focus more on disclosure of cybersecurity incidents and are not focused on privacy concerns, which makes them significantly different to the regulations we’ve seen before this point. Similar measures are being drafted, voted on, and even ratified across the world, so this is likely to not be the last measure we will see put into effect in the near future.
But, what do these regulations do, and how do they impact organizations? Well, first let’s define two key terms: SEC Registrant and Material Impact. An SEC Registrant is any company which is required to file disclosures, reports, and other filings with the US Securities and Exchange Commission. This includes US publicly traded companies, and also any companies which are preparing to become publicly traded, though there are exceptions in rare cases – such as some foreign organizations having to file reports even though they are not officially traded in the United States.
Material impact is somewhat more ambiguous, but Harvard Business School defines materiality as:
“… an accounting principle which states that all items that are reasonably likely to impact investors’ decision-making must be recorded or reported in detail in a business’s financial statements using GAAP standards.”
– https://online.hbs.edu/blog/post/what-is-materiality
This means that any event which may cause an investor or potential investor to make a specific decision (such as investing or not investing) is considered “material” in nature. The new SEC regulations make it mandatory to disclose any cybersecurity incident with has material impact, meaning any cybersecurity incident which – if it becomes known – would cause an investor or potential investor to alter their decisions regarding the organization itself.
At their heart, the new regulations create two new reporting requirements for any SEC Registrant. First, all Registrants must file annual reports with the SEC already. These reports are not the “Annual Report” documents that are sent to shareholders and prospects, but rather an official federal filing (Form 10-K) done to keep the SEC and the US Government apprised of what the organization is doing, its overall health, etc. From 2024 onwards, this filing must include details about the cybersecurity resilience of the organization including, but not limited to, which member of the board is responsible for cybersecurity, what issues and incidents have occurred, what measures are being taken to avoid incidents, etc. Most notably, the 10-K filings will have to specifically note who on the board is responsible for cybersecurity resilience, making cybersecurity become a board-level discussion. As most boards are comprised of brilliant business people who don’t generally have deep technical backgrounds (though there are exceptions, of course), this is a massive shift in board responsibility that we haven’t seen in the past.
Second, the regulations require that, after any cybersecurity incident that has material impact, the company must file a disclosure with the SEC. This is done as an amendment to the existing form used to disclose anything that has a material impact – Form 8-K. Such filings are routinely done any time the organization makes a change or institutes a new operational policy that might impact investor opinion and decisions, but this is the first time that the 8-K will have to be filed in the event of a cybersecurity incident. The new regulations also put a specific time restraint on what the filing must occur. Registrants must file their amended 8-K within four business days of the incident being discovered unless law enforcement and/or the US Government explicitly blocks the filing for matters of national security or the integrity of a federal investigation.
Any SEC filing must be signed by stakeholders (usually high-ranking board members) who attest that the information is complete and correct to the best of their knowledge (and being purposefully ignorant of a situation is not accepted as an excuse for not having the knowledge in question if the signatory would have had access to said knowledge). Essentially, purposefully not filing properly and/or knowingly filing a report with false information is a literal federal offense. This would mean that signatories are liable if they fail to disclose an incident, or if they report incorrect information on the state of their cybersecurity resilience. Penalties can include fines, being barred from an industry or from holding a position at a public company, or even federal charges being filed that could result in jail time in extreme incidents. In other words, there is iron in the glove when it comes to enforcement of these regulations – which business leadership have been very well aware of in other areas of SEC reporting for decades now.
The impact of these two regulations going into effect has been sweeping and even surprising overall. First and foremost, the specifics of several incidents became public knowledge due to the filing requirements – such as the gaming/casino attacks that occurred late in 2023. While organizations might otherwise downplay the impact of these incidents, or even attempt to completely hide the incident entirely, now the details are becoming public knowledge and impacting things like share prices and customer trust. Other incidents may come to light with the new annual report regulations, showing which companies are properly defending their organizations and which are not. Most surprisingly, advanced persistent threat (APT) groups – organized criminal groups who create and run coordinated attacks against high-value targets – have actually embraced the new regulations. In one now-famous incident, ALPV/BlackCat filed a complaint with the SEC; detailing MeridanLink’s failure to comply with the reporting requirements when that organization did not file an amended Form 8-K in a timely fashion ( https://www.scmagazine.com/news/hacker-group-files-sec-complaint-against-its-own-victim ). It should be noted that this reporting was for an incident that occurred before the go-live date of the regulations, and as such did not actually trigger an SEC investigation; but it shows that threat actors will indeed weaponize this system to force organizations to pay their ransom fees in order to minimize or control what information becomes public about an incident they suffer.
The new SEC regulations have been challenged, however. The Congress of the United States of America has claimed that the SEC over-reached with the regulations, as such measures are in the purview of Congress and not the SEC. We’ll have to keep an eye on the ongoing debate to see if the regulations are allowed to stand, or if Congress strikes them and renders them invalid. Even if the SEC regulations do get struck down, it would be likely that Congress would pass their own, similar measures to replace them, so this story is going to be sticking around for a while either way.
The SEC has taken a decisive step toward mandatory reporting for cybersecurity incidents that may impact investor decisions. It is likely we will see more governments move in the same direction due to the financial impact of the massive number of cybersecurity incidents seen in the last few years; and the sheer impact that those incidents have had on national and global economic factors. Organizations should definitely prepare for how they will meet these new regulatory requirements to remain in compliance.