Why Did the SEC Introduce This New Cybersecurity Rule?
The new SEC Final Rule requires public companies to disclose their cybersecurity posture annually and to report material cyber incidents within four business days of determining that an incident is material.
The SEC's new cybersecurity rule aims to enhance transparency around how public companies prepare for and respond to cyber threats.
Companies must disclose material cybersecurity information to investors, similar to financial changes.
The rule was finalized on July 26, 2023, with compliance required by December 18, 2023.
Public companies must provide an annual overview of their cybersecurity risk management, strategy, and governance, and must disclose material cyber incidents within four business days of determining that the incident is material.
Strac can assist companies in maintaining security visibility, enforcing access controls, prioritizing remediation efforts, and timely reporting of cyber incidents.
The SEC's Final Rule aims to enhance transparency around how public companies prepare for and respond to cybersecurity threats. As more organizations move their data to cloud environments, the potential attack surfaces and cyber risks expand, making it crucial for companies to establish and maintain robust, standardized policies and procedures to safeguard their data, as well as the systems, applications, and networks that host it.
The cybersecurity stance of a company, along with any significant breaches, can significantly influence shareholders’ investments. Just as public companies are required to disclose material financial changes or weaknesses under existing SEC regulations, they now also need to share material cybersecurity information.
In the SEC’s words:
“In our disclosure-based regime, investors have a right to financial statements prepared in accordance with Generally Accepted Accounting Principles (GAAP).” – Assessing Materiality, March 2022
This new rule extends that right to include insight into a company's cybersecurity posture and its material cyber incidents.
Understanding the Effective Date of the SEC Cybersecurity Rule
The rule was finalized on July 26, 2023. Incident disclosure on Form 8-K is required from December 18, 2023, for most public companies; smaller reporting companies have until June 15, 2024, to begin filing incident disclosures, giving them additional time to prepare. The annual disclosures apply to annual reports for fiscal years ending on or after December 15, 2023.
Impact of the New SEC Cybersecurity Disclosure Rule on Public Companies and Strac's Assistance
The requirements of the new SEC cybersecurity rule, and how Strac can help with each, are described below.
Requirement 1: Overview of Annual Cybersecurity Disclosure
Each year, in their annual report on Form 10-K, public companies are required to describe their processes for assessing, identifying, and managing material cybersecurity risks, the material effects (or reasonably likely material effects) of those risks, and how management and the board of directors oversee cybersecurity.
Maintaining Security Visibility and Control: Companies need a continuous overview of their cybersecurity posture, which includes discovering and classifying data across hybrid infrastructure. See Strac's list of SaaS, Cloud, Gen AI and Endpoint integrations: https://strac.io/integrations
Enforcing Access Controls: Identifying and limiting over-provisioned users and roles by adhering to the principle of least privilege is essential. Strac can support this with tools that help enforce these controls effectively.
Prioritizing Remediation Efforts: Transparent risk analysis allows companies to address the most critical issues first, helping to maintain compliance with ongoing regulatory standards.
Transparent Reporting: It’s important for companies to communicate their security posture improvements and updates clearly, ensuring that executives and board members are informed about potential breach costs and the overall data security status.
Requirement 2: Importance of Timely Disclosure of Material Cyber Incidents
When a cyber incident is determined to be material, a public company must report it under Item 1.05 of Form 8-K within four business days of that materiality determination (not within four business days of discovering the incident). The disclosure must describe the material aspects of the incident's nature, scope, and timing, and its material impact or reasonably likely material impact on the company, including its financial condition and results of operations.
Evaluating the Financial Impact: Understanding the potential financial ramifications of breaches helps in conveying their importance to executives and board members. By using real-world data or customizing calculations to their environment, companies can make informed assessments.
Efficient Monitoring and Rapid Response: By closely monitoring data, companies can quickly respond to breaches and minimize damage. Strac’s advanced visualization tools can help by identifying breach conditions early, enabling faster response times and reducing potential impacts.