
New SEC Rules for Reporting Cybersecurity Incidents Are Coming

By Jay Pasteris, Blue Mantis CIO and CISO

The SEC is proposing new cybersecurity rules for public companies. Blue Mantis’ Chief Information Officer & Chief Information Security Officer, Jay Pasteris, looks at the pros and cons of these rules and offers advice on how your company can prepare.

In February 2022, the U.S. Securities and Exchange Commission (SEC) proposed new rules to enhance and standardize cybersecurity disclosure by public companies. Cybersecurity is one of the most pressing issues facing publicly traded companies today. Recent research from Morningstar showed a company’s stock price declines by almost 5% on average within 60 days of a cybersecurity incident—and often stays down for up to a year after—costing American investors and shareholders billions of dollars. So, the SEC’s proposed rules were in response to the increasingly frequent, sophisticated, and costly cybersecurity attacks that unnerve investors during an already unstable economic environment. 

The SEC’s goal was to mandate how public companies assess, mitigate, and oversee their cybersecurity risks internally then disclose “material cybersecurity incidents” externally in a consistent and comprehensive way. After a short public comment period that ended in April 2022, most executives at public companies and the registered investment firms servicing them were preparing for these new SEC rules to go into effect during Spring 2023. Some executives at private firms were also preparing for how their operations might be affected in case the SEC’s new rules trickled down to them, too. 

However, the SEC issued separate press releases on March 15, 2023 about not only reopening the public comment period for the cybersecurity rules proposed in 2022 but also proposing some new rules “to address cybersecurity risks to the U.S. securities markets.” While never mentioned by name, it’s very likely the new rules for securities are the result of the added scrutiny of the banking system due to the Silicon Valley Bank failure just days before.

The SEC won’t take public comments until after re-publishing the proposal to the Federal Register. However, this reopening of comments gives CISOs, CIOs, and other cybersecurity-focused business executives at publicly traded companies a chance to reexamine the SEC’s regulatory proposals.

The Pros and Cons of the New SEC Cybersecurity Risk Management Rules 

Looking at the SEC’s cybersecurity risk management rules originally published in February 2022, public companies must disclose:

The proposed rules would also require public companies to report material cyber incidents within four business days after becoming aware of them. This would reduce the current reporting lag that can leave investors in the dark about significant cyber events affecting a company’s operations or financial condition. 

Here is a list of the pros and cons for public companies required to enact the proposed SEC cybersecurity rules:

PROS

  • Businesses would be able to communicate more effectively with investors about their cybersecurity efforts and achievements
  • Businesses would be encouraged to adopt best practices for cybersecurity risk management that could enhance their resilience against cyber threats
  • Businesses would be able to leverage the SEC’s guidance and feedback to improve their cybersecurity disclosure processes and quality
  • Businesses would be able to reduce the legal and reputational risks associated with inadequate or misleading cybersecurity disclosure

CONS

  • Businesses would have to incur additional costs and resources to comply with the new disclosure requirements, such as hiring experts, conducting audits, updating systems, etc.
  • Businesses would have to disclose sensitive information that could expose them to competitive disadvantages or increased cyberattacks
  • Businesses would have to deal with more complexity and uncertainty in determining what constitutes material cybersecurity risks and incidents
  • Businesses would have to face more scrutiny and liability from regulators, investors, customers, and other stakeholders if they fail to comply with the new disclosure rules or experience cyber incidents

The SEC believes its proposed rules would benefit both investors and issuers. Investors would be able to make more informed investment decisions based on a better understanding of a company’s cybersecurity risk profile. Issuers would be able to communicate more effectively with investors about their cybersecurity efforts and achievements. Moreover, issuers would be encouraged to adopt best practices for cybersecurity risk management that could enhance their resilience against cyber threats.

Divided Opinions on the Proposed SEC Cybersecurity Risk Management Rules 

In the United States, new government rules are not created unilaterally without the consent of the governed. The public comment period is crucial for CISOs, IT leaders, and cybersecurity professionals to provide the SEC with valuable new perspectives on how regulatory proposals adversely affect businesses. 

During the first round of public comments for the SEC’s proposed cybersecurity rules back in 2022, a consortium of industry associations, including the Healthcare Information and Management Systems Society (HIMSS), the Consumer Technology Association (CTA), the American Property Casualty Insurance Association (APCIA), the Professional Services Council (PSC), and 30 other groups, argued that the rules were too broad, vague, and inconsistent with other standards, and that they would impose significant costs and burdens on regulated entities. HIMSS suggested alternative approaches to enhance cybersecurity disclosure and governance without harming innovation and competitiveness, such as:

The US Chamber of Commerce (CoC), the Nasdaq stock exchange, the American Bar Association (ABA), and other groups warned that the detailed public disclosure of a cybersecurity incident should accommodate a reasonable amount of time required by law enforcement for criminal investigations. Not only are there existing laws passed by all 50 states to authorize delayed disclosures to consumers of data breaches to avoid compromising an ongoing law enforcement investigation (and the Gramm-Leach-Bliley Act similarly authorizing delayed disclosure by financial institutions), but these groups also argued that detailed public reporting of cybersecurity incidents within just four days hands over valuable intelligence to cyber criminals for conducting future successful attacks. 

The SEC’s proposed rules on public disclosures of cybersecurity incidents, according to a letter signed by eighteen state attorneys general, will also be burdensome to the companies in terms of systems and skills. Even large publicly traded companies with dozens of lawyers, business analysts, and other compliance professionals on staff will likely require outside consultants to recalibrate or outright build new cybersecurity incident reporting regimes. The state AGs noted that the SEC’s reporting requirements “would compel public companies to gather, create, and disclose a crushing amount of information. Such disclosures far exceed any information investors reasonably need. And in reality, they would empower [the SEC] to regulate disfavored industries into oblivion.” 

How You Can Prepare for the New SEC Cybersecurity Risk Management Rules

Most CISOs and business executives will agree that investors need access to reliable and relevant information about how public companies manage their cybersecurity risks and deal with cyber incidents. If you have objectively looked at the pros and cons of the SEC’s proposed rules and have strong opinions either way, then I encourage you to engage in the debate once the public comment period reopens in either late March or early April 2023.

Regardless of how the public comments pan out, the top three things a CISO can do to prepare for the new SEC cybersecurity risk management rules are: 

  1. Assess your cybersecurity risk management approach – A good risk assessment will identify the gaps in your current security posture, and one built on the NIST Cybersecurity Framework will likely cover the same ground as the proposed SEC rules. In conjunction with a risk assessment, your organization should conduct extensive penetration tests and tabletop exercises to see exactly how your company would handle these threats.
  2. Work with general counsel and other senior executives – By assessing the potential impact of the SEC’s proposed rules with Legal, Finance, and other business groups, your organization will be better prepared to translate strategy and practices into an accurate, cohesive, and compelling narrative on the company’s cyber risk management practices.  
  3. Focus on security visibility and reporting – Building systems to identify cybersecurity threats and forensically analyze breaches after the fact is crucial for companies to adhere to the SEC’s new rules. Most importantly, you’ll need to present that information in a way that is understandable and actionable for your internal and external stakeholders. 

Cybersecurity is not only a technical issue but also a strategic one. Blue Mantis can help remove concerns public companies have about the new SEC cybersecurity risk management and reporting proposal. We offer support to build and manage sustainable cybersecurity programs for regulated companies created by one of our CxO as a Service experts and backed by our IT/security resources. Blue Mantis can also provide risk assessments, develop actionable IR playbooks, and run an advanced cybersecurity program customized for your business as a managed service.  

Contact Blue Mantis for a cybersecurity assessment today. 


Jay Pasteris

Chief Operating Officer

As Chief Operating Officer at Blue Mantis, Jay Pasteris is responsible for all end-to-end operations of the organization, including ultimate ownership of all data, IT, and organizational risk.  Additionally, he oversees the HR function and is responsible for building, managing and maintaining a world-class talent pool in the U.S., Canada and India.  

Formerly CIO and CISO, Jay was promoted to COO in April 2024. In his new role, Jay continues to oversee the company’s IT and cybersecurity operations and he serves as an invaluable client-facing resource from an advisory and problem-solving perspective.  

Jay is a highly accomplished senior business technology executive with experience in aligning technology with business strategy and driving innovation across organizations. His deep experience as a vision-driven technology leader and his history of successfully delivering enterprise technology solutions has enabled him to build high-performing and results-driven technology teams that not only deliver business value, but transform organizations to excel in the digital era. 

Before joining Blue Mantis in 2021, Jay served as the CIO and CISO for the Massachusetts Medical Society / New England Journal of Medicine; senior vice president of global IT for Houghton Mifflin Harcourt; and CIO and CISO for Veracode—a Boston-based cyber security firm. Throughout his career, Jay has been responsible for leading and delivering scalable enterprise technology solutions; product engineering; global infrastructure; end-user experience; and security and compliance across cloud and software-as-a-service platforms.