2024: The Year of Cybersecurity Transformation for U.S. Public Companies
Starting on December 18, 2023, publicly owned companies operating in the United States must adhere to new regulations imposed by the SEC. These regulations mandate the prompt disclosure of what are referred to as "material" cyber incidents within a strict timeframe of 96 hours, which equates to just 4 days. This development has the potential to create a substantial upheaval in the business landscape.
Companies are required to report various details concerning the breach, including the nature of the incident, its scope, timing, and its material impact, encompassing both financial and operational aspects. This reporting is to be done through the 8-K filing, the same form used for unscheduled material events or corporate changes (the link to the SEC requirements is at the end of this post). Smaller companies, defined as those with a public float of less than $250 million or annual revenues of less than $100 million, are granted a 180-day extension to comply with these regulations. The only other exception to the 4-day rule is if the U.S. attorney general determines that revealing the incident "would pose a substantial risk to national security or public safety," a scenario that is expected to be rare.
Anticipated changes resulting from these regulations include:
A significant reduction in the time it takes to investigate and report cyber breaches. The previous timeline, which often spanned months, has now been compressed to a mere 4 days. Consequently, companies will need to establish robust controls and procedures to swiftly determine the materiality of a cyber incident once it is detected. This is likely to spark a surge in technology solutions aimed at meeting this demand, as well as increased resource allocation towards incident response and investigation, rather than solely focusing on preventive measures.
The SEC's lack of a specific definition for a "material incident" in the context of cybersecurity events means that the well-established definition of materiality used in securities laws will apply. This definition states that information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would significantly alter the total mix of information available to investors. Consequently, companies will need to demonstrate their management's ability to assess and manage material risks arising from cyberattacks. This necessitates not only training managers but also establishing channels to keep them informed about cyber risks relevant to their business.
Interestingly, companies are not obligated to disclose the actions they have taken or are taking in response to the incident. However, it is likely that many companies will internally deliberate on their course of action, leading to discussions on the extent to which these actions should be disclosed without inadvertently aiding the attackers.
A noteworthy consideration is the potential for cyber attackers to exploit these regulations as a means of exerting additional pressure on companies, perhaps to pay ransoms. For instance, in November, the ALPHV ransomware gang reported MeridianLink to the SEC for not promptly disclosing a breach (the link is at the end of this post). As such, it is in the best interest of companies to proactively disclose all breaches to prevent attackers from doing so themselves.
In summary, the year 2024 promises to be an even more intriguing year for the field of cybersecurity, with these new regulations introducing substantial changes and challenges for businesses in their handling of cyber incidents.
Link to the SEC data breach reporting requirements announcement: https://www.sec.gov/news/press-release/2023-139
ALPHV ransomware gang claims it reported MeridianLink to the SEC: https://www.techtarget.com/searchsecurity/news/366559914/Alphv-ransomware-gang-claims-it-reported-MeridianLink-to-SEC