The U.S. Securities and Exchange Commission (SEC) is a federal agency responsible for regulating and overseeing the securities industry, including securities exchanges, securities brokers and dealers, investment advisors, mutual funds and other exchanges and clearing agencies. The primary mission of the SEC is to protect investors, maintain fair and efficient markets, and facilitate capital formation.
In the context of cybersecurity, the SEC continuously provides guidance to public companies and other entities within its jurisdiction on how to address and disclose cybersecurity risks and incidents. The SEC recognizes the importance of cybersecurity in protecting sensitive information, ensuring the integrity of financial systems, and maintaining investor confidence.
A brief history of SEC compliance
Over the last decade the SEC has issued guidance and codified requirements that place increasingly stringent requirements on reporting companies.
Here is a brief recap of key guidance:
2011 SEC Guidance:
In 2011, the SEC issued guidance that outlined how public companies should consider cybersecurity risks and incidents when fulfilling their disclosure obligations under federal securities laws. The guidance emphasized the importance of disclosing material information related to cybersecurity risks and incidents to investors.
2018 Interpretive Guidance:
The SEC issued interpretive guidance in 2018, which further clarified public companies' disclosure obligations related to cybersecurity. The guidance emphasized the need for companies to disclose information about the risks they face, the potential impact of those risks, and the measures they take to address cybersecurity threats.
2020 Regulation S-K Amendments:
In 2020, the SEC adopted amendments to Regulation S-K, which is the part of the federal securities regulations that govern disclosure requirements for public companies. The amendments require companies to disclose more information about their cybersecurity risk management in their registration statements and periodic reports.
Regulation S-ID (Identity Theft Red Flags Rule):
While not specific to cybersecurity, Regulation S-ID, or the Identity Theft Red Flags Rule, requires certain SEC-regulated entities, such as broker-dealers and investment advisers, to establish and implement identity theft prevention programs.
2021 Proposed Rule:
In 2021, the SEC proposed a new rule aimed at enhancing cybersecurity risk management by registered investment advisers and investment companies. The proposed rule outlines specific measures that investment advisers and funds should take to mitigate cybersecurity risks and protect customer information.
What’s new in 2024
In July 2023 the SEC announced new rules mandating registrants to disclose significant cybersecurity incidents. Additionally, the rules require that companies must now annually disclose crucial information pertaining to their cybersecurity risk management, strategy and governance initiatives.
The SEC extended these rules to foreign private issuers too, requiring them to make equivalent disclosures. Under the newly introduced regulations, on a per incident basis registrants are obliged to:
- Disclose any cybersecurity incident deemed material
- Include a detailed account of the incident's nature, scope, timing, and its material impact or reasonably likely material impact on the registrant
- Submit disclosure within four business days after the cybersecurity incident is deemed material
On annual basis companies must disclose risk management, strategy, and governance details that outline:
- Processes for assessing, identifying, and managing material risks arising from cybersecurity threats
- Disclosure of the material effects or reasonably likely material effects of risks from cybersecurity threats and past incidents
- A description of the board of directors' oversight of cybersecurity threat risks and management's role and expertise in evaluating and handling material risks from cybersecurity threats. These disclosures are required in a registrant's annual report on Form 10-K.
Cybersecurity incident reporting requirements came into effect on December 18, 2023; smaller reporting companies have until June 15, 2024, to comply. All companies must comply with annual disclosure requirements with annual reports for fiscal years ending on or after December 15, 2023.
Supporting SEC compliance requirements with risk management initiatives
Aligning to SEC (and other federal or state-level) cybersecurity requirements starts by gaining an understanding of your organization’s attack surface, and its vulnerabilities. Vulnerability management metrics provide data insights that are critical to broader attack surface strategy.
These metrics produce business-specific insights and greater visibility to the types of sensitive data it uses, stores, and shares.
Ultimately, these insights help you understand your organization’s levels of threat exposure, make informed management decisions, and quantify risk at the governance level. Having these up-to-date metrics on hand can help satisfy regulatory requirements, including SEC annual reporting.
Take a tour of the Cavelo platform today and see how risk-based vulnerability management can help you identify, target, and prioritize the greatest risks to your business — and keep your team in step with compliance requirements.
