As part of its mandate to protect investors and foster environmentally conscious markets, the US Securities and Exchange Commission (SEC) has unveiled a revised set of comprehensive guidelines. On July 26, 2023, a significant modification came into effect, reshaping the landscape for publicly traded corporations operating within the United States, which must now provide transparent disclosure of cybersecurity threats, risk management strategies, and incident response protocols.
The newly issued guidelines require explicit disclosure of material cybersecurity breaches on Form 8-K and regular reporting of a registrant's cybersecurity risk management, strategy, and governance framework within annual filings. The primary objective of these guidelines is to provide investors with timely, consistent, relevant, and actionable information necessary for informed investment and voting decisions.
The new guidelines took effect on September 5, 2023. Reporting requirements began on December 18, 2023. Smaller reporting corporations were granted an additional 180 days to comply with the new regulations.
On December 14, 2023, Erik Gerding, Director of the SEC’s Division of Corporation Finance, delivered a speech on the agency’s recent guidelines, where he noted that “threat actors repeatedly and efficiently executed attacks on high-profile companies across multiple critical industries during the course of 2022 and the first quarter of 2023, prompting the Department of Homeland Security’s Cybersecurity Review Board to initiate several reviews.”
The Securities and Exchange Commission (SEC) has observed a significant increase in the cost of cybersecurity breaches to companies and their investors.
Sophos' fifth annual study on the real-world ransomware experiences of organisations across 15 industry sectors globally is titled "Sophos 2024 State of Ransomware Report".
According to the report, an alarming 59% of businesses experienced ransomware attacks over the past year alone. Ransomware attacks wreak havoc on businesses of all scales, resulting in staggering costs in the hundreds of millions to recover from and contain these breaches. The report's figures show that the average cost of recovering from a ransomware attack increased significantly in 2024, jumping to $2.73 million compared to the previous year's total of $1.82 million in 2023. This underscores the pressing need for robust cybersecurity safeguards across all industries, while simultaneously emphasizing the importance of enhanced transparency through effective disclosure practices.
To mitigate these risks, the Securities and Exchange Commission (SEC) has issued revised guidelines aimed at enhancing transparency through the disclosure of cybersecurity breaches affecting publicly traded companies, thereby providing investors with critical information on how these entities respond to and manage cyber threats. This initiative aims to increase transparency and strengthen overall risk management.
The fundamental principle encompasses two paramount requirements:
- Publicly traded corporations are mandated to disclose details regarding material cybersecurity incidents on amended Form 8-K (Item 1.05), providing transparency into the scope, timing, and impact of such breaches. Specifically, they must report the occurrence of a material cybersecurity incident, including its material aspects, such as nature, scope, and timing, as well as any material effect or reasonably likely material effect on the company's financial condition and results of operations.
- Publicly traded corporations must disclose material cybersecurity incidents within four business days of determining them to be material, as mandated by regulatory requirements. The investigation must be completed within four business days of the incident occurring or being discovered. This timing recognizes that, in many cases, an organization may not be able to determine materiality on the same day the issue is identified.
- Publicly traded corporations are mandated to submit yearly reports detailing their cybersecurity risk management processes, protocols, and governance structures through Form 10-K under the Securities and Exchange Commission's (SEC) Regulation S-K Item 1016.
- Publicly traded companies must disclose how they administer processes to mitigate cyber threats, including information on which management roles or committees oversee these efforts, along with any relevant expertise.
The final rule's disclosure requirement focuses on describing the board's oversight of potential cyber threats and, if applicable, identifying any related committees or subcommittees that address such risks, further detailing how the board or such committee stays informed about these threats.
The final rule further establishes disclosure requirements for foreign private issuers, and requires registrants to tag the new disclosures as inline structured data.
As required by Regulation S-K, Article 8 and Form 20-F, all filers must include these disclosures in their annual reports for fiscal periods ending on or after December 15, 2023. In accordance with the incident disclosure requirements set forth in Item 1.05 of Form 8-K and Form 6-K, all registrants other than smaller reporting companies are mandated to commence compliance by December 18, 2023.
Smaller reporting corporations, defined as those with less than $250 million in public float, or with annual revenues below $100 million and public float under $700 million, will have an additional 180 days beyond the non-smaller reporting company compliance date to implement Item 1.05 of Form 8-K, now set for June 15, 2024.
While the SEC has not explicitly defined specific penalties for noncompliance with these new regulations, its enforcement authority is considerably broad. Firms may face fines of up to $25 million, along with other consequences such as cease-and-desist orders or the suspension of their trading privileges. Corporations that fail to disclose material cybersecurity incidents also face an increased likelihood of litigation from customers and stakeholders. The Securities and Exchange Commission's guidelines provide a robust framework for activist investors to hold accountable companies that neglect their responsibilities.
As your publicly traded firm prepares for the SEC rule changes, it is crucial to conduct a comprehensive cybersecurity threat analysis of your IT infrastructure, establish robust incident response plans, and implement solutions that provide real-time visibility into all assets, with accurate and timely reporting capabilities.
Sophos' managed security portfolio, comprising Sophos MDR, Sophos Intercept X, Sophos XDR, and Sophos Firewall, enables seamless collaboration through shared real-time threat intelligence, fostering quicker, more informed, and synchronized detection, response, and overall cybersecurity.
These products are driven by Sophos X-Ops threat intelligence, a comprehensive process fueled by more than 500 security experts within SophosLabs, Sophos SecOps, and SophosAI. Sophos Central's cloud-native platform simplifies security management, providing customers with actionable insights into their security posture, threat investigations, and cyber threats through comprehensive reporting, real-time alerts, and streamlined administration via a user-friendly interface, featuring weekly and monthly summaries.
Sophos offers a range of assets designed to aid your defense against ransomware attacks. You’ll discover an anti-ransomware toolkit, along with links to our trusted incident response partners and a collection of informative articles on ransomware-related topics. Particular recommendation on .
To learn more about Sophos’s intuitive security features or consult with your Sophos partner at this time, please visit the website.