For some public companies, compliance with the new rule could mean significant operational burdens.
As leading cybersecurity attorneys, we understand the challenges facing companies in an ever-evolving digital environment. Luckily, we have the expertise, resources and sector-specific knowledge to provide you with full-spectrum protection. Schedule a free consultation to learn more.
As consumers, we trust that companies who have access to our personal information and financial data have the necessary tools to keep them safe. Unfortunately, leak after leak has demonstrated that companies aren’t always equipped to fulfill their data privacy promises.
In an effort to bring more transparency to investors and consumers, the U.S. Securities and Exchange Commission (SEC) adopted final rules on July 26, 2023 governing the disclosure of cybersecurity incidents. Under those rules, public companies must report material cybersecurity incidents on Form 8-K (Item 1.05) and provide annual disclosures on cybersecurity risk management, strategy and governance in their Form 10-K. The incident-reporting requirement took effect on December 18, 2023, and the annual disclosures apply to fiscal years ending on or after December 15, 2023.
Although the SEC's new rules offer potential benefits to consumers, they may also present significant operational burdens for public companies, which must coordinate state breach-notification obligations and federal SEC disclosures simultaneously in the aftermath of a cybersecurity incident. If you're a stakeholder in a public company or own a business with cybersecurity needs, these new rules carry implications for you, too.
Luckily, you don’t have to navigate the complexities of SEC rules and regulations alone. As leading cybersecurity and data privacy attorneys in Seattle, we have the expertise and resources you need to stay abreast of data privacy laws and your compliance obligations.
This article will explain what you need to know about the SEC's new cybersecurity rules for public companies, including the key consequences for those companies, the meaning of a "material" incident and how every business can benefit from robust preventative measures against cybersecurity attacks.
At By Design Law, we understand that your specific cybersecurity and data protection needs are dictated by countless factors. That's why we design each and every legal strategy around the unique details of your individual circumstances. Call us at (206) 593-1519 to learn more.
How Does the SEC’s New Rule Affect Public Companies?
Before diving into the specifics of how the SEC's new rules affect public companies, it's important to understand a few of the obligations that were already in place. Even before the new rules, public companies were required to disclose material events, meaning information that a reasonable investor would consider important in evaluating the company's financial health.
According to the SEC's 2018 interpretive guidance, cybersecurity incidents were no exception to the disclosure requirements for material events. However, the final rules mark a significant expansion in the specificity public companies must provide in their disclosures and in the timelines they must meet, and adherence to them may require substantial overhauls for many businesses.
Here are some of the most notable impacts of the SEC’s new rules on public companies:
- Increased reporting obligations . Under the new rules, public companies are required to report cybersecurity incidents that they determine to be material, and that materiality determination must be made without unreasonable delay after the incident is discovered. To make it, a company needs to rapidly analyze a number of factors, including the magnitude of the incident and its actual or reasonably likely impact on the company's finances, operations and reputation.
- Timely disclosures . Public companies must disclose material cybersecurity incidents on Form 8-K within four business days of determining that the incident is material. Note that the clock runs from the materiality determination, not from the date of discovery, which is why the rules also forbid unreasonably delaying that determination. Meeting these obligations will require public companies to develop rapid incident assessment and reporting protocols.
- New response processes . In order to identify, assess, address and report cybersecurity incidents in the timeframes outlined by the SEC, many companies will need to develop new, cross-departmental response processes.
- Legal and regulatory compliance risks . Public companies that fail to comply with the new rules for reporting cybersecurity incidents may face enforcement actions by the SEC. They may also encounter legal liabilities if their non-compliance results in losses to investors and stakeholders.
- Challenges in reputation management . Public companies that promptly disclose cybersecurity incidents are typically viewed more favorably by both investors and the general public, and understandably so. However, the requirement for prompt disclosure under the new rules may put certain companies at a disadvantage, particularly ones without the pre-existing infrastructure and operational capacity to respond as quickly.
- Additional costs and resources . Achieving compliance under the SEC’s new rules may require some companies to divert resources to incident response teams, whether or not they can afford to do so.
- Company relationships with third-parties . Public companies commonly rely on third-party service providers and vendors, and an incident on a vendor's systems can be material to the company and still require disclosure. Ensuring that third parties report incidents promptly enough for the company to meet its own deadlines has the potential to strain these relationships and divert additional company resources to vendor contracts, assessment and oversight.
Despite its length, this is not a comprehensive list of the ways in which the SEC's new rules for incident reporting may end up affecting public companies. Ultimately, compliance with the reporting rules will require companies to strive for continuous improvement in their ability to detect, assess, contain, mitigate, report and respond to cybersecurity events.
By Design Law: Trusted Cybersecurity Lawyers in Seattle
Cybersecurity threats aren't going away anytime soon. As a result, achieving long-lasting business success will require companies to adapt to a fast-changing and unpredictable marketplace. However, ensuring compliance with rules and regulations is a tall order in the absence of a dedicated legal partner.
At By Design Law, we're proud to call ourselves experts in the niche and increasingly crucial field of cybersecurity and data privacy law. Maintaining full-spectrum digital protection isn't easy, especially when you don't understand the legal ramifications of failing to do so. Fortunately, we understand the specific needs and legal requirements of businesses in various sectors and can provide comprehensive legal assistance in achieving top-notch cybersecurity.
Ready to get started? Schedule a free case evaluation or call our law office at (206) 593-1519.