New SEC cybersecurity rules impact public companies and also private businesses considering IPOs

The Securities and Exchange Commission (SEC) has adopted rules requiring public companies to disclose material cybersecurity incidents, those significant enough to affect a reasonable investor's view of the business, within four business days of determining that an incident is material. Delays are allowed only when immediate disclosure would pose a substantial risk to national security or public safety.

The new rules, adopted July 26, 2023, also require publicly traded companies to disclose annually how they manage cybersecurity risk, how the board oversees it, and the role and expertise of management in the area, according to The Associated Press (The AP). The stated goal of the new rules is to protect investors by giving them consistent, comparable information.

The annual disclosures go in Form 10-K filings for fiscal years ending on or after Dec. 15, 2023. Incident disclosures are made on Form 8-K, a current report filed within the four-business-day window rather than with the annual report; that requirement took effect Dec. 18, 2023, with smaller reporting companies given until June 15, 2024. While some critical infrastructure operators and healthcare providers are already legally required to report breaches, no general federal breach disclosure requirement for public companies existed until now, according to The AP.

Additionally, the new regulations require companies to describe on Form 10-K their processes for assessing, identifying and managing material risks from cybersecurity threats, and whether any such risks have materially affected, or are reasonably likely to affect, the business. A company cannot describe a process it does not have, so in practice this requires performing a risk assessment and implementing a cybersecurity program.

Implications of the new rules are significant, says Mazars National Risk Consulting Leader Paul Truitt.

“There are many smaller publicly traded organizations that may not have a formal cybersecurity program in place,” he explains. “They might have cyber breach insurance, which likely required some form of self-assessment or may have some existing compliance requirements to assess against. But developing a formal cybersecurity strategy that meets these requirements, appropriately protects the organization’s sensitive data and is still cost-effective is where many smaller publicly traded organizations will likely need an outside firm's help.

“And then you have all of the downstream implementation activities related to the program that you develop,” Truitt adds. “How do I put enforceable policies in place? How do I implement network segmentation without creating a business impact? Is adequate endpoint software in place? How do I respond to a security threat or incident? All of these concerns are much easier, and many times can be remediated in a more cost-effective way, by utilizing outside expertise.”

The new rules also will impact privately held companies considering IPOs, says Mazars National Sensitive Data/Cybersecurity Compliance Leader Alan Gutierrez-Arana.

“Many times they don't have anyone at the board level with cybersecurity expertise or background, and they don't establish committees for risk management or cybersecurity,” Gutierrez-Arana says. “These new regulations are very specific about cyber governance and reporting at the board level.

“And what is the board's oversight of cybersecurity risk?” he adds. “Now they need to disclose cybersecurity incidents in a set of specific forms and the 10-K. Companies also need to specify which activities the board needs to take to ensure appropriate cybersecurity risk management activities are in place.”

The four-business-day window for reporting doesn't begin until a company has determined that an incident is material, but the rules require that determination to be made without unreasonable delay, so companies cannot extend the clock by postponing the analysis. Disclosure can be delayed if the US Attorney General determines it would “pose a substantial risk to national security or public safety” and notifies the SEC in writing. Such delays are granted in 30-day increments and can be extended beyond 60 days only under extraordinary circumstances.

The rules were first proposed in March 2022, when the SEC concluded that breaches of corporate networks posed an escalating risk as companies digitized their operations and expanded remote work, and that the cost of cybersecurity incidents to investors was rising.

In a new report published by IBM and cited by The AP, researchers found that organizations now pay an average of $4.45 million to deal with a breach, a 15% increase over the past three years. The report, conducted with the Ponemon Institute, also found that impacted businesses typically pass the costs on to consumers, who may themselves be victims of personal information theft in the breach.

Learn how Mazars can help

For more information about how Mazars can help your organization meet these new SEC cybersecurity regulations, please contact us.

The information provided here is for general guidance only, and does not constitute the provision of tax advice, accounting services, investment advice, legal advice, or professional consulting of any kind. The information provided herein should not be used as a substitute for consultation with professional tax, accounting, legal or other competent advisers.