October is Cybersecurity Awareness Month, which must have influenced the SEC (Securities and Exchange Commission) when they set the deadline for their ruling on website cybersecurity.
While the ruling mostly applies to publicly listed companies, if you’re using third-party software or vendors, a cyberattack anywhere in your tech stack or supply chain could impact you, so it’s good to be aware of this ruling’s fairly significant implications for data protection, risk management, and transparency.
The lowdown on the SEC ruling
Back in March 2022, the SEC observed that cybersecurity incidents pose an ongoing (and escalating) risk to public companies, investors, and their customers and clients.
Just think of all the changes to the digital landscape that have happened over the last handful of years:
- digitalization of operations
- growth of remote work
- ability of criminals to monetize cybersecurity incidents
- use of digital payments
- increasing reliance on third-party service providers for IT and cloud services
Along with these risk factors, the costs of addressing cybersecurity incidents have increased, too. In 2023, the average cost of a data breach (in the US) totaled $9.48MM. [source]
Concerned about these trends and in an effort to protect Americans’ data, this new SEC ruling sets out to improve a) the assessment of security risks and b) the disclosure of incidents.
Key aspects of the SEC ruling (TL;DR)
Cybersecurity Risk Assessment
Public companies are now expected to conduct regular cybersecurity risk assessments and describe their processes for assessing, identifying, and managing material risks from cybersecurity threats. They’re also required to demonstrate their board of directors’ proficiency in cybersecurity.
Disclosure of Cybersecurity Incidents
The SEC requires companies to disclose cybersecurity incidents promptly – generally speaking, within four business days. This includes breaches, data theft, ransomware attacks, or any event that impacts the organization’s operations or its investors. They’ll also be required to disclose the material impact or “reasonably likely material impact” of the incident.
Naturally, there’s a form in case of an event. (Item 1.05 Form 8-K, for all you form freaks.)
Why does it matter?
The ruling protects three key areas:
Investor Protection
Enhancing cybersecurity disclosures helps protect investors by providing a clearer picture of the risks and incidents that may affect a company’s financial health. If an investor has invested in a company that loses a chunk of money due to a cybersecurity issue, they deserve to know.
Market Confidence
Transparent cybersecurity practices contribute to market confidence. You know what doesn’t contribute to market confidence? Check any of the websites below to see just how many companies have exposed your data:
Risk Management
It compels companies to adopt a proactive approach to managing cybersecurity risks, ultimately reducing the likelihood of costly breaches which could (worst case) put a business under, expose sensitive information, and lose customers.
Where to begin?
We’ve got you. Check out our 15-step framework for building your digital fortress. But if we were to distill it down to a three-item checklist:
- Understand your compliance responsibility with the SEC ruling
- Create a cybersecurity plan and share it with your team
- Have a disclosure playbook in the event of a cybersecurity incident
In these digitally oriented days, no one can afford to play roulette with the chances of a cybersecurity incident – start your compliance efforts ASAP so you can start building a track record in case you ever need to show one.
Wrapping it up:
The SEC’s ruling on cybersecurity for websites underscores the critical role cybersecurity should play in your digital strategy. No business, website, or customer is immune from a cyberattack – but everyone can prepare for them. At this point, we might as well consider digital disruptions a persistent foe that’s always lurking under the drawbridge.
We’re NOT a cybersecurity agency… but we are an in-house team of senior-level technologists who stay current on what it takes to reduce our clients’ risk. So don’t lose sleep over cybersecurity – we’re here to help. We’ve completed cybersecurity compliance for Chipotle, ecommerce, and venture capital clients, and security is baked into everything we do. Have questions? Reach out to aaron.copeland@voltage.com.
Disclaimer: None of the information contained in this post should be considered legal advice.