3 2 1… Impact! Early Results under the SEC’s Cybersecurity Governance Rule

In July 2023, the SEC adopted a new rule requiring disclosure of “material” cybersecurity incidents and detailed information on cybersecurity risk management, strategy and governance by public companies.

With the new rule taking effect in December and annual reports due for public release and consumption in the first few months 2024, companies are scrambling to closely review and hone their cyber programs to address these new reporting requirements. 

Early results are in

With several companies already reporting this past month – the two P’s are emerging as the key themes, namely preparedness and processes. The largest companies with the most robust cybersecurity programs generally have a full suite of pre-breach services (e.g., active monitoring and regular penetration testing) and post-breach protocols (e.g., incident response plans) to help plan in advance, identify and remediate vulnerabilities, and quickly react to a potential breach. 

Processes are equally important. Several companies mention in their disclosures threat-level quantification and benchmarking to report on the progress of their cyber programs to senior management teams and boards of directors. Additionally, companies such as United Rentals use the National Institute of Standards and Technology (NIST) framework to help organize and assess cybersecurity risks – a topic we have recently written about in the context of using NIST to assess “materiality” for SEC breach reporting purposes. These initial disclosures reinforce the importance of having a materiality analysis in place as part of your incident response plan that is practiced at least annually. 

How does your cybersecurity program stack up?

The new SEC requirements are intended to raise the bar on cybersecurity programs. With unprecedented levels of visibility into the cyber programs and practices of public companies – customers, management teams and boards of directors can quickly benchmark across business sectors and industry verticals to self-assess and make “apples to apples” comparisons between competing companies.

For example, if you are a CEO in the oil and gas services industry, does your company engage in continuous monitoring of cybersecurity threats? If not, you may now be at a competitive disadvantage to industry leaders like Schlumberger who have in place (and have now publicly disclosed) their 24/7 threat monitoring capabilities. These disclosures reveal what industry standards now look like – and serve as indicators on whether your company is meeting those standards. 

Prepare for impact on the supply chain

Where do private companies stand in all of this and how will it impact them? Even though they are exempt from SEC requirements, a critical part of the new disclosure rules is how public companies assess third-party cybersecurity risk and implement “controls” on their suppliers. 

If you are a supplier to large public companies and enterprise customers – prepare now for the downstream impact and assess the maturity of your cyber program. You should fully expect tougher cybersecurity contract requirements, more rigorous risk assessments and more scrutiny on your cyber program from your largest customers.