The SEC’s changing cyber goalposts

Last updated: Nov 16, 2023

What we know

Cyber security regulation is an intensely scrutinised policy area across the globe, including in the EU with the revision of the NIS Directive.

The US SEC is becoming a key voice in the addition of cyber rules and regulations that govern reporting requirements for cyber incidents and, as a result, shape a clearer understanding of which cyber events may be ‘material’.

It has recently ruled that relevant businesses falling under the purview of the SEC must report material cyber incidents within four days. The four-day timeline may be delayed if the Attorney General determines that disclosure would jeopardise national security.

Why it matters

There are several benefits to increasing cyber security regulation, including greater clarity for investors, raising the bar on cyber security controls, increased investment in understanding and managing cyber risk, and more accountability.

However, accountability has taken shape beyond fines. The SEC recently ruled that the SolarWinds CISO is to be held liable for poor compliance with the SEC’s requirements, including a lack of depth and detail on the company’s disclosure forms.

Furthermore, larger companies with greater resources can weather cyber events, and their legal teams can play a central role. For smaller companies with fewer resources, however, not only can a cyber event and its remediation damage the company severely, but in the long term the impact for investors may be catastrophic.

This has led to some backlash over the new rules, including concerns about their impact on investor relationships and the risk of premature disclosure, but the reality is that these rules are inevitable, and it won’t be long until other countries or trading blocs catch up.

Contributors: Sneha Dawda, Consultant, Crisis & Security Strategy