SEC Imposes Tougher Cybersecurity Rules as Breaches Escalate

CYBERSECURITY
Apr 2, 2024

Gary Gensler’s Securities and Exchange Commission (SEC) has striven to be tough on the bad actors of the online world. Now, the SEC is enacting tough new measures to combat cyberattacks.

In Brief

  • Cyberattacks are a growing danger for firms and exchanges of all profiles, no matter where they may operate.
  • The Securities and Exchange Commission aims to force registrants to be transparent about the strength of their defenses.
  • But are US regulators making an example of private firms while ignoring glaring gaps at the government level?

    Under the new rules, registrants will have to be more forthcoming about cyber breaches they undergo. They will face stiffer reporting requirements, including yearly disclosures to the SEC about the systems and protocols they have in place to thwart breaches. There can be no doubt of the severity of cybersecurity vulnerabilities. Yet some may still question the SEC’s priorities.

    SEC Reporting Requirements Are Strict

    Gensler’s regulators mean business and have codified the new policy with a written requirement. When registrants fill out Form 8-K, they will find a new item, 1.05. There they will have to provide details of any cyber incident with what the agency would consider a “material impact.”

    The form will require information on “the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant,” according to the SEC’s announcement.

    Registrants will have four days after the incident to provide a 1.05 filing with the requested information, although the SEC may allow more time when disclosure could have national security implications.

    Put simply, the rules of the road are different now. You cannot suffer a breach of your cyber defenses and carry on as if nothing happened that might be of concern to regulators or to your investors.

    Regulation S-K Item 106 imposes further requirements. Firms and exchanges will have to provide a lot of data on the systems they have in place to spot and thwart cyber threats, including their board of directors’ level of attention to the issue.

    Annual reports will have to offer all these disclosures on Form 10-K. Foreign private issuers face similar, but separate, disclosure requirements.

    Cyberattacks have led to massive losses, and cryptocurrency exchanges are among the hardest hit. Hence the new SEC reporting requirements. Source: Chainalysis.