The much-anticipated cybersecurity rules by the US Securities and Exchange Commission (SEC) for public companies have arrived, signaling a significant step forward from the proposed rules released in March 2022. These final rules, effective July 26, 2023, introduce new obligations that public companies must adhere to, promising a more secure and transparent corporate landscape. However, these regulations bring significant compliance challenges and litigation risks. Public companies now face the need to assess their internal disclosure controls, enhance their cybersecurity risk management, and invest effort in drafting their cybersecurity disclosures.
In this article, we explore these new SEC rules, the potential effects they may have and how Flowmon can help public companies navigate this intricate landscape. The information provided in this post does not, and is not intended to, constitute legal advice. Any reader who needs legal advice should contact their counsel to obtain advice with respect to any particular legal matter. No reader, user or browser of this content should act or refrain from acting on the basis of information herein without first seeking legal advice from counsel in their relevant jurisdiction.
Scope of the New SEC Cybersecurity Rules
The SEC's final cybersecurity rules are a significant milestone, making it mandatory for public companies to:
- Report Material Cybersecurity Incidents: Public companies are required to report material cybersecurity incidents within four business days after determining their materiality. The definition of a "cybersecurity incident" now covers unauthorized occurrences that jeopardize the confidentiality, integrity or availability of information systems, and it is interpreted broadly so that a wide range of events is included.
- Describe Cybersecurity Risk Management Processes: Companies must describe their processes for assessing, identifying and managing material risks from cybersecurity threats. This description should include whether such risks are reasonably likely to materially affect the company's business strategy, operations or financial condition.
- Disclose Cybersecurity Governance Practices: Public companies must reveal their cybersecurity governance practices, including how the board oversees cybersecurity risk and how management manages, monitors, detects, mitigates and remediates cybersecurity incidents.
New SEC Rules Adoption Timeline
The new SEC rules were announced on July 26, 2023. The cybersecurity incident reporting obligation takes effect 90 days after publication in the Federal Register or on December 18, 2023, whichever is later. Smaller reporting companies have 180 days to comply. The other disclosures are to be included in annual reports for fiscal years ending on or after December 15, 2023.
Flowmon-Powered SEC Cyber Compliance
Flowmon's Network Detection and Response (NDR) solutions play a pivotal role in helping companies meet the SEC's stringent requirements:
- Reporting Material Cybersecurity Incidents: Flowmon enables public companies to swiftly assess the nature, scope and timing of cybersecurity incidents, helping with accurate reporting of their material impact. This real-time visibility helps to comply with the tight deadlines imposed by the SEC.
- Cybersecurity Risk Oversight at the CxO Level: Flowmon provides context-aware data, offering valuable insights through dashboards and reports. This empowers CxO-level oversight to communicate with their board about cybersecurity risks, improving management awareness about potential threats and vulnerabilities.
- Increased Visibility into Third-Party Systems: Flowmon's network-wide observability enhances public companies' ability to detect and mitigate incidents stemming from supply chain cyber risks. This enhanced visibility is crucial in an interconnected business landscape where third-party risks are on the rise.
- Disclosures of Cybersecurity Risk, Management, and Strategy: Flowmon enables public companies to demonstrate their use of advanced detection and response capabilities. This not only helps demonstrate compliance but also builds confidence among stakeholders regarding robust cybersecurity strategies.
- Forensic Analytics and Threat Hunting Capabilities: Flowmon delivers primary data and a history of network activity without sampling. This invaluable resource allows customers to perform retrospective in-depth forensic analysis of incidents. By leveraging these findings, companies can enhance their prevention strategies, proactively identifying and addressing potential threats before they escalate.
In conclusion, the SEC's new cybersecurity rules require greater transparency and accountability from companies. Flowmon's Network Detection and Response solutions can serve as a critical ally in helping public companies not only meet these requirements but also fortify their cybersecurity resilience. By implementing Flowmon NDR, they can better navigate the intricate SEC landscape, supporting compliance while also increasing the confidence of their stakeholders.