July 27, 2023 (updated 28 Jul 2023 10:28am)

New SEC cybersecurity reporting rules may force the UK to follow suit

New regulations will force businesses to disclose incidents faster. Not everyone is a fan.

By Claudia Glover

Public companies in the US will be forced to disclose cybersecurity incidents within four days under new rules proposed by financial regulator the Securities and Exchange Commission. Businesses will also be obliged to include details of their cybersecurity set-up in their annual reports, as well as detailing the boardroom expertise they have when it comes to security.

The SEC released rules forcing publicly listed companies to shore up their cybersecurity. (Photo by Kristi Blokhin/Shutterstock)

Experts have told Tech Monitor this may nudge UK regulators into being more prescriptive in how they apply rules such as the EU’s NIS2 directive, which is currently open to different interpretations of what level of security is required.

Why the SEC is changing cyberattack disclosure rules

The SEC rules require listed businesses to disclose an incident within four days, unless a business can show that public disclosure of the details may pose a danger to the public, in which case it will have 60 days to comply.

From December, they will also be required to outline their risk management, cybersecurity governance and strategies to boost cybersecurity posture in their annual reports.

The most controversial element of the new rules may be the stipulation that businesses must disclose what oversight their board members have of cyber risk. Item 106 of the new regulations says companies must describe their directors’ and management’s “role and expertise in assessing and managing material risks from cybersecurity threats”.

By putting the rules in place, the SEC believes it is giving more security to investors. “Whether a company loses a factory in a fire – or millions of files in a cybersecurity incident – it may be material to investors,” said SEC chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors.”

Gensler added that he believes “companies and investors alike would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies and the markets connecting them.”

What do businesses make of the new SEC regulations?

While the cybersecurity community has welcomed tighter regulation in the face of major third-party cyberattacks such as the Log4j breach and the recent MOVEit Transfer vulnerability attacks, which have impacted some of the biggest listed companies, concerns have been raised about the burden the rules will place on corporations.

The New York Stock Exchange argues the information being demanded by the regulator is too detailed and will result in “granular disclosures of organisational minutiae required”, resulting in “overly detailed filings that have little utility to investors”. 

The NYSE says demanding information on the cybersecurity expertise of upper management could give investors the wrong impression of a company’s cybersecurity abilities. “The absence of a cybersecurity expert on a company’s board is [not] necessarily the fatal flaw that required disclosure may implicitly suggest to investors,” it says.

Security professionals surveyed by vendor Proofpoint say their organisations are ready to work more closely with regulators. According to the company’s 2023 voice of the CISO report, 80% of respondents agree that organisations should be required to report a material cyberattack to regulators within a reasonable time frame, while only 6% disagree. “This suggests that boards are now much more willing to work together with regulators”, explains Proofpoint’s resident CISO, Andrew Rose.

A separate survey of board members conducted by Proofpoint found that directors are most concerned with internal data becoming public, reputational damage, loss in revenue, and disruption to operations, all of which could be minimised through increased regulation.

Will the UK strengthen cybersecurity regulations?

For these reasons, the new rules could not have come at a better time, says Edgard Capdevielle, CEO of security company Nozomi Networks. “Cyberattacks are outnumbering and outmanoeuvring even prepared defences,” he says. “It’s time for greater accountability, [and] the introduction of these SEC cybersecurity rules implies a significant and necessary increase in board accountability.” 

The new regulations will bring structure and consistency in the US and will likely influence regulators globally, adds Proofpoint’s Rose. “This can only be good news,” he says. “However, it’s unlikely to have much of an impact across large EU or UK-based organisations which are already complying with conditions from the GDPR and NIS2 regulations.”

The new SEC rules could have an influence on how other suites of regulations are implemented, however, suggests Andy Norton, European cyber risk officer at Armis. “With NIS2, requirements are in place to disclose incidents within a time frame and additionally to demonstrate good cyber risk management controls,” he explains. “In the UK, regulators are looking to be more prescriptive with the controls organisations need to implement, as currently there is a wide interpretation of what constitutes appropriate and proportionate cyber capabilities.”  

This discrepancy can lead to companies with low levels of security slipping through the cracks, “while claiming the same level of assurance”, he says. “The UK could be pushed to be more prescriptive to enforce a higher systemic level of security, regardless of the individual law.”

But regulation will not be enough to protect companies against all risk, adds Capdevielle. “Cybersecurity is an ongoing process that requires constant vigilance and adaptation to the evolving threat landscape,” he says. “Board accountability, however, will strengthen this vigilance.”
