CrowdStrike to Acquire Flow Security to Expand Its Cloud Security Leadership with Data Security Posture Management

What the SEC’s New Cybersecurity Regulations Really Mean

Last July, the U.S. Securities and Exchange Commission (SEC) adopted strict new cybersecurity and incident disclosure rules, in hopes of keeping businesses and their customers safe amid rapidly evolving cyber threats. Taking effect on December 18, 2023, the new regulations place unprecedented emphasis on robust incident detection, analysis, and reporting.

The regulations apply to all companies filing documents with the SEC, including US entities and foreign private issuers (with exceptions for companies with less than $100 million in annual revenue). The new rules have brought public companies under heightened scrutiny, citing the interests of shareholders and investors. The SEC announcement compared the impact of a high-profile hack to that of a factory fire: a catastrophic event resulting in significant material losses.

For some companies, the regulations appear unnecessarily time-consuming or overly critical of internal operations. Indeed, in the wake of a cyber incident, organizations could become overwhelmed as they work not only to repair damage and patch breaches, but also to remain compliant under tight deadlines. Fortunately, there are straightforward ways for security teams to improve their overall cyber preparedness, making it easier to comply with these regulations. In the long run, this will make data more secure and keep businesses safer in a rapidly evolving digital age.

Requirements

According to the regulations, all eligible companies, or “registrants,” are obligated to disclose any cybersecurity incident deemed of material significance. This not only includes reporting on the nature of the incident and any noteworthy impacts or losses, but also detailing the process through which companies identified, assessed, and managed any relevant risks.

Furthermore, relevant incidents must be disclosed within a strict 4-business-day window. It is important to note that this deadline runs from the day the company determines that a cybersecurity incident is material, not from the day the incident occurred.

Implications

Since the regulations first took effect, compliance deadlines have been heavily enforced. Companies must therefore be able to carry out swift detection, analysis, and reporting of data breaches, or they risk government-sanctioned penalties that compound the already detrimental effects of the incident itself.

Companies with a reactive approach to cybersecurity will struggle to be compliant: they will be more prone to attacks in the first place, and it will be that much harder to assess any given cyber incident. A proactive approach also calls for organizations to set clear protocols, specifically for SEC-compliant reporting, so they can meet regulatory deadlines without sidelining other critical operations.

The ability to meet these requirements transparently and responsibly will help maintain shareholder and investor trust even at a difficult moment for the company. On top of incurred fines and penalties, failing to report within regulatory timelines could have dire financial and reputational repercussions.

Since different cyber threats may be more or less difficult to identify and report, companies must do their best to secure against the widest possible breadth of threats.

For example, data breaches (concerted attempts to pilfer sensitive data) may be easier to identify and report in a timely manner than data leaks (passive exposure of data due to insufficient security), which companies may not even be aware of until they become an issue. Indeed, many organizations have more unprotected data than they realize, yet little is often done to secure it against leakage.

Compromised passwords are a common example of an overlooked risk that can lead to both data breaches and data leaks. Whether obtained through negligence, overly simple passwords, or stolen employee PII, employee credentials offer easy entry to company data without raising any immediate security flags.

Another common threat vector is insufficient security in software applications, especially third-party services, a concern that is growing alongside the rise of Generative AI. Indeed, GenAI has ushered in a new era of data security risks, with widespread, unauthorized use of a myriad GenAI tools paving the way to Shadow Data proliferation and a greater likelihood of data leaks. While companies are understandably eager to adopt GenAI tools, their security teams may not be sufficiently equipped to handle the new slew of resulting risks.

As companies continue to navigate these new regulations, we will hopefully see more of them establishing clear internal protocols and leadership hierarchies for cyber preparedness. Indeed, greater onus will (and should) fall on company leadership, management, and boards of directors to demonstrate to the SEC, as well as shareholders and investors, that they are actively working to mitigate and minimize cyber threats.

Tips, Best Practices, and Flow’s Solution

In light of the short reporting window, companies must focus on proactive prevention. Without it, a compromised organization will have to work tenfold to triage in the wake of a hack, while also scrambling to remain compliant with SEC regulations.

Proactive prevention entails more than simply relying on posture management or risk analysis. It must include an organization-wide security foundation that strives to secure data in all its forms and across all environments, at runtime as well as when it is static. Consider that a database that is fully secure when data is at rest or in storage does not ensure that the data will be secure from leaks or breaches when it is in motion between databases and applications.

Companies that are not already doing so must enforce clear organizational policies around data protection, educate employees on the implications of the new regulations, and continually monitor and adapt these policies as threat vectors expand and regulations evolve. These policies and procedures must extend to third-party services as well as internal infrastructure.

Finally, enterprises should invest in solutions that bolster cyber-threat response preparedness and can protect the data itself, not just the infrastructure. Flow Security, a data runtime protection platform, offers a proactive solution that provides organizations with the protection, prevention, and enforcement needed to comply effectively with the new SEC regulations.

Flow secures data at rest, in use, and in motion, broadening the level of data control and security for all instances where data might be susceptible to leaks or breaches. This data-runtime solution discovers, classifies, and secures sensitive data, lowering the likelihood of a material data breach in the first place and making it easier to report within the regulatory time frame in the case of a cyberattack.

It is crucial for company security teams to remember that data is always in motion, which raises the risk of data breach or exposure. As such, a static understanding of overall cybersecurity will never be enough, particularly as regulations increasingly aim to eliminate insufficient corporate security practices.

By ensuring that organizational data is always secured in all forms and environments, Flow Security leaves no data unprotected or unaccounted for, minimizing the potential of both breaches and leaks while bolstering compliance with regulations, today and tomorrow.
