Two-Minute Tech
Three key ways: how SEC’s cyber security rule will likely affect US companies
SEC’s new disclosure requirements for cyber incidents will further accelerate an already robust environment.
- The US Securities and Exchange Commission (SEC) recently adopted a new rule requiring public companies to disclose material cyber security incidents and cyber security risk management, strategy and governance
- This rule, becoming effective on December 10, 2023, is intended to improve the informational flow about cyber security risks and incidents to US investors and the public, and will translate to greater compliance, regulatory and reputational implications for companies
- SEC’s new disclosure requirements for cyber incidents will further accelerate an already robust environment where cyber security spending is projected to grow at an annualised rate of more than 14%1
“Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.” (Gary Gensler, chair of the U.S. Securities and Exchange Commission, SEC).2
In order to profit from new cyber security rules’ triple benefits SEC chair Gary Gensler is alluding to, companies must:
- Take a more proactive approach to cyber security risk management, developing and implementing comprehensive programs designed to identify, assess and mitigate cyber risks.
- Disclose material cyber security incidents to the SEC within four business days of discovery requiring them to have a process in place (or installing a corresponding one) for quickly detecting and investigating cyber security incidents.
- Currently, it takes five days (or even less) for attackers to “exfiltrate” data from a company’s systems and about six days for companies to remediate the attacks3 . Industry advances – including a greater integration of artificial intelligence (AI) – have brought this remediation number down in recent years, but the SEC rule still results in a significantly quicker response than is the case today.
- Disclose information about their cyber security risk management, strategy and governance in their 10-K filings (annual financial reports filed with the SEC). This information will help investors to assess the company’s cyber security posture and make informed investment decisions. It will also point to companies which have insufficient cyber security measures in place, further facilitating the need for greater focus and spending on perimeter, network, endpoint, application and data security.
New SEC cyber security rule could be a growth catalyst for global cyber security market
According to recent estimates, the global cyber security market is expected to nearly triple in value, increasing from USD 221 billion in 2022 to USD 657 billion by 2030. The new SEC cyber security rule is likely to accelerate this growth further with some investment analysts suggesting that the requirement of stricter public company disclosures is one of the most important cybersecurity policies in history, further raising the priority and budget focus on security4.
Cyber security market revenue (2021-2030; USD billions)
Source: Statista; Next Move Strategy Consulting. Data as of August 2023. 2023-2030 figures are estimated
What are the implications for companies?
For all types of companies, the new SEC cyber security rule is likely to have a significant impact, including:
- Increased compliance costs. Companies will need to invest in new resources and technologies to comply with the new rule. This could include hiring additional cyber security staff, implementing new security controls and conducting regular risk assessments.
- Increased regulatory scrutiny. The SEC will be more closely scrutinising companies’ cyber security practices. This could lead to increased enforcement actions against companies that fail to comply with the new rule.
- Greater risk of reputational damage. A cyber security incident can damage a company’s reputation and financial performance, and the new rule will make it more likely that cyber security incidents will be made public.
- Increased shareholder activism. Shareholder groups are increasingly focused on cyber security risks. The new rule could lead more shareholders to demand that companies improve their cyber security practices.
The bottom line
The SEC’s new cyber security rule is a significant development that will have a major impact on companies and the cyber security industry. The rule will require companies to take a more proactive approach to cyber security risk management and to disclose material cyber security incidents to the SEC. This will create new opportunities for cyber security companies and raise awareness of the importance of cyber security.
1 Statista; Next Move Strategy Consulting. Data as of August 2023. 2023-2030 figures are estimated
2 https://www.sec.gov/news/press-release/2023-139. July 26, 2023
3 Palo Alto Networks, Unit 42 Cloud Threat Report – Volume 7. Data as of 2023
4 Morgan Stanley, July 26, 2023. SEC Steps Up Public Company Disclosure Requirements
Recent insights
-
Investing involves risk. The value of an investment and the income from it will fluctuate and investors may not get back the principal invested. Past performance is not indicative of future performance. This is a marketing communication. It is for informational purposes only. This document does not constitute investment advice or a recommendation to buy, sell or hold any security and shall not be deemed an offer to sell or a solicitation of an offer to buy any security. The views and opinions expressed herein, which are subject to change without notice, are those of the issuer or its affiliated companies at the time of publication. Certain data used are derived from various sources believed to be reliable, but the accuracy or completeness of the data is not guaranteed and no liability is assumed for any direct or consequential losses arising from their use. The duplication, publication, extraction or transmission of the contents, irrespective of the form, is not permitted. This material has not been reviewed by any regulatory authorities. In mainland China, it is for Qualified Domestic Institutional Investors scheme pursuant to applicable rules and regulations and is for information purpose only. This document does not constitute a public offer by virtue of Act Number 26.831 of the Argentine Republic and General Resolution No. 622/2013 of the NSC. This communication's sole purpose is to inform and does not under any circumstance constitute promotion or publicity of Allianz Global Investors products and/or services in Colombia or to Colombian residents pursuant to part 4 of Decree 2555 of 2010. This communication does not in any way aim to directly or indirectly initiate the purchase of a product or the provision of a service offered by Allianz Global Investors. Via reception of this document, each resident in Colombia acknowledges and accepts to have contacted Allianz Global Investors via their own initiative and that the communication under no circumstances does not arise from any promotional or marketing activities carried out by Allianz Global Investors. Colombian residents accept that accessing any type of social network page of Allianz Global Investors is done under their own responsibility and initiative and are aware that they may access specific information on the products and services of Allianz Global Investors. This communication is strictly private and confidential and may not be reproduced, except for the case of explicit permission by Allianz Global Investors. This communication does not constitute a public offer of securities in Colombia pursuant to the public offer regulation set forth in Decree 2555 of 2010. This communication and the information provided herein should not be considered a solicitation or an offer by Allianz Global Investors or its affiliates to provide any financial products in Brazil, Panama, Peru, and Uruguay. In Australia, this material is presented by Allianz Global Investors Asia Pacific Limited (“AllianzGI AP”) and is intended for the use of investment consultants and other institutional /professional investors only, and is not directed to the public or individual retail investors. AllianzGI AP is not licensed to provide financial services to retail clients in Australia. AllianzGI AP is exempt from the requirement to hold an Australian Foreign Financial Service License under the Corporations Act 2001 (Cth) pursuant to ASIC Class Order (CO 03/1103) with respect to the provision of financial services to wholesale clients only. AllianzGI AP is licensed and regulated by Hong Kong Securities and Futures Commission under Hong Kong laws, which differ from Australian laws. This document is being distributed by the following Allianz Global Investors companies: Allianz Global Investors GmbH, an investment company in Germany, authorized by the German Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin); Allianz Global Investors (Schweiz) AG; Allianz Global Investors UK Limited, authorised and regulated by the Financial Conduct Authority;in HK, by Allianz Global Investors Asia Pacific Ltd., licensed by the Hong Kong Securities and Futures Commission; in Singapore, by Allianz Global Investors Singapore Ltd., regulated by the Monetary Authority of Singapore [Company Registration No. 199907169Z]; in Japan, by Allianz Global Investors Japan Co., Ltd., registered in Japan as a Financial Instruments Business Operator [Registered No. The Director of Kanto Local Finance Bureau (Financial Instruments Business Operator), No. 424], Member of Japan Investment Advisers Association, the Investment Trust Association, Japan and Type II Financial Instruments Firms Association; in Taiwan, by Allianz Global Investors Taiwan Ltd., licensed by Financial Supervisory Commission in Taiwan; and in Indonesia, by PT. Allianz Global Investors Asset Management Indonesia licensed by Indonesia Financial Services Authority (OJK). 3130879