Two-Minute Tech
Three key ways: how SEC’s cyber security rule will likely affect US companies
SEC’s new disclosure requirements for cyber incidents will further accelerate an already robust environment.
- The US Securities and Exchange Commission (SEC) recently adopted a new rule requiring public companies to disclose material cyber security incidents and cyber security risk management, strategy and governance
- This rule, becoming effective on December 10, 2023, is intended to improve the informational flow about cyber security risks and incidents to US investors and the public, and will translate to greater compliance, regulatory and reputational implications for companies
- The SEC’s new disclosure requirements for cyber incidents will further accelerate an already robust environment in which cyber security spending is projected to grow at an annualised rate of more than 14% [1]
“Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.” (Gary Gensler, Chair of the U.S. Securities and Exchange Commission, SEC) [2]
To realise the three benefits of the new cyber security rule that SEC chair Gary Gensler alludes to, companies must:
- Take a more proactive approach to cyber security risk management, developing and implementing comprehensive programs designed to identify, assess and mitigate cyber risks.
- Disclose material cyber security incidents to the SEC within four business days of discovery. This requires companies to have a process in place (or to put one in place) for quickly detecting and investigating cyber security incidents.
- Currently, it takes five days (or even less) for attackers to “exfiltrate” data from a company’s systems and about six days for companies to remediate the attacks [3]. Industry advances – including greater integration of artificial intelligence (AI) – have brought this remediation time down in recent years, but the SEC rule still demands a significantly quicker response than is the norm today.
- Disclose information about their cyber security risk management, strategy and governance in their 10-K filings (annual financial reports filed with the SEC). This information will help investors assess a company’s cyber security posture and make informed investment decisions. It will also expose companies that have insufficient cyber security measures in place, further driving the need for greater focus and spending on perimeter, network, endpoint, application and data security.
New SEC cyber security rule could be a growth catalyst for global cyber security market
According to recent estimates, the global cyber security market is expected to nearly triple in value, increasing from USD 221 billion in 2022 to USD 657 billion by 2030. The new SEC cyber security rule is likely to accelerate this growth further: some investment analysts suggest that the requirement for stricter public company disclosures is one of the most important cyber security policies in history, further raising the priority of, and budget focus on, security [4].
[Chart: Cyber security market revenue (2021-2030; USD billions). Source: Statista; Next Move Strategy Consulting. Data as of August 2023. 2023-2030 figures are estimated.]
What are the implications for companies?
For all types of companies, the new SEC cyber security rule is likely to have a significant impact, including:
- Increased compliance costs. Companies will need to invest in new resources and technologies to comply with the new rule. This could include hiring additional cyber security staff, implementing new security controls and conducting regular risk assessments.
- Increased regulatory scrutiny. The SEC will be more closely scrutinising companies’ cyber security practices. This could lead to increased enforcement actions against companies that fail to comply with the new rule.
- Greater risk of reputational damage. A cyber security incident can damage a company’s reputation and financial performance, and the new rule will make it more likely that cyber security incidents will be made public.
- Increased shareholder activism. Shareholder groups are increasingly focused on cyber security risks. The new rule could lead more shareholders to demand that companies improve their cyber security practices.
The bottom line
The SEC’s new cyber security rule is a significant development that will have a major impact on companies and the cyber security industry. The rule will require companies to take a more proactive approach to cyber security risk management and to disclose material cyber security incidents to the SEC. This will create new opportunities for cyber security companies and raise awareness of the importance of cyber security.
[1] Statista; Next Move Strategy Consulting. Data as of August 2023. 2023-2030 figures are estimated.
[2] SEC press release, July 26, 2023. https://www.sec.gov/news/press-release/2023-139
[3] Palo Alto Networks, Unit 42 Cloud Threat Report – Volume 7. Data as of 2023.
[4] Morgan Stanley, July 26, 2023. SEC Steps Up Public Company Disclosure Requirements.