New US cyber security breach rules

23 February 2024 / Insight posted in Article

The US Securities and Exchange Commission (SEC) introduced a new ruling, effective from 15 December 2023, stipulating that publicly owned companies operating in the US must report “material” cyber incidents within 96 hours. 

If you are operating your business in the US, this affects you. Although the SEC rules are aimed at publicly listed companies, most public companies rely on smaller third-party software and supply chain companies. A cyber attack at any point along that supply chain could have a material impact. On that basis, such third-party companies (whether public or not) should also consider themselves party to the new regulations. 

Organisations failing to comply could face major consequences, courtesy of the SEC. The new measure requires public companies to disclose within four days all cyber security breaches that could affect their bottom line.  

Essentially, this is designed to protect investors, and it is hoped that the public will be made aware of data breaches more quickly. The current average US cyber incident/data breach reporting timeline is 80 days. The SEC ruling may lead to shorter reporting timelines and greater cyber incident transparency.

Under the new SEC rules, public companies must now follow these specific cyber security disclosure guidelines: 

  • Disclose cyber security incidents within four business days (from the point a breach is determined to be material) and describe their nature, scope, timing and material or likely material impact. 
  • Detail processes for assessing, identifying and managing material risks from cyber security threats. 
  • Describe the board of directors’ oversight of risks from cyber security threats and management’s role and expertise in assessing and managing material risks. 

The key takeaway from this new ruling is the importance of (cyber) incident response plans for all organisations.

Research by FRSecure, a US information security company, finds that only 45% of US companies have incident response plans in place. That number drops to 40% for companies that have 100 employees or fewer. Surprisingly, that figure drops further to 38% for companies with more than 500 employees – the very types of companies that are most likely to be publicly traded.

The SEC ruling will hopefully motivate these organisations to prepare adequate incident response plans (IRPs), facilitating swift reporting of incidents. 

If your US organisation currently has no cyber incident response plan in place, you should create one as a matter of priority. Your plan should include key cyber protection elements such as preventative measures, improved detection and response capabilities, containment strategies, eradication strategies, risk assessment updates and a robust (tested) plan for the recovery of data and restoration of your systems.

For advice and support on any of the issues discussed, please do not hesitate to contact the Moore ClearComm team.
