As of June 15, 2024, smaller reporting companies must comply with new Securities and Exchange Commission (SEC) breach disclosure rules. Under the rules, publicly traded companies must report a security incident within four business days after determining it is “material.” An incident is material if “there is a substantial likelihood that a reasonable investor would attach importance” to it.
Larger public companies were required to comply with this new rule as of Dec. 18, 2023. Smaller reporting companies were given an additional 180 days to comply. They are defined as those with “a public float of less than $250 million” or “with annual revenues of less than $100 million for the previous year and … a public float of less than $700 million.”
The new rules are designed to ensure that public companies consistently report security incidents on Form 8-K, which is used to inform investors of “material events” that could impact stock performance. A 2019 Bitglass study found that a security breach reduced a company’s stock price by 7.5 percent on average.
What Is a Material Incident?
The fact that smaller reporting companies are included in the SEC rules points to the critical role they play in the supply chains of larger companies. If a smaller company suffers a cyberattack, it could have serious consequences for a larger company down the line. The rules could even affect privately held companies that are the source of a security incident impacting a larger supply chain partner. The larger, publicly held company could demand a detailed report to help it determine the materiality of the breach.
The new rules define a cybersecurity incident broadly as “any unauthorized occurrence … that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” It could include any incident that impacts revenue or causes business disruption, even if sensitive information isn’t compromised.
Companies must make the materiality determination “without unreasonable delay” after discovering an incident, and the four-business-day reporting clock starts from that determination, not from discovery. If a company initially finds that an incident is not material, it must continue to monitor its long-term impact and revisit the determination if new facts emerge. Furthermore, a series of related incidents that are individually minor could be material when considered as a whole.
What Is an Incident Management Plan?
Companies need a robust incident management plan to meet these requirements. The plan should include procedures for detecting, assessing and mitigating cyberattacks. IT teams must have tools and processes for gathering and correlating information from multiple sources across the IT environment. This will enable them to spot unusual activity and quickly determine whether it is a security incident.
If a security breach is identified, the IT team must take steps to contain the damage as quickly as possible. This could involve disrupting the cyber “kill chain” or isolating affected systems. Once the IT team has contained the threat, they should work to neutralize it and restore systems and data.
The incident management plan should also include procedures for gathering data about the incident for regulatory reporting. To comply with the SEC rules, organizations must describe the material aspects of the incident’s nature, scope and timing (including when it was discovered and whether it is ongoing) and its material impact, or reasonably likely material impact, on the company, including its financial condition and results of operations. Tracking when the incident was discovered, when materiality was determined, whether it has been remediated and whether data was compromised gives the team the facts it needs to draft that disclosure.
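The reporting step above turns on two dates that are easy to confuse: the day the incident was discovered and the day it was determined to be material. The Form 8-K clock runs from the second one, and it counts business days, so weekends and SEC holidays push the deadline out. The following Python is an added example written for this article, not code from Verteks or from the SEC; it keeps a minimal incident record, lets the materiality determination be revisited (as the rules require when an incident is first judged immaterial), and computes the four-business-day filing deadline. The holiday calendar is deliberately left to the caller, since the federal holiday list changes from year to year; the incident data in `demo()` is constructed for illustration.

```python
"""Incident record with Form 8-K Item 1.05 deadline tracking.

Added example, not from the original article. Assumes the four-business-day
window starts the business day after the materiality determination and skips
weekends plus whatever holidays the caller supplies (SEC holidays are an
input here, not a built-in table).
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Iterable, List, Optional

# Item 1.05 of Form 8-K: due within four business days of the materiality determination.
FILING_WINDOW_BUSINESS_DAYS = 4


def add_business_days(start: date, n: int, holidays: frozenset = frozenset()) -> date:
    """Return the date n business days after start; start itself is day zero."""
    day, remaining = start, n
    while remaining > 0:
        day += timedelta(days=1)
        if day.weekday() < 5 and day not in holidays:  # Mon-Fri and not a holiday
            remaining -= 1
    return day


def business_days_after(start_iso: str, n: int, holiday_isos: Iterable[str] = ()) -> str:
    """ISO-string wrapper around add_business_days for scripts and tests."""
    holidays = frozenset(date.fromisoformat(h) for h in holiday_isos)
    return add_business_days(date.fromisoformat(start_iso), n, holidays).isoformat()


@dataclass
class Incident:
    incident_id: str
    discovered: date
    summary: str
    material: Optional[bool] = None        # None: determination still pending
    determined_on: Optional[date] = None   # date of the latest determination
    remediated: bool = False
    data_compromised: Optional[bool] = None
    related_ids: List[str] = field(default_factory=list)  # for aggregate materiality review

    @classmethod
    def opened(cls, incident_id: str, discovered_iso: str, summary: str) -> "Incident":
        return cls(incident_id, date.fromisoformat(discovered_iso), summary)

    def determine_materiality(self, material: bool, on_iso: str) -> None:
        """Record (or revise) the materiality determination; the clock restarts from this date."""
        on = date.fromisoformat(on_iso)
        if on < self.discovered:
            raise ValueError("materiality cannot be determined before discovery")
        self.material = material
        self.determined_on = on

    def filing_deadline(self, holiday_isos: Iterable[str] = ()) -> Optional[str]:
        """ISO date the 8-K is due, or None if the incident is not (yet) material."""
        if not self.material or self.determined_on is None:
            return None
        holidays = frozenset(date.fromisoformat(h) for h in holiday_isos)
        return add_business_days(self.determined_on, FILING_WINDOW_BUSINESS_DAYS, holidays).isoformat()

    def status(self) -> str:
        if self.material is None:
            return "materiality determination pending"
        if not self.material:
            return "judged not material; keep monitoring impact"
        return "material; 8-K due " + (self.filing_deadline() or "unknown")


def pending_determinations(incidents: Iterable[Incident]) -> List[str]:
    """IDs of incidents whose materiality has not been decided yet."""
    return [i.incident_id for i in incidents if i.material is None]


def demo() -> Incident:
    # Constructed sample: discovered Friday 2024-06-14, first judged immaterial on
    # Monday, then revised to material on Thursday after the scope grew.
    inc = Incident.opened("INC-0001", "2024-06-14", "unauthorized access to an order-processing host")
    inc.determine_materiality(False, "2024-06-17")
    inc.determine_materiality(True, "2024-06-20")
    inc.data_compromised = True
    return inc


if __name__ == "__main__":
    incident = demo()
    print(incident.status())  # deadline counts from 2024-06-20, not from discovery
```

Note that the deadline for the sample incident is four business days after June 20, not after June 14: revising the determination moves the clock. Passing a holiday such as the 2024 Juneteenth observance (a Wednesday) to `filing_deadline` shows why the calendar must be supplied rather than assumed.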
How Verteks Can Help
Many smaller organizations will find it difficult to meet these requirements. They simply lack the IT resources to monitor the IT environment around the clock and perform the analysis needed to identify security incidents.
Verteks managed services include 24x7 monitoring to detect threats before they become security incidents. We also provide proactive management to ensure your IT environment is up to date and performing optimally. Let us help you boost your security posture and prepare to meet the latest regulatory requirements.