How The New SEC Cybersecurity Rules Could Reshape Private Sector Approach to Security

The SEC's new rules, which require public companies to report material cybersecurity incidents on Form 8-K within four business days of determining materiality and to describe their cyber risk management, strategy and governance in their annual 10-K filings, will likely send ripples into the private sector. While they do not yet directly apply to private companies, these rules could reshape expectations and practices in subtle but important ways.

For starters, the increased focus on cyber risks in the public sphere could heighten awareness across the private sector. Though not formally bound by the SEC rules, private companies may still reassess their own cyber preparedness as the issue grabs headlines. Studies show greater awareness makes organizations more likely to implement response plans [i].

Investor expectations could evolve too. As shareholders get more transparency from public companies, they may demand the same from private organizations, especially pre-IPO unicorns that will soon have to meet the public-company standard anyway. Surveys indicate investors want more insight into portfolio companies' cyber policies [ii]. However, resource constraints may keep private companies from fully meeting these expectations.

The public disclosures also offer private companies a model for best practices they can benchmark against and use to bolster their own defenses. Of course, smaller private companies may struggle to implement the same robust measures as, say, a Fortune 500 leader.

While currently limited to public companies, regulatory expansion remains possible as cyber concerns grow. Regulators and policy bodies around the world are already considering ways to extend cyber rules to private players [iii]. Still, new compliance costs could disproportionately affect smaller private companies.

In M&A deals, buyers may give sharper scrutiny to target organizations' cyber risk posture and incident history during due diligence, since any undisclosed incident becomes the acquirer's disclosure problem after closing. Studies show acquirers have walked away from deals over cyber issues [iv]. But the actual impact likely depends on the industry and the specific risks involved.

So while not yet directly imposed on private companies, the SEC rules could have meaningful indirect effects by raising awareness, elevating expectations, and providing cybersecurity benchmarks. Private organizations should stay tuned for potential ripple effects.

References:

[i] Ponemon Institute. (2018). Third Annual Study on Cyber Resilient Organizations.

[ii] Deloitte. (2019). Cyber Risk in the Boardroom: UK Cyber Security Survey.

[iii] World Economic Forum. (2020). The Global Risks Report 2020.

[iv] West Monroe. (2020). Cybersecurity Diligence in M&A.