On 26 July, 2023, the SEC published the final version of its new cybersecurity disclosure requirements. These will have a direct impact on companies listed in the United States, including Foreign Private Issuers. They will also have an impact on UK companies, even where those companies are solely based in the UK.
Any company that provides services to US listed companies, especially companies that process data or provide business-critical services, will need to be prepared for significant additional scrutiny from their American business customers. Critically, that will also include additional due diligence scrutiny for new service providers, so UK companies with aspirations of growing by picking up American business clients should pay close attention.
Here are the two big ways that the SEC's new cybersecurity disclosure requirements could impact UK companies:
1. Disclosure of cyber incidents at service providers
US companies will be required to disclose any cyber incidents at service providers that have a material impact on their own company within four days of determining that a cyber incident is material.
However, materiality (defined generally as “substantial likelihood that a reasonable investor would consider it important”) is considered on the impact on the US company. The same cyber incident could end up being material for one customer, and not material for another customer.
What this means for a service provider is that they could be facing significant demands from customers for detailed information on the impact on each individual customer whilst also being in the middle of responding to a serious cybersecurity incident of their own.
Service providers will need to factor these likely demands into their incident response planning, which effectively sets a new higher bar for the speed and quality of information that a service provider is likely to need to access in the event of a cybersecurity incident. Companies should be asking themselves if their incident response plans are up to this level of customer demand.
US customers will also be asking service providers to demonstrate that they have this kind of incident response capability, which many service providers will struggle with. The disclosure requirement specifically emphasises that cybersecurity incidents at third-party service providers are also covered by the requirements. A formal SEC disclosure requirement with a set timeframe means American boards will be asking their procurement functions how they can be comfortable that service providers will be able to provide them with the data they need to meet the incident disclosure timeline in the event of a cyber incident. For service providers, those procurement conversations are going to be even more challenging, and being unable to answer these questions means losing out on future business.
It should be clear that this extends beyond technology companies to any company that holds or processes data for another company. UK companies providing services to US firms need to be prepared to provide information on their cybersecurity practices and incident response plans to ensure timely disclosure of any incidents.
2. Disclosure of procedures to oversee third-party service providers
US companies will also need to disclose information about their cybersecurity governance in their annual reports. The SEC requirement makes it clear that oversight of third-party service providers is one element that should be considered in their response.
Boards are going to be required to state how their organisations control cybersecurity risk at service providers, including both onboarding and ongoing due diligence. Under US law, CEOs or CFOs are required to certify that these statements are complete and accurate.
As a result, boards and C-Suites are going to be much more rigorous in ensuring that their third-party oversight functions are getting the right level of assurance from their service providers.
For UK service providers to US companies, that means that relatively light-touch certification responses and assurances may no longer be enough. It also means that generally, the volume of due diligence requests on cybersecurity is only going to increase.
UK companies should prepare for this increased level of cybersecurity scrutiny from their US customers. One pragmatic way of addressing this higher level of scrutiny and due diligence requests can be SOC 2 or other similar formal assurance, which can let a company set out their responses once and then provide that to each client rather than having to respond to each client and prospective client individually. These reports also have the benefit of being familiar to a US customer base who are used to receiving SOC 1 and SOC 2 controls reports. Service providers holding specific kinds of data may also need to consider further industry-specific assurance, like HITRUST for Health Information holders and processors.
UK companies with aspirations of growing by picking up US business customers will be especially pressed to provide a higher level of cybersecurity assurance. SOC 2 assurance could well become a necessary part of providing a number of services to US business customers.
Overall, UK companies should not be complacent in thinking about the impact that the new SEC cybersecurity disclosure requirements will have on their ability to do business with US customers, and on their ability to pick up new US customers. In any case, challenging your business on whether you have effective cybersecurity controls and incident response plans in place is no bad thing. Nor is the ability to provide regular reports on your cybersecurity controls to customers. Getting prepared to do SOC 2 assurance reporting takes time, and this is a good chance for service providers to consider getting SOC 2 assurance if they plan to grow into the US market in the future.
Will your company be prepared when your customers come asking?