At the end of last month, the SEC released a finalized version of several rules that require publicly traded companies to submit disclosures relating to cybersecurity. The two main requirements are that companies must file a disclosure of material cybersecurity incidents and submit an annual filing regarding their cybersecurity risk management. Assuming the finalized rules are published as scheduled on September 5th, they will take effect on December 18th.
Over the past several years, high-profile breaches, ransomware attacks, and cyber espionage campaigns have had increasingly prominent effects on businesses, and cybersecurity measures have become significant budget items for many public companies. Because of this, organizations already had some obligations to file disclosures on cybersecurity topics. However, these obligations were spelled out only through interpretive guidance on existing rules about informing investors of risks and legal liabilities. The most significant guidance documents were published in 2011 and 2018.
Companies have had substantial leeway in interpreting what information to disclose and when to disclose it. This created an environment of uneven information for investors trying to compare, understand, and make decisions based on the cybersecurity-related information companies were providing.
Given the increasing prevalence of cyber-attacks and the shift to a digital workplace during and after the pandemic, it has become increasingly clear that more standardized, specific, and structured regulations for cybersecurity disclosures were needed. The rule updates represent the SEC’s understanding of the problem and its steps toward addressing it proactively.
The first major rule change relates to the disclosure of “material cybersecurity incidents.” Companies will be required to file a Form 8-K disclosure within 4 business days after determining that such an incident occurred. They will be required to disclose:
- when the incident was discovered and whether it is ongoing,
- the material aspects of the nature and scope of the incident,
- whether any data was lost, stolen, or used for other unauthorized purposes,
- the effect the incident has had on the company’s financial condition and results of operations.
An essential term for understanding and complying with these rules is the concept of ‘materiality.’ Ultimately, it is a matter of discretion for the company or its security team to determine whether a cybersecurity incident crosses the line into materiality. The key factor, based on the SEC rules, is whether a reasonable shareholder or investor would consider knowledge about the breach important or influential when making an investment decision.
For the purposes of these rules, a cybersecurity incident does not necessarily require malicious intent on the part of a threat actor, nor does it need to be a single event. Accidental exposure of sensitive or critical data could be considered an incident if it would have a material impact on the company’s finances or operations. Liability and reputational damage would be considered factors as well.
Similarly, several minor network breaches that individually cause no data loss or unauthorized access may eventually rise to the level of materiality if together they indicate an attempted attack that would affect how the company operates.
The other significant rule finalized relates to the annual reporting of an organization’s cybersecurity strategy. Previous guidelines only required companies to disclose the risk of a cyber incident if it was “among the most significant factors” for investors assessing risk. The new rules require all filing companies to disclose whether they have a cybersecurity risk assessment program in place. They need to provide information about the program, including how it is integrated with the company’s wider risk management system, whether they engage outside auditors, consultants, or service providers, and how they manage vendors.
Additionally, companies are required to disclose whether they have managers and teams in place that are responsible for assessing and responding to cybersecurity risks, and what experience or background those people have in cybersecurity. They also need to disclose how the relevant managers or committees are informed about cybersecurity incidents and how that information is relayed to the company’s board.
These two requirements have significant implications for many companies, and it’s worth taking a short look at some of the most important ones:
- Disclosure needs to be done with the appropriate amount of detail: The finalized rules differ significantly from the initially proposed text, and many of these changes have reduced the level of detail companies need to disclose. While security through obscurity is a dead end, overly detailed descriptions could help a clever threat actor pinpoint a vulnerability.
- Disclosure needs to be part of your incident response plan: Four business days is not a long time, particularly if those days are spent handling an ongoing incident. It would be prudent for companies to have a plan in place for how to prepare and file the disclosure so that they won’t be scrambling in a time of crisis.
- Disclosure will have business implications: Although the SEC rules do not require a CISO on staff or a dedicated cybersecurity team, investors will expect a certain level of security maturity from companies.
The SEC’s new cybersecurity disclosure rules represent a significant step towards standardizing security communication for publicly traded companies. By requiring timely disclosure of material cybersecurity incidents and detailed annual reporting on cybersecurity risk management, these rules aim to enhance transparency and accountability. They underscore the evolving role of cybersecurity not just as a technical issue but as a central element of a company’s risk management strategy that influences investor decisions and overall business success. By embracing these regulations, companies can demonstrate leadership and commitment to a secure and transparent digital future.