The U.S. Securities and Exchange Commission (SEC) is the latest federal agency putting a spotlight on U.S. companies’ cybersecurity practices and pushing boards and executive management teams to place a greater focus on cyber risk management. On July 26, 2023, the SEC adopted amendments to its rules (see the SEC.gov release “SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies”) to enhance disclosures by registrants regarding material cybersecurity incidents and their cybersecurity risk management, strategy and governance processes.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
Prior SEC rules and guidance already covered cybersecurity disclosure, but the SEC viewed them as inadequate and in need of an update for two key reasons. First, the prior policies resulted in inconsistent disclosure practices across issuers, making it difficult for investors to assess a company’s cyber risk and, worse yet, likely leading public companies to underreport cybersecurity incidents. Second, the SEC recognized the exponential rise in the cost and adverse impact of cybersecurity incidents on public companies and the economy more generally, which in turn fueled the need for more timely and standardized cybersecurity disclosures for the investing public.
The new rule addresses concerns over investor access to timely and consistent cybersecurity information in light of the widespread use of digital technologies and artificial intelligence, the shift to hybrid work environments, the rise in the use of crypto assets, and the increase in illicit profits from ransomware and stolen data, all of which continue to escalate cybersecurity risk and its related cost to registrants and investors.
The recent SEC cybersecurity disclosure rule represents a pivotal step towards safeguarding investors from the potential repercussions of cybersecurity breaches. In an era marked by the escalating frequency and gravity of such incidents, investors are rightfully demanding greater transparency from the companies they have vested their financial resources and trust in. With the introduction of this new regulation, the SEC is compelling companies to furnish investors with up-to-date, consistent, and genuinely informative insights into their approach to handling cyber risks.
I perceive this rule as a clarion call for action, effectively challenging enterprises to prepare for an enhanced level of disclosure concerning their strategies, governance processes, and overall management of cyber risks. While this may appear daunting for some, it’s important to recognize that the task ahead might not be as formidable as it initially seems.
The core of the rule amendments requires disclosure in three areas:
1. Cyber incident reporting
- Report “material” cybersecurity incidents on a Form 8-K within four business days of materiality determination.
- Describe the nature, scope, and timing of the incident and the material impact or reasonably likely material impact on the registrant. To the extent required information is not determined or is unavailable at the time of the filing, the 8-K should include disclosure of this fact, and the 8-K should be later amended when the information is determined or becomes available.
- Materiality determination should be based on federal securities law materiality, including consideration of quantitative and qualitative factors.
- The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing.
2. Cyber risk management and strategy
The new rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. Describe the company’s process, including:
- whether cybersecurity is part of the overall risk management program, whether the registrant engages consultants, auditors or other third parties, and the processes used to oversee and identify risks arising from the use of third parties.
- whether and how any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the registrant’s business strategy, results of operations, or financial condition.
3. Cyber governance
Describe the company’s governance of cybersecurity risks as it relates to:
- Disclosure of the Board’s Roles and Responsibilities – Item 106(c)(1) requires registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant’s annual report on Form 10-K. Specifically, Item 106(c)(1) requires disclosure of:
  - A description of the board’s oversight of risks from cybersecurity threats.
  - Identification of any board committee or subcommittee responsible for oversight of risk from cybersecurity threats (if applicable).
  - A description of the processes by which the board or such committee is informed of risk from cybersecurity threats.
- Disclosure of Management’s Responsibilities – Item 106(c)(2) requires a registrant to disclose how management assesses and responds to material risks from cybersecurity threats, including, but not limited to:
  - “Whether and which management positions or committees are responsible for assessing and managing such risks, and [their relevant expertise].”
  - “The processes by which such persons or committees [monitor cybersecurity incidents].”
  - Whether and how management reports cybersecurity information “to the board of directors or a committee or subcommittee of the board of directors.”
- Comparable disclosures by foreign private issuers on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.
Note: The final rules will become effective 30 days following publication of the adopting release in the Federal Register. The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure. With respect to compliance with the structured data requirements, all registrants must tag disclosures required under the final rules in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.
The U.S. SEC’s new cybersecurity disclosure rules increase pressure on companies to solidify processes for identifying, assessing and managing material cybersecurity risks and reporting incidents. Disclosure within four business days! 😊
In the wake of the SEC’s proposal, public companies are scrambling to address key questions such as:
- What “material events” does the SEC cyber disclosure say must be disclosed?
- How does the SEC expect companies to assess materiality under the new rules, and what does enforcement precedent tell us?
- What can companies do proactively to validate their cybersecurity programs and disclosure mechanisms?
- How should incident response processes as well as other applicable policies, procedures, and controls be revised?
- How can companies best position themselves to utilize the available national security/public safety delay option?
- What will enforcement look like?
The SEC’s new cyber disclosure rule requires public companies to disclose information about their cybersecurity governance practices as well as the impacts of material cyber incidents. While the rules specify what must be disclosed, they do not address how organizations should design their processes and controls to meet those disclosure requirements accurately.
A common question I get asked is: “What should CISOs do and not do in response to the SEC’s rule amendments relating to incident reporting and cybersecurity governance and risk management?”
For some organizations, existing processes will require little or no enhancement to facilitate compliance with these SEC rule updates. However, few organizations have defined mechanisms by which corporate officers can make informed assessments of materiality and construct the required 8-K reports based on incident data.
Below is my perspective on a list of actions to verify the adequacy of existing processes and to determine which processes require creation or augmentation.
CISOs at respondent organizations must:
1. Know your process and assemble the data
- Review security incident response processes to identify changes needed to support assessment of incident materiality and communication of the required data to the SEC (via Form 8-K Item 1.05) within the four-business-day time frame.
- Update security incident response processes to address both unitary material incidents and aggregate material incidents as defined in the SEC rules. Implement the requisite process changes and test the updated process.
- Enhance data collection to support materiality assessments and effective communication with relevant parties during incident response. Changes may include collecting additional data to support materiality assessments, discovering and aggregating related incidents, and communicating with appropriate parties to inform them of incident response management activities.
2. Augment incident response governance
- Involve legal counsel, investor relations, controller/external reporting groups, and communication leaders – Reporting of material incidents to the SEC could have a direct impact on market valuation of your organization. This forced transparency requires active participation of legal counsel, investor relations, controller/external reporting group and communications leaders in the composition and communication of Form 8-K Item 1.05.
- Respondent organizations should ensure that the computer security incident response team (CSIRT) includes legal counsel, investor relations and communications leaders. In this way, compliance with SEC rules will be supervised by leaders empowered to speak to federal authorities and the market on behalf of the organization. Respondent organizations should also ensure that CSIRT deliberations are covered by attorney-client privilege.
3. Report early and often
- Ongoing reporting on incident management is part of the rule change. CSIRT processes must support timely updates to the SEC on the management of each material incident until it is resolved. Update procedures and responsibility allocations to include generation of iterative reports for each material incident.
- Document the use of incident response retainers, external assessors, consultants, auditors or third-party service providers to support the cybersecurity program such as managed security service providers (MSSPs) and share this information with the roles responsible for preparing disclosure content.
4. Provide updates on risk management
- Provide high-level descriptions of cybersecurity risk management processes to assess, identify, quantify and manage material threats that might arise from cyber risk.
- Ensure processes are up to date and documented for assessing, identifying and managing material risks from cybersecurity threats, including those introduced by third parties. Ensure that these processes align with the organization’s overall risk management practices, where they exist.
- Refine Third-Party Risk Management across the entire Supply Chain – Depending on the complexity of the supply chain, it may be particularly challenging for a registrant to determine the materiality of a cyber incident, and significant judgment may be needed. For example, if the registrant uses, but does not own, third-party resources, it may be difficult to obtain the information needed to make a materiality determination for an incident involving those resources. This is especially difficult when a third-party resource itself relies on outside service providers. Note that registrants are not exempt from disclosing third-party cyber events, nor is there a safe harbor for information disclosed about third-party systems.
- Showcase the presence of a functioning risk assessment program that provides investors with enough data to comprehend the cybersecurity risk profile of the organization.
- Refrain from sharing details unrelated to incident materiality as they might inappropriately expose the cybersecurity posture of the company.
5. Define governance structures
- Establish a formal governance structure over the cybersecurity program that defines the responsibilities performed by specific roles and/or committees providing management and oversight over the program.
6. Ensure that your cybersecurity monitoring infrastructure supports this type of assessment and reporting
DON’TS for CISOs at respondent organizations
CISOs must avoid certain actions in order to respect the established allocation of fiduciary reporting authority:
- Do not assume authority or responsibility for compliance with SEC rules for systems beyond the CISO’s defined management purview (e.g., other roles may be responsible for operational technology or cyber-physical systems) as defined in the company’s cybersecurity charter.
- Do not assess the materiality of a cybersecurity risk or threat, of an individual incident, or of an aggregated collection of incidents. Assessment of materiality should be conducted by those responsible for SEC disclosures, and the information relevant to materiality is not limited to the severity of the incident itself. Focus on supporting the materiality assessment processes conducted by the corporate officers responsible for SEC reporting.
- Do not assume, and do not “overshare” – Limit incident details and mitigating actions to the minimum defined by corporate officers as required for SEC disclosure.
- A registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.
- Exercise Judgment – Although the final rule includes examples of cybersecurity incidents, a registrant will need to use judgment to determine whether “any information” residing in its information system has been jeopardized. Such judgment will vary with factors such as the complexity of the registrant’s information, the importance of the information to its operations, and the nature and extent of the information. The final rule notes that “the definition [of cybersecurity incident] is not self-executing; rather it is operationalized by Item 1.05, which is conditioned on the incident having been material to the registrant.” Further, given that the definition of a cybersecurity incident extends to ‘a series of related unauthorized occurrences,’ a registrant will still have to consider whether to aggregate related cyber incidents. For example, aggregation would be expected when, collectively, the following incidents are material:
  - incidents in which the same malicious actor engages in a number of smaller, continuous attacks against the same company, or
  - related attacks from multiple actors exploiting the same vulnerability.
  Thus, a registrant may need to consider establishing processes for:
  - inventorying related immaterial incidents and updating the inventoried incidents as changes occur,
  - continually updating its assessment of the aggregate materiality of such related incidents, and
  - retaining any information necessary for providing disclosures in case they are ultimately required.
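The inventory-and-aggregate step above can be backed by a small incident register. The following is an added example of my own, not code from the original post or from the SEC: it links incidents that share an actor or a vulnerability (the two aggregation patterns named in the rule), sums their estimated impact, flags groups that reach an assumed review threshold for the officers who own the materiality decision, and computes the four-business-day Form 8-K Item 1.05 deadline from the materiality determination date. The threshold, the identifiers and the incident data are constructed placeholders, and the deadline helper skips weekends only (no exchange-holiday calendar).

```python
# Added example (not from the original post or the SEC): a minimal incident
# register for the aggregation step. It only queues related incidents for the
# disclosure officers' review; it does not decide materiality.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_THRESHOLD_USD = 1_000_000  # assumed placeholder, not an SEC figure


@dataclass(frozen=True)
class Incident:
    incident_id: str
    actor: str             # CSIRT attribution label, or "unknown"
    vulnerability: str     # tracked weakness identifier, or "unknown"
    estimated_impact_usd: int


def related_groups(incidents):
    """Group incidents sharing an actor or a vulnerability; "unknown" never links."""
    groups = defaultdict(list)
    for inc in incidents:
        if inc.actor != "unknown":
            groups[("actor", inc.actor)].append(inc)
        if inc.vulnerability != "unknown":
            groups[("vulnerability", inc.vulnerability)].append(inc)
    # A single incident is not an aggregate; keep only genuine groups.
    return {key: members for key, members in groups.items() if len(members) > 1}


def flag_for_review(incidents, threshold=REVIEW_THRESHOLD_USD):
    """Keys of related groups whose summed impact reaches the threshold.

    Individually small incidents count here; that is the point of aggregation.
    The result is a review queue for the disclosure officers, not a verdict.
    """
    return sorted(
        key
        for key, members in related_groups(incidents).items()
        if sum(m.estimated_impact_usd for m in members) >= threshold
    )


def form_8k_deadline(determination: date, business_days: int = 4) -> date:
    """N business days after the determination date. Weekends are skipped;
    modelling exchange holidays is left out (an assumption of this example)."""
    current, remaining = determination, business_days
    while remaining:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 ... Friday=4
            remaining -= 1
    return current


# Constructed sample register: three small events by one actor, plus a second
# actor exploiting the same tracked weakness as one of them, and one unlinked.
SAMPLE = [
    Incident("INC-1", "actor-A", "unknown", 300_000),
    Incident("INC-2", "actor-A", "unknown", 400_000),
    Incident("INC-3", "actor-A", "WEAKNESS-7", 350_000),
    Incident("INC-4", "actor-B", "WEAKNESS-7", 50_000),
    Incident("INC-5", "unknown", "unknown", 900_000),
]
```

On the sample data, only the actor-A group (1,050,000 USD across three individually small incidents) reaches the threshold; INC-5 never forms a group because nothing links it.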
My Pro Tip and Perspective
1. Empower Executives in Cybersecurity:
Effective cybersecurity demands that executives and board members consider it a top strategic priority. It’s crucial not to leave frontline professionals to handle cyber threats on their own. The solution lies in identifying an executive who comprehends the significance of cybersecurity and can articulate its strategic value to key decision-makers. Enterprises that seize this opportunity gain a competitive edge, ensuring resilience in an ever-evolving digital landscape.
2. Elevate Cybersecurity as a Strategic Priority:
Instead of viewing the new SEC rules as a burdensome requirement, enterprises should regard them as a chance to shift their perspective. This shift involves elevating cybersecurity to a critical strategic concern in the C-suite and boardroom. Enterprise leaders must lead discussions on cyber threats and consider cybersecurity a pivotal factor across the business. By establishing a robust governance structure, fostering transparent communication, providing forward-thinking oversight, and leveraging cybersecurity experts’ skills, companies can not only comply with regulations but also chart a secure and prosperous path toward cyber resilience.
3. Timely Incident Disclosure:
The recent SEC regulations underscore the importance of promptly disclosing cybersecurity incidents. Clear and timely communication is vital for fostering trust and collaboration among various stakeholders, including employees, executives, board members, regulators, and the public. Taking responsibility and being accountable allows organizations to learn from each other’s experiences and work together to strengthen their defense against cyber threats.
4. Embrace Transparency:
Transparency is now a fundamental expectation in the SEC’s cybersecurity rules. Organizations must acknowledge that no one is immune to cyber threats, which underscores the need for prompt incident reporting. By implementing transparent disclosure policies, organizations can instill confidence among stakeholders and create a collaborative environment that enhances industry-wide resilience. This level of transparency also encourages active participation from all employees, making cybersecurity training more effective and promoting a cybersecurity-aware culture.
In the fast-evolving realm of cybersecurity, CISOs are at the forefront, grappling with transformative challenges driven by generative AI, stringent SEC regulations, and the relentless rise of advanced cyber threats. Their pivotal role involves articulating the consequences of cybersecurity incidents, encompassing both actual and foreseeable impacts, including potential financial implications. This shift in disclosure requirements underscores the significance of proactive governance and a well-structured mitigation plan seamlessly aligned with new guidelines. Strong cybersecurity governance serves as the cornerstone of comprehensive cybersecurity programs, building trust among stakeholders. In times of economic uncertainty, experienced cybersecurity experts on corporate boards prove invaluable, aiding CISOs in developing dynamic cybersecurity strategies. The provided DO’s and DON’Ts offer CISOs a valuable framework for navigating cybersecurity incident disclosure and SEC compliance adeptly during this transformative era.