New reporting requirements take effect September 5, 2023. Here's what they mean to you.
The Securities and Exchange Commission (SEC) has adopted a new rule to standardize and speed disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. The new SEC rule requires the following disclosures:
- Prompt disclosures regarding material cybersecurity incidents;
- Periodic disclosures about a registrant’s processes to assess, identify, and manage material cybersecurity risks;
- Management’s role in assessing and managing material cybersecurity risks; and
- The board of directors’ role in overseeing cybersecurity risk.
One of the new requirements is a stringent four-business-day window for disclosing a material cybersecurity incident, measured from the day the company determines the incident is material rather than from the day it is discovered. With an effective date of September 5, 2023, regulated organizations need to become fully versed in the details of the new rule and its implementation.
SEC Relevance in the Digital Age
The SEC regulates the major participants in U.S. securities markets, including but not limited to broker-dealers, transfer agents, and self-regulatory organizations such as stock exchanges, FINRA, and clearing agencies, according to the SEC website. The Commission monitors the activities of more than 28,000 entities in the securities industry with the mission of maintaining fair and orderly markets, protecting investors large and small, and facilitating the growth of American businesses, jobs, and innovation.
The progression of the SEC from a body focused on financial regulation to one that places significant emphasis on cybersecurity is a testament to the intertwined nature of finance and data in the modern age. Financial well-being is now inextricably linked with data security. Cybersecurity is a critical issue for public companies, as data breaches can have a significant impact on a company's financial performance and reputation. In recent years, there has been a sharp increase in the number and severity of data breaches, and the SEC has responded accordingly.
Details of the New SEC Rule
The new SEC rule requires public companies to disclose any cybersecurity incident that is material to the company's operations or financial condition within four business days of determining that it is material. The materiality determination itself must be made without unreasonable delay after the incident is discovered, so the clock cannot be postponed by simply deferring the analysis. This is a significant change from prior practice: the SEC's 2018 interpretive guidance called for timely disclosure but set no fixed deadline, so the timing of incident disclosures varied widely from company to company.
The new rule also requires companies to disclose, in the annual Form 10-K under new Item 106 of Regulation S-K, material information regarding their cybersecurity risk management, strategy, and governance programs. Foreign private issuers must make comparable disclosures on Form 20-F (annual) and Form 6-K (incidents).
The SEC’s new cybersecurity rule is a call to action for every organization:
- Transparency is Imperative: The condensed incident reporting window speaks volumes about the urgency of transparency. In a hyper-connected age where news travels instantly, investors and other stakeholders demand rapid and clear communication about security incidents that potentially affect them. Under the new mandate, a public company must disclose a cybersecurity incident that is material to its operations or financial condition within four business days of determining the incident to be material.
- Protecting Investors: The new mandate is a major step forward in protecting investors from the consequences of cybersecurity incidents. It will ensure that investors are promptly informed of any material incident that could affect a company's financial performance, bottom line, or reputation, giving them the information they need to make informed investment decisions.
- Holistic, Resilient Data Security: The mandate encourages businesses to perceive data protection as an encompassing umbrella. It's not just about fending off attacks, but ensuring the overall privacy, integrity, and resilience of data infrastructures. Resilience has become a benchmark of cybersecurity, and the SEC is keenly interested in how organizations not only defend against threats but recover and learn from them.
- Proactive vs. Reactive Compliance: Historically, organizations adopted a more reactive stance toward cybersecurity, only addressing threats once they had manifested. The SEC’s new approach is a seismic shift toward proactivity, emphasizing the importance of preventive mechanisms as well as reactive solutions.
What is Considered Material Under the New SEC Rule?
Under the new rule, the SEC applies the long-standing securities-law definition of materiality drawn from the U.S. Supreme Court's decisions in TSC Industries v. Northway and Basic v. Levinson: information is material if (1) "there is a substantial likelihood that a reasonable shareholder would consider it important" in making an investment decision, or (2) if it would have "significantly altered the 'total mix' of information made available."
Companies assessing the materiality of cybersecurity incidents, risks, and related issues should do so through the lens of the reasonable investor and take into consideration all relevant facts and circumstances, which may involve both quantitative and qualitative factors, applying the two criteria above.
To determine whether a cybersecurity incident is material, businesses should apply a materiality analysis that considers the potential impact of the incident on the company's operations, financial condition, and reputation. The analysis should consider the nature, scope, and timing of the incident, the type of data involved, the extent of harm to affected individuals, the potential for litigation or regulatory action, and the company's ability to contain and remediate the incident. It should be conducted from the perspective of a reasonable investor, and if the incident meets the criteria the company must disclose it. Because the disclosure deadline runs from the materiality determination, the analysis itself should follow a documented, repeatable process with a named owner, so the company can show it was completed without unreasonable delay.
Guidelines for Disclosure of Cybersecurity Risks and Incidents
Through Item 106 of Regulation S-K, the SEC sets out what registrants must disclose about cybersecurity risks and incidents. Specifically, Item 106(c) features examples of the types of information registrants may need to disclose in order to satisfy their obligations under Item 106(a). The list includes, but is not limited to:
- Discussion of aspects of the registrant's business or operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including industry-specific risks and third-party supplier and service provider risks;
- Description of outsourced functions having material cybersecurity risks and how the registrant addresses those risks;
- Description of material cybersecurity incidents experienced by the registrant, including a discussion of the risks of such incidents;
- Description of the cybersecurity risk management program and how the program is designed to identify, assess, and manage cybersecurity risks;
- Description of cybersecurity policies and procedures for identifying and responding to cybersecurity incidents, including the process for notifying customers and other stakeholders;
- Discussion of cybersecurity training and awareness program for employees;
- Discussion of compliance with applicable cybersecurity-related laws and regulations, where material; and
- Description of the registrant's involvement in any material legal proceedings related to cybersecurity risks or incidents.
It is important to note that this list is not exhaustive, and registrants may need to disclose additional information depending on their specific circumstances. Public companies should use Form 8-K (new Item 1.05) to report any cybersecurity incident deemed material within the required four-business-day window. The 8-K must describe the material aspects of the incident's nature, scope, and timing and its material impact or reasonably likely material impact on the company. The only permitted delay is narrow: the filing may be deferred if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing.
Concerns Over Escalating Ransomware Attacks
An SEC press release dated July 26, 2023 positions the new rule, and the need for it, with this statement:
"Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors," said SEC Chair Gary Gensler. "Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them."
Cybersecurity incidents come in many forms, from hacking and phishing schemes to insider attacks, and one of the most damaging is ransomware. Ransomware threats are escalating, and the SEC recognizes the potentially disastrous consequences that could result from any one of the companies it regulates falling victim to ransomware. The following list describes several common ransomware tactics that organizations should be aware of and safeguard against.
- Type A (encryption only): Here, data is held hostage. The encryption of vital data and system files leads to operational paralysis, and organizations are faced with the moral and operational dilemma of whether to pay the ransom or risk permanent data loss.
- Type B (exfiltration and extortion): Cyber adversaries breach data protections, and instead of merely encrypting a company's data, they exfiltrate vital information. This shifts the impact from potential data loss to reputational and regulatory risk, with organizations held to ransom over the threat that the stolen data will be published or sold.
- Type C (double extortion): A malicious blend of A and B, this dual-threat tactic leaves organizations grappling with both operational disruption and potential reputational damage. Note that under the new rule a Type B or Type C incident can be material even when no system was ever encrypted, because the loss of confidentiality alone can matter to a reasonable investor.
Unanswered Questions
While the new SEC rule is far-reaching, certain aspects require further clarity:
- As companies operate in a global ecosystem, how does the new SEC mandate mesh with incident-reporting obligations in other jurisdictions, whose deadlines and materiality thresholds differ from the SEC's?
- How can businesses balance the need for transparency and disclosure with the need to protect sensitive information and avoid giving potential attackers a roadmap for exploiting vulnerabilities? The rule offers partial relief here: an instruction to Item 1.05 states that a registrant need not disclose specific technical information about its planned response, its systems and networks, or potential vulnerabilities in such detail as would impede its response or remediation. Where that line falls in practice remains to be worked out.
- How can businesses ensure that their disclosures of cybersecurity risks and incidents are accurate and complete, given the rapidly evolving nature of cybersecurity threats and the difficulty of detecting and assessing such threats?
- How can businesses effectively manage third-party cybersecurity risks, including risks associated with vendors, suppliers, and other service providers?
Timing of Implementation and Compliance with New SEC Rule
The new SEC rule became effective on September 5, 2023, 30 days after its publication in the Federal Register on August 4, 2023.
The Form 10-K and Form 20-F disclosures are due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K incident disclosures are due beginning 90 days after the date of publication in the Federal Register or on December 18, 2023, whichever is later. Smaller reporting companies receive an additional 180 days for the incident disclosures, making their compliance date June 15, 2024.
Regulated organizations should be preparing now to meet the new requirements, or risk non-compliance. SEC-regulated companies are well aware of their reporting obligations and the consequences of reporting failures, which may include but are not limited to enforcement actions, fines, and reputational damage. In addition, legal liability could be incurred if a company were to experience a material cybersecurity incident that was not promptly disclosed, or if a disclosure was found to be false or misleading.
What Companies Should Do
To meet cybersecurity challenges head-on, organizations should:
- Partner with Experienced Cybersecurity Professionals: Enlisting the expertise of cybersecurity firms like 24By7Security is vital. Their experience with frameworks such as PCI DSS (dedicated to secure payment card transactions) and FFIEC (ensuring cybersecurity robustness in financial institutions) can help companies build the risk management and governance program the rule requires them to describe.
- Upgrade Defense Mechanisms: A basic firewall is passé. The modern threat landscape necessitates next-gen threat detection systems, AI-integrated defense tools, and comprehensive monitoring.
- Prioritize Continuous Learning: Cyber threats morph constantly. Rigorous training regimens, periodic workshops, up-to-date information sessions and continuous reminders can fortify the human element of the defense mechanism.
- Develop a Comprehensive Incident Management Plan: A blueprint for incident scenarios is non-negotiable, and should encompass immediate technical action, clear communication channels, legal navigation, and reflective post-incident analyses. Under the new rule the plan must also include a defined materiality-assessment step, with named owners and an escalation path to legal counsel and the disclosure committee, so that the determination is made without unreasonable delay and the Form 8-K can be filed within four business days of it.
Summary
In an age where data is a prime corporate asset, its security and privacy are mandatory. A single data breach can erode years of customer trust. Organizations are no longer evaluated merely by their products or revenue but by their dedication to data protection and ethical conduct.
Provisions of the new SEC rule, including the four-business-day disclosure mandate, signal a paradigm shift in business priorities within the SEC landscape. Cybersecurity has steadily emerged from the domain of IT departments to drive discussions in boardrooms and in government agencies. Cybersecurity is not just a regulatory requirement but a foundational pillar of modern business. As federal and state regulations continue to evolve and strengthen, the underlying message remains unaltered: In an era ruled by data, its defense is paramount.