The U.S. Securities and Exchange Commission (SEC) recently implemented new rules requiring all of its registrants, including publicly traded companies, to disclose cybersecurity incidents in a timely and consistent manner, as well as publish information about their governance, risk management, and compliance (GRC) practices annually.
Similar regulations from other federal agencies are designed to protect consumers’ and employees’ personal information. In line with the SEC’s purpose, these new rules primarily aim to protect the interest of investors.
“Whether a company loses a factory in a fire or millions of files in a cybersecurity incident, it may be material to investors,” said SEC Chair Gary Gensler in a press release announcing the new rules. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”
This move is a significant development in cybersecurity regulations. It’s also a key example of the way data privacy and protection are permeating all aspects of business, with robust cybersecurity programs becoming requirements rather than options. Read on for more details about the new SEC cyber disclosure rules.
What are the SEC’s new cybersecurity and incident disclosure rules?
The new cybersecurity and incident disclosure rules further advance the Securities Act of 1933 and the Securities Exchange Act of 1934. According to the SEC, the rules aim “to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies.”
The rules require all SEC registrants to complete the following documentation when applicable, as described below:
- Regulation S-K Items 106(b) and 106(c) — In annual reports, detail processes for identifying, assessing, and managing material cybersecurity risks, including how potential risks may affect their business operations or finances, management’s role in these processes, and the board’s oversight.
- Form 8-K Item 1.05 — Disclose material cybersecurity incidents within 4 days of determining that they are material, including the incident’s nature, scope, timing, and impact.
  - Explaining its chosen timeframe, the SEC writes that reporting incidents within four days “would enable investors and other market participants to assess the possible effects of a material cybersecurity incident on the registrant, including any short- and long-term financial effects or operational effects, resulting in information useful for their investment decisions.”
  - The only accepted reason for delaying this deadline is if the United States Attorney General determines that disclosure would pose a substantial risk to national security or public safety.
For consistency and ease of analysis, registrants must tag their disclosures in Inline eXtensible Business Reporting Language (Inline XBRL).
Foreign private issuers (FPIs) must use Form 20-F in place of Regulation S-K Item 106(c) and Form 6-K in place of Form 8-K Item 1.05.
Why is the SEC enforcing cybersecurity regulations?
The SEC has not previously enforced requirements related to cybersecurity policy, incident, or data breach disclosure. In its final rule, the commission cites three main driving factors behind its more assertive involvement in this space:
- An increasing reliance on electronic systems, which makes cyber attacks exponentially more impactful to business operations as well as the global economy.
- The increasing frequency and severity of cyber attacks — the rule cites a recent SecurityScorecard study reporting that 98% of organizations use at least one third-party vendor that has experienced a breach in the last two years.
- The increasing costs associated with successful cyber attacks, including “business interruption, lost revenue, ransom payments, remediation costs, liabilities to affected parties, cybersecurity protection costs, lost assets, litigation risks, and reputational damage.”
Notably, a primary goal of these new rules is to increase specificity and consistency among incident disclosures. In its final rule, the SEC writes that “while some registrants do report material cybersecurity incidents … companies provide different levels of specificity regarding the cause, scope, impact, and materiality of cybersecurity incidents.”
What do the new disclosure rules mean for publicly traded companies?
The new disclosure rules mean that SEC registrants must have not just a solid understanding of their GRC, but also policies and partnerships in place to expedite incident assessments when they occur. It is crucial for publicly traded companies to understand the key components of this rule in order to comply with its requirements effectively. Non-compliance can result in severe consequences, including penalties and reputational damage.
While deep specificity into what data was compromised is not currently required by these new rules, companies will need to conduct a speedy investigation to determine whether an incident was “material” and report it within the required timeframe. The aggressive four-day reporting deadline, in line with strict deadlines found in model legislation like the General Data Protection Regulation (GDPR), is increasingly difficult to meet as companies’ digital reliance and assets grow exponentially.
Reporting incidents also publicizes vulnerabilities. To that point, SEC registrants will need to have processes in place to contain and remediate incidents quickly, thereby preventing other threat actors from exploiting reported vulnerabilities.
Are private companies and other organizations affected?
The new disclosure rules only apply to SEC registrants, including publicly traded companies. But as with other landmark cyber regulations, these are likely to trickle down to other areas of the marketplace, so it may benefit private companies to begin adopting some of the requirements early.
Further, with these new requirements, private companies and other organizations will have insight into registered companies’ GRC, which may provide useful guidance for their own risk management programs.
What do the new disclosure rules mean for incident response teams?
The new SEC disclosure rules provide increased incentive for companies to secure cyber service providers on retainer, both for proactive and reactive cybersecurity services. In particular, the material cybersecurity disclosure requirement makes it even more important for incident response (IR) firms to differentiate themselves to SEC registrants and their cyber insurers.
During the comment period before passing its final rule, the SEC received many complaints about the four-day incident reporting deadline, including:
- The required level of detail (the incident’s nature, scope, timing, and impact) isn’t feasible within that timeframe.
- The short deadline will result in the publication of unclear or potentially inaccurate information that could cause market insecurity.
- The short deadline will result in a high rate of “false positives” — incidents that are reported, then turn out not to be material upon further investigation.
These comments show a lack of confidence in IR teams’ ability to deliver the required insights within the aggressive four-day reporting deadline. And it’s true: many IR teams continue to use outdated workflows and technology, so they can’t keep up with these demands without an exponential increase in manpower and time — which leads to a corresponding increase in costs for the registrant (and in revenue for the IR firm).
But some cutting edge IR firms have adopted the latest AI and machine learning technology to deliver results faster, more accurately, and more efficiently. With the industry’s only Data Breach Response software that’s purpose-built for data mining, IR teams can provide an incident’s scope and impact within this strict required timeframe.
When do the new SEC rules go into effect?
The SEC first proposed the new disclosure rules for cybersecurity risk management, strategy, governance, and incidents in March 2022, and it published the final rule in July 2023.
Notable dates include:
- September 5, 2023 — The final rule goes into effect.
- December 15, 2023 — Registrants must begin submitting cybersecurity risk management, strategy, and governance disclosures for fiscal years ending on or after this date.
- December 18, 2023 — Registrants (other than smaller reporting companies) must begin complying with incident disclosure requirements.
- June 15, 2024 — Smaller reporting companies must begin complying with incident disclosure requirements.
You can view the full text of the SEC final rule here.