The U.S. Securities and Exchange Commission (SEC) has adopted new rules requiring its registrants, including publicly traded companies, to disclose material cybersecurity incidents in a timely and consistent manner, and to describe their cybersecurity governance, risk management, and compliance (GRC) practices annually.
Similar regulations from other federal agencies are designed to protect consumers' and employees' personal information. The SEC's rules, in keeping with its mandate, primarily aim to protect the interests of investors.
“Whether a company loses a factory in a fire or millions of files in a cybersecurity incident, it may be material to investors,” said SEC Chair Gary Gensler in a press release announcing the new rules. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”
This move is a significant development in cybersecurity regulations. It’s also a key example of the way data privacy and protection are permeating all aspects of business, with robust cybersecurity programs becoming requirements rather than options. Read on for more details about the new SEC cyber disclosure rules.
The new cybersecurity and incident disclosure rules further advance the Securities Act of 1933 and the Securities Exchange Act of 1934. According to the SEC, the rules aim “to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies.”
The rules require all SEC registrants to complete the following documentation when applicable, as described below:
For consistency and ease of analysis, registrants must tag their disclosures in Inline eXtensible Business Reporting Language (Inline XBRL).
Foreign private issuers (FPIs) make the equivalent disclosures on their own forms: the annual disclosure goes in Form 20-F (new Item 16K) in place of Regulation S-K Item 106, and material incidents are reported on Form 6-K in place of Form 8-K Item 1.05.
Until now the SEC had imposed no explicit line-item disclosure requirement for cybersecurity policies, incidents, or data breaches; registrants relied on general materiality obligations and on the Commission's interpretive guidance of 2011 and 2018. In its final rule, the commission cites three main driving factors behind its more assertive involvement in this space:
Notably, a primary goal of these new rules is to increase specificity and consistency among incident disclosures. In its final rule, the SEC writes that “while some registrants do report material cybersecurity incidents … companies provide different levels of specificity regarding the cause, scope, impact, and materiality of cybersecurity incidents.”
The new disclosure rules mean that SEC registrants must have not just a solid understanding of their GRC, but also policies and partnerships in place to expedite incident assessments when they occur. It is crucial for publicly traded companies to understand the key components of this rule in order to comply with its requirements effectively. Non-compliance can result in severe consequences, including penalties and reputational damage.
While the new rules do not require deep specificity about what data was compromised, companies will need to conduct a speedy investigation to determine whether an incident is "material" and then report it within the required timeframe. Note what starts the clock: Form 8-K Item 1.05 is due within four business days of the registrant determining that the incident is material, not four days from discovery, and the rule requires that materiality determination to be made without unreasonable delay after discovery. The deadline is comparable in spirit to the 72-hour supervisory-authority notification under the EU General Data Protection Regulation (GDPR), and it becomes harder to meet as companies' digital footprints and asset inventories grow.
Reporting incidents also publicizes the fact that a company has been compromised. The rule tempers this in two ways: the Item 1.05 disclosure need not include technical details about the registrant's planned response, its systems, or specific vulnerabilities to a degree that would impede remediation, and disclosure may be delayed if the U.S. Attorney General determines that it would pose a substantial risk to national security or public safety. Even so, SEC registrants will need processes in place to contain and remediate incidents quickly, so that a public filing does not invite other threat actors to exploit the same weakness before it is closed.
The new disclosure rules only apply to SEC registrants, including publicly-traded companies. But as with other landmark cyber regulations, these are likely to trickle down to other areas of the marketplace, so it may benefit private companies to begin adopting some of the requirements early.
Further, with these new requirements, private companies and other organizations will have insight into registered companies’ GRC, which may provide useful guidance for their own risk management programs.
The new SEC disclosure rules provide increased incentive for companies to secure cyber service providers on retainer, both for proactive and reactive cybersecurity services. In particular, the material cybersecurity disclosure requirement makes it even more important for incident response (IR) firms to differentiate themselves to SEC registrants and their cyber insurers.
During the comment period before passing its final rule, the SEC received many complaints about the four-day incident reporting deadline, including:
These comments show a lack of confidence in IR teams' ability to deliver the required insights within the aggressive four-day reporting deadline. And it's true: many IR teams still rely on outdated workflows and technology, so they cannot keep up with these demands without a large increase in manpower and time, which translates directly into higher costs for the client (and higher revenue for the IR firm).
But some cutting-edge IR firms have adopted the latest AI and machine learning technology to deliver results faster, more accurately, and more efficiently. With Data Breach Response software that is purpose-built for data mining, IR teams can establish an incident's scope and impact within this strict timeframe.
The SEC first proposed the new disclosure rules for cybersecurity risk management, strategy, governance, and incidents in March 2022, and it published the final rule in July 2023.
Notable dates include:
You can view the full text of the SEC final rule here.