The Securities and Exchange Commission (SEC) has taken a significant step in bolstering cybersecurity disclosures for public companies by adopting new rules that aim to provide investors with comprehensive and standardized information on cybersecurity risk management, strategy, governance, and incidents.
Adopted in July 2023, these new rules come after a lengthy rule-making and public comment process and act as official recognition that the ever-present danger of cybersecurity threats can impact investor decision making.
The highlights: What you need to know
The crux of the new SEC rules is that companies are required to report both material cybersecurity incidents and cybersecurity risk management processes in a standardized way and according to certain timelines. More specifically:
Incident disclosures
The final rule requires current report disclosures (Item 1.05 in Form 8K or 6-K) within four days of “material” cybersecurity incidents that describe (1) the nature, scope, and timing of the incident and (2) the impact or likely impact of the incident on the registrant, including financial and operational impact.
Annual disclosures
The final rule requires disclosures in annual reports (Form 10-K or 20-F) that describe (1) the registrant’s process to identify, assess, and manage cybersecurity risks; (2) how risks from cybersecurity threats have materially affected or reasonably likely to materially affect business operations, strategy, or financial conditions; (3) the registrant’s board of directors’ oversight of cybersecurity risks, and (4) management’s role in assessing and managing risks from cybersecurity threats.
The SEC requires companies to report both material cybersecurity incidents and cybersecurity risk management processes in a standardized way.
Deadlines
The final rule became effective on September 5, 2023. The annual cybersecurity disclosure will be required for registrants with fiscal years starting December 15, 2023, and after. The current report disclosure obligation of Item 1.05 begins shortly thereafter on December 18, 2023, although smaller reporting companies have until June 15, 2024. Further, beginning on December 15 and 18, 2024, there are additional requirements regarding the formatting of these annual and current report disclosures, respectively (i.e., formatting these disclosures in Inline XBRL to allow for automated searchability and analysis).
The details: What the rules say
There’s been an incident — what must be disclosed?
The new rules require disclosure of cybersecurity incidents determined to be “material” (more on this below) as well as the nature, scope, and timing of the incident and the reasonably likely impact of the incident on the registrant’s financial condition and operations.
However, unlike previous iterations of the draft rule, there is no requirement to disclose specific or technical information about the registrant’s planned response to the incident or its potential cybersecurity systems vulnerabilities.
How soon must the disclosure be made?
Within four business days! Having four days to disclose a cybersecurity incident in a public filing may seem tight, and it is, but there is more flexibility built into the parameters of the final rule than is apparent.
The four-day clock only begins at the point when the registrant has determined it has experienced a “material” cybersecurity incident, and that materiality determination need only be made “without unreasonable delay.”
As flexible as the standard may be, it does not allow a registrant to stretch an investigation until the incident has been fully remediated in order to delay reporting. A registrant must make the 8-K disclosure with the information available at the time and then later supplement the original disclosures as necessary through an amendment to Item 1.05.
So, what’s a “material” incident?
Plainly, an incident is material if “there is a substantial likelihood a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.” (See TSC Industries, Inc. v. Northway, Inc).
Again, there is a core of subjective flexibility in this determination, but a registrant should observe the established interpretation of SEC “materiality” standards, such as found in the cases of TSC Industries, Inc. v. Northway, Inc.; Basic, Inc. v. Levinson; and Matrixx Initiatives, Inc. v. Siracusano, and likewise with those set forth in 17 C.F.R. § 230.405 and 17 C.F.R. § 240.12b-2.
More practically, materiality should be determined based upon the qualitative impact of the incident, such as financial impact to the registrant (mainly remediation costs, legal fees and loss of business), the possibility of getting sued, or of regulatory action. Here are some guideposts to help a registrant’s materiality determination (from IBM’s Cost of a Data Breach Report 2023):
- On average, it takes 277 days to identify and fully contain a data breach.
- The global average cost of a data breach in 2023 was $4.45 million.
- The most expensive breaches involve healthcare-related information at an average cost of $10.93 million. The financial services industry is next at $5.90 million per breach, followed by pharmaceutical ($4.82 million) and energy ($4.78 million).
- Smaller companies are seeing considerable increases in the average cost of a data breach, from $2.92 million to $3.31 million from 2022 to 2023.
- Customer and employee personal identifiable information (PII) (such as SSNs) are the costliest records to be compromised, at $183 per record.
- Intellectual property compromise was reported in 34% of breaches, up from 27% in 2021.
Are there any exceptions?
Yes, but they are limited. A registrant may delay filing an Item 1.05 on Form 8-K if the U.S. attorney general determines that immediate disclosure would pose substantial risk to national security or public safety.
However, even in the most extraordinary circumstances, the reporting can only be delayed a total of 120 days. The mechanics of how to actually secure this delay are still being hammered out; the FBI is working with the Department of Justice to develop additional guidance to effectuate this exception.
What about the annual disclosure?
New requirements for annual disclosures require a description of processes to identify, assess, and manage cybersecurity risks and particularly, management’s and the board of directors’ role in assessing and managing material risks from cybersecurity threats. This disclosure naturally demands oversight by the board of directors of a registrant’s cybersecurity risks; the disclosure requires identification of any board committee or subcommittee responsible for oversight of cybersecurity risk and how they are informed about these risks.
However, the rules only require disclosures “in sufficient detail for a reasonable investor to understand those processes.” (See 17 C.F.R. 229.106(b)(1)). They do not require intimate details about the frequency of board discussions of cybersecurity or information about any director’s expertise in cybersecurity.
The practical: How to comply
Update (or establish) controls and procedures
Compliance starts with a written information security policy (a “WISP”) and security incident plan that documents how events are detected, evaluated, and escalated. Ask, “Does the board of directors or relevant management have the necessary experience to evaluate cyber risks and events?”
Registrants may also consider drafting a “playbook” of established procedures to avoid time-crunched, ad hoc decision making in the heat of an ongoing cybersecurity event.
Know your risks
Identifying the areas of risk allow a registrant to focus resources on detection, mitigation, and remediation of common danger zones, sure to be of interest to savvy investors. Top of mind should be:
- Cloud environments: 82% of breaches involved data stored in public cloud, private cloud, or across multiple environments (from IBM’s Cost of a Data Breach Report 2023).
- Remote workforce.
- Supply chain.
- Outsourced software development.
Find your way to Carnegie Hall (practice, practice, practice)
Paper plans rarely survive the crucible of an active security incident. Tabletop exercises build muscle memory for IT, legal, and executive-level stakeholders to ensure that procedures are followed and allow for accurate and timely reporting.
Don’t wait till the last minute
Security incidents may arise at any time, but end of the fiscal year disclosures do not. Begin drafting end-of-year disclosure sections now to allow for holistic input from stakeholders and board of directors’ review and approval. Carefully determine how to accurately and meaningfully describe risk assessment strategy and security programs without giving threat actors a blueprint for attacking your systems.