How to Comply With the SEC’s New Cybersecurity Rule
On July 26, 2023, the Securities and Exchange Commission (SEC) introduced new rules regarding cybersecurity risk management, strategy, governance, and incidents. Public companies subject to reporting requirements must comply with the changes to avoid rescission and other monetary penalties, not to mention the risk of legal action and reputation damage. Here, we look at the two new cybersecurity rules and how your company can comply.
Key Changes in the SEC's Cybersecurity Rule
SEC now requires registrants to disclose material cybersecurity incidents as well as material information regarding their cybersecurity risk management, strategy, and governance each year as follows:
- Item 1.05 of Form 8-K: Report within four days of an incident “any cybersecurity incident determined to be material and describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.” Delay might be granted if the U.S. Attorney General determines immediate disclosure presents “substantial risk to national security or public safety.”
- Regulation S-K Item 106: Requires registrants to describe any processes for “assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents” on their annual report on Form 10-K. Registrants must also describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.
Compliance Timeline
Compliance timelines are as follows:
- Annual Form 10-K and Form 20-F cybersecurity disclosures: Disclosures begin with annual reports for fiscal years ending on or after December 15, 2023, for all registrants.
- Material cybersecurity incident disclosure on Form 8-K and Form 6-K: Non-SRC registrants must comply by December 18, 2023. SRCs have a 180-day extension until June 15, 2024.
- Structured data requirements Form 10-K and Form 20-F in Inline XBRL: All registrants must begin tagging their cybersecurity disclosures for fiscal years ending on or after December 15, 2024.
- Structured data requirements Form 8-K and Form 6-K in Inline XBRL: All registrants must begin tagging their material cybersecurity incident disclosures by December 18, 2024.
Overview of the Cybersecurity Rule's Disclosures
Cybersecurity disclosures include the following:
Material Cybersecurity Incident Disclosure Item 1.05 to Form 8-K. Item 1.05
Requires:
- The material aspects of the nature, scope, and timing of the incident; and
- The material impact or reasonably likely material impact on your business, including the financial condition and results of operations.
Risk Management, Strategy, and Governance Disclosure Item 106 to Regulation S-K
Requires:
- Disclosure of certain information regarding your cyber security risk management, strategy, and
- Information on governance in your annual reports on Form 10-K and comparable disclosure by FPIs in annual reports on Form 20-F.
Risk management Item 106 and Item 16K
Requires:
- Description of any processes for assessing, identifying, and managing material risks from cybersecurity threats; and
- Whether any risks from cybersecurity threats, including results of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect you.
The new rules include a non-exclusive list of disclosure items registrants should provide based on their facts and circumstances.
Governance, Item 106, and Item 16K
Requires:
- Description of the Board of directors’ oversight of risks from cybersecurity threats (including identifying any board committee or subcommittee responsible for such oversight); and
- Management’s role in assessing and managing material risks from cybersecurity threats.
Structured Data Requirements in Inline XBRL
Requires tagging:
- Block text tagging narrative disclosures; and
- Detail tagging quantitative amounts.
Who’s Responsible for Compliance?
Compliance calls for coordination across different business functions to ensure timely and accurate disclosures as follows:
Security
- Identifying, measuring, mitigating, and reporting on cyber risks
- Aligning safeguards and policies to those risks
- Partnering with finance and legal to evaluate incidents
Finance
- Creating documented policies, procedures, and internal controls to support timely disclosure and procedure requirements
- Estimating qualitative and quantitative materiality of incidents
- Determining current ability to comply with required disclosures
- Confirming incidents and risks with communication between:
o Geographies
o Business functions
o Business units
- Determining potential “material” effects of identified potential cyber incidents and risks both internally and third/nth parties
Risk
- Proactive management of top cyber risks internally and within third/nth parties
- Determining if current internal controls align with new SEC rules
- Assessing possible “material” effects of top cyber incidents and risks
Legal
- Plans to manage disclosure of legal risks
- Assessing potential legal challenges of “material” effects
- Preparing a process to report within four business days
- Identifying public safety or national security risks to report to the US Attorney General
Best Practices for Compliance
Best practices for compliance include:
Reporting Cybersecurity Incidents
- Establish a robust process for timely and accurate reporting.
- Conduct proactive tests of the escalation process to ensure effectiveness in critical situations
Determining Materiality of Breach or Attack
- Engage key stakeholders, including the CFO, General Counsel, CISO, CIO, and business leaders, in materiality assessments to ensure you make wise decisions on what would be considered an incident.
- Balance quantitative metrics and qualitative factors to help define the significance of a breach or attack.
Documentation of Materiality Determination
- Thorough documentation practices will provide transparent and justifiable materiality determinations.
- Documentation must be supported by transparency and clarity in processes when justifying conclusions to regulatory bodies.
Level of Information to Disclose
- Craft a disclosure strategy that maintains the confidentiality of cybersecurity procedures while meeting regulatory requirements.
- Use adaptable incident reporting templates to modify information as events unfold.
Reporting Within the Compliance Window
- Clarify the intricacies of the four-day timeframe for disclosing incidents to consider the work involved and whether it is plausible to meet the deadline.
- Highlight the commencement of the countdown upon the determination of materiality to ensure you meet deadlines.
Reporting Related Occurrences
- Your stakeholders need to define the nuanced requirement to report related occurrences deemed "material" to ensure you remain compliant.
- Place emphasis on the obligation to report events connected by a common malicious actor or vulnerability exploitation.
SEC Enforcement Actions and Consequences
2023 enforcement actions stressed the SEC’s desire to double down on enforcement, including:
- Asserting claims against non-financial individuals at public companies
- Focusing on disclosures beyond financial performance
- Alleging accounting control violations despite cases seeming to be unrelated to accounting
- Alleging disclosure control violations without an underlying false disclosure
- Litigation against public companies and executives
- Alleging SEC’s most serious violation, Section 10(b) intentional fraud
With the new rules in place, failing to comply can result in fines, penalties, legal actions, irreparable damage to a company's reputation and loss of shareholder trust.
Understanding the new disclosure rules, the impact and involvement for your organization’s business functions and best practices will help you create effective policies and processes to ensure SEC compliance while maintaining client and shareholder trust.
Taking proactive steps will avoid unpleasant surprises and enhance cybersecurity practices. Contact Blameless to discuss how we can help.