Breaking Down the New SEC Cybersecurity Rules
On July 26, the Securities and Exchange Commission (SEC) adopted new cybersecurity rules. Organizations will need to disclose material cyber incidents on a prescribed timeline and to report on cybersecurity risk management, strategy, and governance annually. The goal is to bring consistency to the disclosure process, to the benefit of both organizations and their investors. Any business registered with the SEC is subject to these updates and should take steps now to comply.
The new SEC rules will require process reevaluation and changes. Leadership teams and legal departments must work together to make updates and maintain adherence to the new standards. Here is an overview of the key additions:
- When a material cybersecurity incident occurs, organizations need to disclose it on Form 8-K within four days of determining that it is material. The disclosure must describe the material aspects of the incident's nature, scope, and timing, and its material impact on the organization. There is a narrow exception to the four-day rule if the U.S. Attorney General determines that disclosure would pose a substantial risk to national security or public safety.
- In the annual report on Form 10-K, organizations must now include three new categories of information. The first is the organization's processes for assessing, identifying, and managing material risks from cybersecurity threats. The second is any material effects of risks from cybersecurity threats and of prior incidents. The last is a description of the board of directors' oversight of risks from cybersecurity threats, together with management's role and expertise in assessing and managing material risk from those threats.
- Foreign private issuers will also need to provide the same disclosures listed above on Form 6-K for incident data and Form 20-F for risk management, strategy, and governance efforts.
- The rules go into effect 30 days following publication in the Federal Register. Public companies will be required to comply with the new incident disclosure requirements starting Dec. 18, 2023. Smaller reporting companies have a longer grace period, until June 15, 2024. To qualify as a smaller reporting company, a company must fall within one of two categories: those with less than $250 million of public float, or those with less than $100 million in annual revenues and either no public float or a public float of less than $700 million. The risk management, strategy, and governance disclosures must be included in an organization's first annual report for a fiscal year ending on or after Dec. 15, 2023.
On initial release, the four-day rule caused some concern over how early in the process disclosure falls, since remediation will likely still be under way. Anticipated obstacles include meeting the tight timeline, not yet having the full picture of what data was breached and who must be notified, correctly judging whether a breach is material, and a lack of clarity over whether an SEC disclosure would obviate the need for individual notice. There may be hesitancy or confusion about when to report cyber incidents, incomplete reporting because not enough information is available, and concern over falsely reporting an event. Current best practice runs counter to the new rule's approach: it holds that there should be no reporting until the organization is certain a breach occurred, has stopped it, and understands its scope, because reporting facts prematurely or inaccurately exposes the organization to other kinds of risk and repercussions. The incident rule also applies to breaches involving third-party providers. A trusted relationship with providers therefore needs to be prioritized, as does a mature process for vetting and approving providers, including assessment of their cyber posture and preparedness.
The SEC made changes in the final version of the rules to address some of these worries, including not requiring disclosure of technical details of a breach and leaving room for judgment on what is considered material and when the four-day timer begins; both are fact-dependent. There will be more clarity on how the SEC addresses the remaining questions once reporting begins. Taking steps to comply beforehand will put an organization in the best position to respond quickly, while also building a stronger culture of cybersecurity management and governance.
All organizations should strive to develop good cyber hygiene. As the threat landscape evolves and new tools emerge, the compliance standard will also change. The new SEC rules underscore the serious threat that cyber incidents pose and the expectation that organizations respond in a uniform, expedient manner. This is a C-suite level initiative, and there needs to be board-level attention on minimizing, managing, and responding to cyber risk. This can be accomplished by having a robust cyber incident preparedness and response plan. Organizations that already have one in place should review and update it to comply with the new rules. Legal should also be a key player in this process.
Many organizations and legal departments will need to get up to speed on the requirements for their incident response plans and remediation processes. Understanding the steps and time involved in responding to an actual event is crucial. The focus should be on ways to improve preparedness, such as regular tabletop exercises, employee training on how to report suspected breaches, designated incident contacts, escalation processes, tools to monitor attack trends and security vulnerabilities, and increased involvement by the C-suite. All of this will help organizations pinpoint potential threats so they can take appropriate steps to limit risk, manage information better, and respond to incidents quickly, all while remaining compliant.
Having a relationship with a provider that can offer both proactive planning and response efforts is a game changer. It helps ensure that the C-suite, legal, and other key actors are aligned on cybersecurity initiatives and ready to respond in the event of a breach. Since breaches involving third-party provider systems also need to be reported, a longstanding partnership allows for more seamless communication when fulfilling reporting requirements. In annual reports, organizations will also need to include information about providers and consultants that assist with cybersecurity planning and response programs.
The contents of this article are intended to convey general information only and not to provide legal advice or opinions.