SEC Final Rules on Public Company Cybersecurity Disclosures - What Should You Know

The SEC announced its final rules on cybersecurity incident disclosures in July.

Introduction

In July the Securities and Exchange Commission (SEC) adopted new rules requiring public companies to disclose material cybersecurity incidents. The rules also address cybersecurity strategy, governance, and incident disclosures by public companies (the “Cybersecurity Rules”). This article briefly highlights some key issues that may impact your organization.

Required Disclosure

The Cybersecurity Rules require disclosure of “material cybersecurity incidents”. Companies must provide the disclosure within four business days from the date a cyber incident is determined to be “material”. This date may differ from the date on which the incident is discovered, and that distinction may be challenging to implement.

Who is Impacted and What is Filed?

Covered entities include all issuers of securities that file annual reports on Form 10-K or Form 20-F. These companies should promptly review their cybersecurity policies and procedures.

  • Annual reports on Forms 10-K and 20-F should include the new material cybersecurity incident disclosures for the fiscal years ending on or after December 15, 2023. This means that calendar-year issuers must comply with the new rules in this year’s annual reports.

  • Issuers must begin reporting the information required under new Item 1.05 of Form 8-K, and the corresponding disclosure on Form 6-K, starting on December 18, 2023. Smaller reporting companies will have an additional 180 days before they must begin complying with the new Form 8-K requirements.

Cybersecurity Rulemaking

This is the SEC’s first foray into cybersecurity rulemaking. Several additional cyber disclosure and risk management proposals are pending final review, so expect more from the SEC regarding cybersecurity disclosures. The SEC has been moving in this direction since 2000, when it issued Regulation S-P, which requires broker-dealers, registered funds, and investment advisers to create written policies and procedures that address how customer records and data are safeguarded. In 2018 the SEC issued a statement on cybersecurity disclosures that touched on the materiality of incidents. In short, watch this space and expect more to come.


Materiality

A covered entity must determine whether the incident is material or not. When making the materiality determination, companies should use the same standard that generally applies under federal securities laws. In other words:

  • Information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or

  • if it would “have significantly altered the ‘total mix’ of information made available” to the investor.

Materiality Remains Subjective

Materiality remains in the eye of the beholder. Covered companies will need to define it for themselves. The government has afforded issuers room to judge materiality based on prior SEC guidance and the legal jurisprudence to date.

Issuers must assess both quantitative and qualitative impacts. The SEC notes that a lack of quantifiable harm does not necessarily mean an incident is not material. For example, reputational harm may not be easily quantifiable, but it is likely to be material.

The conversation on how to define materiality in the cybersecurity context will likely go on for some time, and it may be murky at first, especially for businesses without significant experience.

Third-Party Incidents

The Cybersecurity Rules introduce the topic of “systemic risk” into the enterprise risk analysis.

In analyzing a cyber incident, issuers must consider the third-party ecosystem. If an incident occurs within a third party’s systems, the issuer must still assess materiality within its own business environment.

In short, the Cybersecurity Rules may introduce a new burden on the technology firms that have introduced systemic risk into the markets. One of the thousands of users of a service could report the incident as material, and such a report may have ripple effects.

“CISO Liability”: A Concern

Many chief information security officers (CISOs) are concerned about personal liability when handling any incident. One result of the new Cybersecurity Rules may be the elevation of the role of the CISO, especially if their liability for cybersecurity reporting increases.

Recalling the story of Joe Sullivan, the first step toward avoiding personal liability is to not withhold, cover up, or falsify information.

But what if a disagreement about materiality results in under-reporting? Who then is responsible? Moreover, is the CISO the right person to analyze what a “reasonable shareholder” would consider material? Clearly, the response to any cybersecurity incident must involve lawyers to aid the CISO and IT staff.

Some of these fears may be unfounded, but all CISOs, particularly at publicly traded companies, are paying attention. In the end, expect more accountability for CISOs and the management team.

What Next Steps Should You Consider?

Awareness

First, your organization must be aware of cybersecurity incidents. This requires some form of third-party risk monitoring. Companies must understand which cybersecurity resources are insourced and which are outsourced. Many tactical steps are required, and organizations will need to develop these processes if they don’t already exist. The steps include the following:

  • Understand what existing processes are

  • Understand how threats and breaches are detected

  • Determine how to comply and respond

Heuristics

CISOs must go beyond speaking about threats and controls in broad terms. The IT security staff will need to develop a heuristic for analyzing particular types of incidents and explaining what the company’s response should be.

Build a Team

An appropriate disclosure under the Cybersecurity Rules will demand input from a multidisciplinary team. This team should include stakeholders from IT, engineering, the general counsel’s office, finance, HR, and management.

Update Risk Management Program Processes

The SEC changed the language in the final rule to require disclosure of “processes”, rather than of the existence of “policies and procedures.” Companies must invest significant effort in revisiting and updating their incident response processes. The team managing cybersecurity risks must be able to internally document the following:

(1) identification of threats;

(2) identification of incidents;

(3) assessment of the impact on systems (people, process, technologies, networks, emerging technologies, procurements, etc.);

(4) assessment of the impact on qualitative and quantitative drivers (revenue, market value, balance sheets, employee productivity, reputation, etc.);

(5) assessment of the impact on stakeholders; and finally,

(6) determination of materiality.

Having accounted for all this, the team must then decide how to communicate the organization’s publicly disclosable processes.

Governance

The board of directors and senior management should understand their roles in the disclosure process and expectations for clear communication. Expect both the C-Suite and middle management to become more involved in cybersecurity incidents. The shared focus should be on process maturity and transparency.

A Missed Opportunity?

The new Cybersecurity Rules are both a game changer and, perhaps, a missed opportunity. 

The game changer is the materiality issue. The board and senior leaders must understand how information systems create value for the company as well as risk. Moreover, they must understand how information systems support and interact with the business in order to fully appreciate and decide the question of materiality.

The missed opportunity is that the SEC could have required boards to include someone with a cybersecurity background. Time will tell. Perhaps future SEC enforcement actions will compel some companies to elevate a former CISO to the boardroom to clearly communicate cybersecurity-related impacts to the business.

Conclusion

For many issuers, preparing to comply with the Cybersecurity Rules will require significant effort in the near term. If your organization needs help maturing its governance, risk, and compliance (GRC), privacy, or data protection programs, 1 Global Data Protection Advisors (1GDPA) can help. Reach out for a free consultation at any time.
