Navigating the New SEC Rules for Cyber Disclosure – What You Need to Know
Back in July, the SEC (Securities and Exchange Commission) announced its final rule on Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure, intended to give investors more transparent and consistent information. Meeting these requirements is essential to keeping your business compliant, and your team should be prepared for the shift now.
Why is this guidance in place?
The SEC created this rule to give investors and other stakeholders more visibility into how companies manage cybersecurity risk, what their strategy and governance look like, and how cybersecurity risk may affect investment value. It also speeds up incident reporting and standardizes the detail provided about incidents, which improves the information available to others who may be able to prevent similar incidents.
Who does this affect?
This affects all registrants subject to SEC reporting requirements, including foreign private issuers (who report on Forms 6-K and 20-F rather than 8-K and 10-K).
When does this go into effect?
The material incident disclosure requirements went into effect on December 18, 2023, with a 180-day deferral for smaller reporting companies, making their effective date June 15, 2024. The risk management, strategy and governance disclosures on Form 10-K are effective for all registrants for fiscal years ending on or after December 15, 2023.
What does the new guidance cover?
This new rule can be broken into two categories: disclosure of incidents and disclosure of strategy, risk management and governance. Within each of these categories, companies have new guidance on how they must approach cybersecurity to remain compliant with the SEC’s regulations.
Disclosure of Incidents
Under the new rule, companies must disclose a material cybersecurity incident on Form 8-K (new Item 1.05) within four business days of determining that the incident is material. Note that the clock starts at the materiality determination, not at discovery of the incident.
Because the materiality determination is what starts the clock, the rule requires that it be made “without unreasonable delay” after discovery. There is one exception to the four-business-day deadline: if the US Attorney General determines that public disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing, the filing may be delayed for the period the Attorney General specifies.
The materiality determination is up to the individual company and should weigh both quantitative and qualitative factors, including effects on reputation, customer and vendor relationships, and legal and regulatory exposure. The rule’s definition of a cybersecurity incident also covers a series of related occurrences, for example repeated exploitation of the same vulnerability or a campaign by the same threat actor, so those related events must be assessed together for their actual and likely impact on the organization and its stakeholders.
Two clarifications in the final rule make the disclosure process more manageable. First, the 8-K does not need to include specific technical details about the incident, the affected systems, or the planned response in a level of detail that would impede remediation, which makes it feasible to file within the four-business-day window. Second, if some required information is not yet determined or available when the 8-K is filed, the filing must say so, and an amended 8-K must be filed within four business days of that information becoming available.
Disclosure of Strategy, Risk Management & Governance
The new rule also makes significant changes to the disclosure of cyber strategy, risk management and governance, using a principles-based approach. In their annual Form 10-K filings (new Item 106 of Regulation S-K), businesses must describe their processes for assessing, identifying and managing material risks from cybersecurity threats. They must also disclose whether any such risks, including those arising from previous incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations or financial condition, in far more detail than most organizations have provided in the past.
Companies must describe the board of directors’ oversight of risks from cybersecurity threats, including how the board is kept informed, as well as management’s role and relevant expertise in assessing and managing those risks. The final rule dropped the proposed requirement to identify individual board members with cybersecurity expertise and describe that expertise, so organizations do not need to name those individuals.
Even though board-level expertise no longer has to be reported, businesses should still decide whether they need that expertise on the board or would rather obtain it from outside. Settling this question early keeps the organization from being at a disadvantage as its digital footprint grows and attackers become more sophisticated.
For both forms, detailed incident management procedures, including a documented process for making and recording the materiality determination, should be in place before an incident occurs. Legal counsel should be involved in deciding how much information to report on both the 8-K and the 10-K.
How ivision can help.
ivision’s Security Team has spent the five months since the announcement learning the ins and outs of the new rule and how to help clients navigate the transition. Whether it’s reporting on incidents, enhancing your cybersecurity strategy, or managing risk, our team of experts is eager to take the heavy lifting off your team. We will learn your business and its nuances, fill gaps, and make improvements to your current infrastructure that reduce cybersecurity risk and reduce headaches for your team. Contact us today to get started!