The Securities and Exchange Commission’s “watchful eye” over cybersecurity issues became much more focused in July 2023 when it finalized new cybersecurity disclosure mandates. The new disclosure rules, which went into effect September 5, 2023, are more rigorous and include specific requirements for registrants for fiscal years that end on or after December 15, 2023. These include enhanced and standardized risk management, strategy, governance and incident disclosures.
The new rules require registrants to disclose cybersecurity incidents to the SEC in a timely manner and to disclose risk management, governance and strategy measures annually.
In other words, if your company experiences a material incident, you must inform the SEC. And once a year, even if you haven’t had a material event, you must update your annual reporting to describe what is being done to prevent incidents. The timing of your disclosure after an incident is important. If an event is determined to be material, you must disclose it within four business days of the materiality determination. If that determination is on a Saturday or Sunday, you have until Thursday to submit the report. Similarly, if the determination occurs on a holiday when the SEC is closed, you have until four business days after that holiday.
You must file a report for every event that has a “material impact” on your business. SEC guidance says a matter is material if there is a substantial likelihood that a reasonable shareholder would consider it important.
Let’s consider a brief example that illustrates how to determine materiality.
Suppose that an investment analyst at a trading firm gets a suspicious email. The message appears to come from the IT department and says the analyst needs to click a link to update their login info for the firm’s trading software.
Thanks to cyber awareness training, the analyst checks the sender’s email address and sees that it doesn’t match anyone in IT’s contact info. So, they report it to IT and move on with their day. Many firms wouldn’t consider this incident to meet the materiality standards outlined by the SEC because there was no significant impact on the company’s operations, decisions or customers.
But, if the analyst clicks the link, enters their username and password into a fake website, and a week later, someone logs into the system from a foreign IP address using the analyst’s information and steals customer billing data, the incident potentially meets the materiality standard.
Responsible firms, and likely the SEC, would consider this materially significant because there was an actual data breach, and the criminals stole sensitive information.
The annual risk management disclosure should include details about how your organization’s risks are connected to cyber incidents — including enough detail to answer basic questions an investor may ask. This may include information about:
Using Form 8-K, your organization must also disclose risks that have had a material impact on the company, its operations or its finances. This includes risks stemming from previous incidents before the new regulations took effect on September 5, 2023.
Even though you can comply with the SEC’s new rules by simply disclosing information, you’ll also want to evaluate the current strength of your cybersecurity defense strategy. Here are some key considerations.
As discussed above, you must disclose information about significant events and how you manage your risk. Failure to do so could result in substantial penalties, as well as reputational damage.
In some situations, you may be able to save time by not reporting information that you’ve already filed in a previous report. For instance, if you’ve hired an external company to monitor, mitigate and report attacks on your network, and that hasn’t changed since your last filing, you can simply refer to what you’ve already submitted. However, it’s essential to review the details of any measures you’ve put in place to ensure there haven't been any changes.
The SEC also specifically instructs registrants to ensure all reported information is accurate, especially regarding events of material importance. To ensure this happens, save time and avoid costly errors, you may want to secure professional assistance.
A disclosure system will save you time, boost accuracy and streamline the process for providing the SEC's required information. Your disclosure mechanism may include frameworks for updating and reporting your:
A cyber risk assessment outlines your company's vulnerabilities, risk mitigation tools and procedures, and an inventory of your IT systems.
To cover all your bases, a comprehensive cyber risk assessment may also include quantifying your risks. This involves assessing how much financial or operational damage a risk poses. For example, a four-day ransomware attack on your internal web server may cause six days of total downtime for 18 employees. This could result in a specific amount of lost revenue, the value of which would depend on each employee’s role in your operations.
You can also use the National Institute of Standards and Technology (NIST) framework or other comparable cybersecurity frameworks to streamline the risk assessment process. These guidelines make it easier to segment your risk analysis, breaking it into a series of steps. With the NIST framework, you have a reliable structure for defining the scope and objectives of your cyber risk assessment system. NIST also makes it easier to identify, assess and prioritize your risks.
Tabletop exercises are simulations designed to put your organization’s cyber response systems to the test. They typically involve stakeholders such as IT team members, department managers, system administrators, engineers, compliance officers, information security officials, legal counsel and financial leadership.
For many companies, a tabletop exercise would also include public affairs and corporate governance leaders. Involving these stakeholders ensures you address procedural actions and the reputational impact of an assault.
A tabletop exercise may include simulated:
According to the SEC’s new rules, a company must disclose whether it has “processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.” This makes it essential to evaluate the systems and tools your third-party vendors have for mitigating cyber risks. For example, you should:
In addition to gathering this information, it’s also important to ensure vendors understand their obligations when it comes to reporting incidents to your organization in a timely manner. You may have to adjust current contracts to make sure they require vendors to report incidents on time.
There’s significant overlap between the Sarbanes-Oxley Act (SOX) requirements and the SEC’s new rules. For instance, SOX Section 404 outlines that managers are responsible for “creating and maintaining controls to manage the risks that could cause inaccurate, incomplete or fraudulent data” during the disclosure process. By conforming to SOX requirements, you may be able to check off two boxes with one stroke.
Similar to the SEC’s new rules, SOX compliance involves making sure proper controls are in place to identify and report on incidents. Many of these incidents would involve data theft or corruption, putting them under the purview of the SEC’s new rules as well.
In addition, SOX requires you to integrate your data security controls with your financial reporting systems. For example, using strong authentication controls (such as multi-factor authentication) to secure your financial systems would make it harder to compromise the data in that system. This keeps data safe both while at rest and in transit.
Preparing for the new SEC cybersecurity incident and annual reporting requirements and timeframes can be challenging. Get clarity and peace of mind that you’re ready. Contact our cybersecurity experts for help with a NIST-based risk assessment to strengthen your cybersecurity program, identify and implement proper controls, and maintain SEC compliance.
