Navigating New SEC Guidelines for Cybersecurity Disclosures

Post date: Nov 3, 2023

On July 26, 2023, the SEC issued a final rule, ushering in a new era of transparency in cybersecurity disclosures for public companies. In a world where digital technology, AI, hybrid work setups, cryptocurrencies, and cyber threats are on the rise, consistent and reliable access to cybersecurity information is crucial for investors.

The new SEC rule aims to standardize and enhance disclosures concerning cybersecurity risks, governance, strategies, and incidents. For public companies, this rule brings about significant changes and responsibilities in their cybersecurity reporting.

Overview of Final Rules

The final rules issued by the SEC are categorized into three key areas:

  1. Disclosure of Cybersecurity Incidents:

    • Companies must report "material" cybersecurity incidents within four business days of determining that an incident is material; that materiality determination must itself be made without "unreasonable delay".

    • This disclosure should include the incident's impact or reasonably likely material impact.

    • Disclose if one or more of the above-required items is not determined or is unavailable at the time of the filing.

    Filed on: Periodic Form 8-K, Item 1.05

  2. Disclosure of Cybersecurity Risk, Management, and Strategy:

    • Public companies must disclose their processes for assessing, identifying, and managing material cybersecurity risks.

    • They also need to describe their board's oversight of cybersecurity threats and how management reports cybersecurity information.

    • Describe risks, including those resulting from previous incidents that have materially affected or are reasonably likely to materially affect business strategy, results of operations, or financial condition.

    • Disclose whether the cybersecurity program engages consultants, auditors, or other third parties, as well as the processes to identify and manage risk from third parties.

    Filed on: Annual Form 10-K, Regulation S-K Item 106(b)

  3. Disclosure of Cybersecurity Governance:

    • This area focuses on describing the board's oversight of cybersecurity risks and the management committees responsible for assessing and managing cyber risks.

    • Disclose whether and how management reports cybersecurity information to the board or a committee or subcommittee of the board.

    Filed on: Annual Form 10-K, Regulation S-K Item 106(c)

The materiality of an incident is determined by the company's own evaluation, and it's essential for companies to align their practices with these new rules.

Preparing for Compliance

Here are practical steps companies can take to prepare for and comply with the SEC's new cybersecurity rules:

Conduct an SEC Readiness Assessment: Safeguard your organization's reputation by identifying potential risks and developing response capabilities while complying with SEC rules.

Evolve Cyber Incident Response and Reporting Capabilities: Define materiality criteria, continue to meet disclosure obligations, and learn from past incidents to maintain investor confidence.

Apply Stakeholder Coordination and Orchestration Processes: Develop broad disclosure capabilities that facilitate timely and transparent disclosures.

Enhance the Cybersecurity Governance Framework: Strengthen governance, foster a culture of responsibility, and identify board committees responsible for cybersecurity oversight.

Effective cybersecurity capabilities form the foundation of compliance and can help companies move from viewing technology as a cost center to treating it as a revenue enabler.

Why Compliance Matters

Technology now makes up a significant portion of a company's structure. The failure of technology can have catastrophic consequences, making cybersecurity a top priority. The average cost of a cybersecurity breach can run into the millions, and organizations must take steps to protect their assets, reputation, and investor trust.

The SEC's new rules are a call to action, challenging organizations to expand their cybersecurity disclosures to safeguard investor interests, enhance transparency, and mitigate risks effectively. Preparing for these new disclosure requirements is essential, and organizations are advised to conduct readiness assessments, strengthen their cybersecurity governance, and prepare for timely and comprehensive disclosures.

In this age of increased cybersecurity threats, the SEC's new rules provide a framework for companies to protect themselves and their investors from the potential harm caused by a cybersecurity breach. Transparency and readiness are key in navigating this new era of cybersecurity disclosures.

Disclosure:
Securities and Exchange Commission (SEC), “SEC adopts rules on cybersecurity risk management, strategy, governance, and incident disclosure by public companies,” press release, July 26, 2023.

As per SEC, the materiality of an incident is based on the company’s evaluation of the incident.

The above list is not an exhaustive compilation of all the actions that should be taken or capabilities deployed. Additional cybersecurity measures and leading practices may also be required to ensure protection and compliance with SEC requirements for cybersecurity disclosures.