The Securities and Exchange Commission is raising the bar for enterprise cybersecurity with new disclosure and management rules for public companies that will take effect Sept. 5.
The rules received mixed reaction as some championed the top-down accountability for security incidents or mishaps. Others say the rules are a big lift that could at times put companies at risk.
Yet, the SEC has emphasized the widespread need for more "timely and reliable" cybersecurity information because so much economic activity is reliant on electronic systems, which, if disrupted, can have cascading effects, the agency said in the Federal Register.
Businesses have also seen a rapid increase in the number of security incidents and associated costs, including "business interruption, lost revenue, ransom payments, remediation costs, liabilities to affected parties, cybersecurity protection costs, lost assets, litigation risks and reputational damage," the SEC said.
The rules move to streamline and create consistency over where companies will make security disclosures and what they should entail. Now, companies use an array of forms with varying levels of detail.
Cybersecurity Dive has broken down what to expect from the rules in the coming weeks and months:
When do the rules take effect?
Sept. 5
What will companies have to disclose?
Material cybersecurity incidents:
Companies are required to disclose any material security incident and outline its nature, scope, the timing of the incident, and its likely impact. Companies have four business days after determining an incident is material to file a Form 8-K, Item 1.05. But, if the U.S. attorney general says immediate disclosure would create substantial national security or public safety risk, companies can delay disclosure.
The SEC is also requiring companies to amend their initial 8-K filings to disclose incident information that was not previously determined or available.
Foreign private issuers will use a Form 6-K to detail material cyber incidents they disclose or publicize outside the U.S. to any stock exchange or stockholders.
Risk management and strategy:
Companies will have to describe how they manage cyberthreats, including how they assess and identify threats. A key element is for companies to outline if a cyberthreat has "materially affected or are reasonably likely to materially affect" their overall finances, operations or business strategy. This falls under Regulation S–K Item 106(b).
Governance:
Companies will have to outline the board's involvement in overseeing cyberthreat risks and detail how management assesses and manages the material risks of cyberthreats. While this falls under Regulation S–K Item 106(c), foreign private issuers will use Form 20-F.
When will the SEC start enforcing the rules?
Companies will have to start making governance and risk management strategy disclosures in annual reports for fiscal years that end on or after Dec. 15.
Companies will have to start meeting incident disclosure requirements on Dec. 18. Smaller companies will have until June 15, 2024 to meet the incident disclosure requirements.
What is a 'material' incident?
The SEC wants companies to focus incident disclosures on what they determine is material to their business, rather than setting broad and prescriptive rules. The agency pointed out that a company could use quantitative and qualitative outcomes to determine if something is material.
For example, an incident could harm a company's reputation, its relationship with customers and vendors and its ability to compete, all of which could be material to a company's performance, the SEC said.
In essence, something is material if a "reasonable investor" would consider an incident significant to a company.
The SEC received numerous comments that tackled the "material" aspect of incident disclosure and its timing, including suggestions to extend the timeline for disclosure. Some were concerned that a tight timeline could create "false positives," where incidents appeared material at first blush, only for companies to later determine the incident was not material.
Others wanted a more tangible trigger for determining what was material, such as incidents implicating a certain percent of revenue.
Even with the pushback, the SEC remains "convinced that investors need timely, standardized disclosure regarding cybersecurity incidents materially affecting registrants' businesses." The current regulatory landscape does not offer consistent and informative cybersecurity incident disclosure, the SEC said.
The agency's compromise, however, was to narrow what companies had to disclose and create a delay for national security and public safety risks.
The SEC will not require companies to disclose specific or technical information about their planned incident response or their security systems and potential vulnerabilities.
What if there is a third-party involved?
To the SEC, when determining an incident is material, it doesn't matter where a system resided. "We do not believe a reasonable investor would view a significant breach of a registrant's data as immaterial merely because the data were housed on a third-party system," the SEC said.
In some cases, when a third-party system incident occurs, both the provider and its customers will need to make a disclosure, a scenario that has recently played out with MOVEit file-transfer vulnerabilities and exploits.
"We appreciate that companies may have reduced visibility into third-party systems; registrants should disclose based on the information available to them," the SEC said.