Understanding the New SEC Cybersecurity Rules: A Guide for Executives

The U.S. Securities and Exchange Commission (SEC) has a long history of providing guidance on cybersecurity for publicly traded companies. Over the years, the SEC has emphasized disclosing material cybersecurity risks and incidents to investors. The latest final rule, adopted in 2023, is a significant evolution in the SEC’s approach to cybersecurity disclosure. This post analyzes the new rules in detail, with worked examples, our own perspective, and actionable advice for boards, executives, and incident response teams. 

 A Brief History of SEC Guidance on Cybersecurity 

The SEC’s focus on cybersecurity began in earnest in 2011 when the Division of Corporation Finance issued guidance on cybersecurity disclosures (CF Disclosure Guidance: Topic No. 2). This guidance clarified that although no existing disclosure requirement explicitly referred to cybersecurity risks and cyber incidents, several existing requirements may impose an obligation on registrants to disclose such risks and incidents. 

In 2018, the SEC issued interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. This guidance emphasized the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents, of disclosure controls and procedures that get incident information to the people responsible for disclosure, and of applying insider trading prohibitions in the cybersecurity context. 

The 2023 final rule, adopted on July 26, 2023, is a significant step forward in the SEC’s approach to cybersecurity disclosure. It adds Item 1.05 to Form 8-K for material cybersecurity incidents and Item 106 to Regulation S-K for annual disclosure of risk management, strategy, and governance, and it emphasizes the board’s role in overseeing cybersecurity risk management. 

The New Final Rule: A Simplified Breakdown  

The new final rule requires companies to report a cybersecurity incident on Form 8-K within four business days of determining that it is material. It also requires companies to describe, in their annual reports, their processes for assessing, identifying, and managing cybersecurity risk, the board’s oversight of those risks, and management’s role in managing them.  

For example, suppose a company suffers a significant data breach and concludes that it is material. Under Item 1.05 of Form 8-K it must then disclose the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the company, including on its financial condition and results of operations. Anything the item requires that is not yet determined or is unavailable at the time of filing must be stated as such and supplied later by amending the Form 8-K. The final rule dropped the proposed requirements to report remediation status and whether data was stolen or altered, and it does not require technical detail about the vulnerability, systems, or planned response that would impede remediation or help an attacker. Separately, in its annual report the company must describe whether risks from cybersecurity threats, including those arising from previous incidents, have materially affected or are reasonably likely to materially affect the company. 

The final rule also requires companies to describe, in their annual report, their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, in enough detail for a reasonable investor to understand them. This includes whether those processes are integrated into the company’s overall risk management, whether the company engages assessors, consultants, auditors, or other third parties in connection with them, and whether it has processes to oversee and identify risks arising from its use of third-party service providers. 

The rule also addresses governance. Companies must describe the board’s oversight of risks from cybersecurity threats, including which board committee or subcommittee is responsible and the process by which the board is informed about those risks, as well as management’s role and expertise in assessing and managing them. In practice, the board needs a defined process for receiving regular updates from management or the company’s cybersecurity team, not an ad hoc briefing when something goes wrong. 

Four-Day Disclosure Requirement 

The final rule’s four-business-day filing window will be a significant change for many public companies. Organizations need a robust breach response process, including regular tabletop exercises that rehearse gathering the facts of an incident, deciding whether it is material, and filing within the window. This is not trivial: completing root cause analysis (RCA) and assessing the damage from many attacks routinely takes far longer than four days, so the first filing will often be made while the investigation is still open. 

This requirement also underscores the need for a well-crafted communications plan. In the wake of a cybersecurity incident, public companies must manage press inquiries and social media chatter that could alarm investors, shareholders, and consumers. A well-executed communications plan can help control the narrative, providing reassurance while complying with the disclosure requirements. 

The reporting requirement is a double-edged sword. It promotes transparency and timeliness, but four business days rarely allows a thorough understanding of the threat or attack type, so initial reports may lack details investors want. The rule accepts this: a filing may state that required information has not yet been determined and supply it later by amendment. It is important to note that the four-day countdown begins when materiality is determined, not when the breach is first detected. That is not a loophole: the rule requires the materiality determination to be made without unreasonable delay after discovery, and the only permitted filing delay is where the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety. This puts a premium on a swift, documented process for assessing materiality, underscoring the importance of cyber preparedness and agility in today’s public markets. 
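As an added illustration (not part of the original post), here is a small Python tracker an incident response team could keep per incident to drive the clock described above. The observed 2023 federal holiday set and the five-business-day internal SLA for reaching a materiality decision are assumptions of the example; the four-business-day Form 8-K deadline counted from the materiality determination is the rule’s. The timeline at the bottom (detected Thursday, July 20; judged material Friday, July 28) is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed calendar: observed 2023 U.S. federal holidays. Treating these plus
# weekends as non-business days is an assumption of this example; a production
# tracker should load its calendar from an authoritative source.
NON_BUSINESS_DAYS_2023 = {
    date(2023, 1, 2), date(2023, 1, 16), date(2023, 2, 20), date(2023, 5, 29),
    date(2023, 6, 19), date(2023, 7, 4), date(2023, 9, 4), date(2023, 10, 9),
    date(2023, 11, 10), date(2023, 11, 23), date(2023, 12, 25),
}

# Form 8-K Item 1.05: due four business days after the materiality determination.
SEC_ITEM_105_BUSINESS_DAYS = 4


def is_business_day(d: date, holidays=NON_BUSINESS_DAYS_2023) -> bool:
    return d.weekday() < 5 and d not in holidays


def add_business_days(start: date, n: int, holidays=NON_BUSINESS_DAYS_2023) -> date:
    """Date n business days after start. The trigger date itself is day zero."""
    d, remaining = start, n
    while remaining > 0:
        d += timedelta(days=1)
        if is_business_day(d, holidays):
            remaining -= 1
    return d


def business_days_between(start: date, end: date, holidays=NON_BUSINESS_DAYS_2023) -> int:
    """Business days in the interval (start, end]; zero if end is not after start."""
    count, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if is_business_day(d, holidays):
            count += 1
    return count


@dataclass
class IncidentClock:
    """Per-incident record: when it was detected, and when (if) it was found material."""
    incident_id: str
    detected: date
    materiality_determined: Optional[date] = None
    # Hypothetical internal SLA. The rule only requires the materiality decision
    # "without unreasonable delay", so this threshold is the example's, not the SEC's.
    determination_sla_business_days: int = 5

    def form_8k_deadline(self) -> Optional[date]:
        """The filing deadline runs from the materiality determination, not detection."""
        if self.materiality_determined is None:
            return None
        return add_business_days(self.materiality_determined, SEC_ITEM_105_BUSINESS_DAYS)

    def status(self, today: date) -> dict:
        """Summary an IR lead can hand to counsel at the daily incident stand-up."""
        if self.materiality_determined is None:
            elapsed = business_days_between(self.detected, today)
            return {
                "incident_id": self.incident_id,
                "state": "materiality pending",
                "business_days_since_detection": elapsed,
                "determination_overdue": elapsed > self.determination_sla_business_days,
            }
        deadline = self.form_8k_deadline()
        return {
            "incident_id": self.incident_id,
            "state": "Form 8-K due",
            "form_8k_deadline": deadline,
            "business_days_remaining": business_days_between(today, deadline),
            "filing_overdue": today > deadline,
        }


if __name__ == "__main__":
    # Constructed timeline: detected Thursday 2023-07-20, judged material Friday 2023-07-28.
    clock = IncidentClock("INC-2023-0042", date(2023, 7, 20), date(2023, 7, 28))
    print(clock.form_8k_deadline())  # 2023-08-03
    # Had the clock run from detection instead, the deadline would already be past:
    print(add_business_days(clock.detected, SEC_ITEM_105_BUSINESS_DAYS))  # 2023-07-26
    print(clock.status(date(2023, 7, 31)))
```

The two printed deadlines make the point of the paragraph concrete: counting from detection the filing would have been due July 26, counting from the July 28 determination it is due August 3. The "determination_overdue" flag is the check that keeps the later trigger honest, since a determination that drifts past the internal SLA is exactly what a regulator would read as unreasonable delay.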

Notable Public Influence 

As part of developing the final rule, the SEC received numerous public comments on the proposed amendments. Here are the areas where those comments notably shaped the final text. 

Material Future Impacts: Some commenters found the proposed requirement to disclose “any potential material future impacts” vague and difficult to apply, and urged that it be removed or revised. The final rule instead requires disclosure of the material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations.
Progress on Remediation: Commenters objected that disclosing progress on remediation could expose them to further attacks, and some suggested that no updates should be required until remediation was substantially complete. The final rule dropped the remediation-status disclosure and makes clear that technical detail that would impede response or remediation is not required.
Changes in Policies and Procedures: Some commenters considered the proposed requirement to disclose changes in policies and procedures unnecessary and overly broad; one suggested narrowing it to “material changes.” The final rule dropped the standalone requirement and instead asks whether risks from cybersecurity threats, including those arising from previous incidents, have materially affected or are reasonably likely to materially affect the registrant. 
Differentiating Updates: Commenters sought clarity on when updates belong in periodic reports and when they should be filed on Form 8-K. The final rule dropped the proposed periodic-report updates on previously disclosed incidents; information that was undetermined or unavailable at the time of the original filing is instead disclosed by amending the Form 8-K. 
Smaller Reporting Companies: In response to comments, the SEC gave smaller reporting companies an additional 180 days to comply with the Item 1.05 incident disclosure requirement (June 15, 2024, rather than December 18, 2023).
Structured Data Requirements: The final rule retained the requirement that the new disclosures be tagged in Inline XBRL, with tagging required beginning one year after the related disclosure requirement takes effect, so that investors and analysts can extract and compare incident and governance disclosures across companies. 

These examples demonstrate how the SEC considered the feedback from public commenters when formulating the final rule, leading to modifications in several areas to address the comments’ concerns. 

Defining Materiality 

Determining whether a cybersecurity incident is material is a critical step in incident response. The rule does not define materiality anew; it relies on the established securities-law standard, under which information is material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision. The assessment weighs both quantitative and qualitative factors: direct impacts, such as the cost of responding to and recovering from the incident and lost revenue, and indirect impacts, such as reputational harm, damage to customer and vendor relationships, and legal and regulatory exposure. Note also that the rule’s definition of a cybersecurity incident covers a series of related unauthorized occurrences, so related events must be assessed together rather than one at a time. 

The process for determining materiality should involve several critical roles within the organization. The incident response team should identify and assess the incident, including determining its scope and potential impact. The Chief Information Security Officer (CISO) should oversee this process and communicate the details of the incident to the executive team and the board. The chief legal counsel should advise on the legal implications of the incident, including potential violations of laws or regulations and potential litigation risks. 

 The executive team and the board should make the final determination of materiality based on the information provided by the incident response team, the CISO, and the chief legal counsel. They should consider the potential impact of the incident on the company’s strategic plans, financial performance, and reputation. 

Criticisms and Suggestions for Improvement 

While the new final rule is a significant step forward in the SEC’s cybersecurity disclosure approach, it has shortcomings. One criticism is that it does not go far enough in requiring specific detail about risk management practices. The rule requires a description of the company’s processes in enough detail for a reasonable investor to understand them, but it leaves the level of detail to the registrant and does not call for specifics such as the methodologies used or the frequency of assessments, so descriptions may remain generic. 

Another criticism is that the rule gives little guidance on determining the materiality of a cybersecurity incident. It requires prompt disclosure of material incidents but provides no criteria for materiality beyond the general securities-law standard. This could lead to inconsistent disclosures and make it difficult for investors to compare companies’ cybersecurity risks and incidents. 

To address these shortcomings, the SEC could provide more detailed guidance on what companies should include in their disclosures about their cybersecurity risk management practices. It could also consider more specific criteria for materiality, such as thresholds based on the financial impact of the incident or the number of individuals affected, although the adopting release deliberately declined to set bright-line thresholds in favor of the existing standard. 

Nuances and Their Interpretation 

The new final rule contains several nuances that companies should be aware of. One such nuance is the emphasis on the board’s role in overseeing cybersecurity risk management. This represents a shift from previous guidance focused primarily on the company’s management. Under the new rule, the board is expected to take an active role in understanding the company’s cybersecurity risks and the measures in place to manage those risks. This includes receiving regular updates on the company’s cybersecurity risks and incidents and understanding how these risks are integrated into the company’s business strategy and financial planning. 

Another is the requirement to disclose whether risks from cybersecurity threats, including those arising from previous incidents, have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations, or financial condition. This recognizes that cybersecurity is not a static field and that companies should continually learn from their experiences and adapt their practices accordingly. 

A third nuance is the requirement to disclose whether the company has processes to oversee and identify material risks from cybersecurity threats associated with its use of third-party service providers. This recognizes the significant role that service providers often play in a company’s cybersecurity risk management and the risks those providers introduce. 

Evolution of Cyber Risk Management Programs 

 Most public companies already have some level of cyber risk management in place. However, the new final rule will likely drive significant changes in these programs. Companies will need to ensure that their programs can identify and manage material cybersecurity risks and have processes in place to disclose these risks promptly.  

Companies must also ensure that their boards actively oversee cyber risk management programs. This may require additional training for board members (such as that offered by the National Association of Corporate Directors, NACD) to ensure they understand the company’s cybersecurity risks and the measures in place to manage them. 

 Finally, companies must ensure that their cyber risk management programs are integrated with their business strategy and financial planning. This may require closer collaboration between the company’s cybersecurity team, executive management, and the board. 

Actionable Advice for Boards, Executives, and Incident Response Teams 

 For boards, the new final rule underscores the importance of active involvement in overseeing the company’s cybersecurity risk management. Boards should receive regular updates on the company’s cybersecurity risks and incidents and understand how they are integrated into its business strategy and financial planning. 

 For executives, the new final rule emphasizes the importance of understanding the company’s cybersecurity risks and the measures in place to manage those risks. Executives should work closely with the company’s cybersecurity team to ensure that the company’s cyber risk management program is effective and that material cybersecurity risks and incidents are disclosed promptly. 

 For incident response teams, the new final rule highlights the importance of promptly identifying and assessing cybersecurity incidents. Teams should have processes in place to provide leadership and counsel with sufficient information to decide on the materiality of an incident and promptly disclose the incident if it is material. 

Implications for the Future 

 The new final rule will likely have significant implications for public and pre-IPO companies. For public companies, the rule will probably drive changes in their cyber risk management programs and their approach to disclosing cybersecurity risks and incidents. For pre-IPO companies, the rule may influence their decision to go public, as they must ensure they have robust cyber risk management programs and are prepared to comply with the disclosure requirements. 

The new rule may also influence other regulators and standard-setting bodies in the U.S. and internationally. It could lead to more consistent and comprehensive disclosure requirements for cybersecurity risks and incidents, benefiting companies and investors. 

Correlations to Other Incident Reporting Requirements 

Many public companies are also subject to other incident reporting requirements, such as those of the North American Electric Reliability Corporation (NERC), the Federal Trade Commission’s Safeguards Rule under the Gramm-Leach-Bliley Act (FTC GLBA), and the Transportation Security Administration (TSA). The new final rule shares their emphasis on prompt reporting, but it is not a substitute for them: each regime has its own trigger, audience, and clock. The SEC’s trigger is materiality to investors, which a breach may never reach even when it is reportable elsewhere, or may reach without involving any regulated data at all. 

Companies could create efficiencies by aligning the processes that satisfy these requirements. For example, a centralized incident response team could own identifying and assessing every incident and determining which ones must be reported under which regime, and a single incident record could track each regime’s determination, deadline, and filing status, which helps keep disclosures consistent and on time. 

Conclusion 

The new final rule represents a significant evolution in the SEC’s approach to cybersecurity disclosure. It provides more detailed requirements for disclosing cybersecurity risks and incidents and emphasizes the board’s role in overseeing cybersecurity risk management. While the rule has shortcomings, it represents a significant step forward in promoting transparency and accountability in cybersecurity risk management. By understanding and effectively implementing the new rule, companies can comply with their regulatory obligations, enhance their cybersecurity posture, and build trust with their stakeholders. 

Appendix A: Example 8-K Report 

Here is a simplified, illustrative example of how a Form 8-K might be completed for a cybersecurity incident under the new Item 1.05. 

 — 

 UNITED STATES SECURITIES AND EXCHANGE COMMISSION 

Washington, D.C. 20549 

FORM 8-K 

CURRENT REPORT 

Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934 

Date of Report (Date of earliest event reported): July 28, 2023 

XYZ Corporation 

(Exact name of registrant as specified in its charter)  

Item 1.05. Material Cybersecurity Incident. 

 On July 28, 2023, XYZ Corporation (the “Company”) identified a material cybersecurity incident that resulted in unauthorized access to the Company’s internal systems. The Company’s Incident Response Team detected unusual network activity and immediately initiated an investigation with the assistance of third-party cybersecurity experts. 

The investigation is ongoing. At this time, the Company believes that some customer data may have been accessed, including names and email addresses. There is no evidence at this time that any financial information or Social Security numbers were accessed. 

The Company has taken immediate steps to contain the incident and is working closely with cybersecurity experts to secure its systems further. The Company has also notified law enforcement and will cooperate fully with any investigation. 

The Company is in the process of notifying potentially affected customers and will offer them credit monitoring services free of charge. 

The Company is still assessing the financial impact of the incident, but it could be material. The Company carries cybersecurity insurance and is in the process of making a claim. 

The Company’s Board of Directors and executive management are actively overseeing the response to the incident and have engaged external legal counsel to advise on disclosure and other legal obligations. 

The Company will file an amendment to this Form 8-K to disclose any information required by Item 1.05 that was not determined or was unavailable at the time of this filing. 

SIGNATURE 

Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized. 

XYZ CORPORATION 

By: /s/ Jane Doe 

 Jane Doe 

Chief Executive Officer 

Date: July 29, 2023 

Appendix B: Example 8-K Report via XBRL  

Here is an example of how the same incident might be represented in XBRL (it’s also available as a gist on GitHub). The document and entity facts use the SEC’s dei taxonomy. The incident and signature elements are illustrative placeholders under a made-up xyz namespace: a real Item 1.05 filing tags its narratives with elements from the SEC’s Cybersecurity Disclosure (cyd) taxonomy inside an Inline XBRL document, and the element names in this appendix should not be used in an actual filing. 

<xbrli:xbrl xmlns:xbrli="http://www.xbrl.org/2003/instance"
            xmlns:dei="http://xbrl.sec.gov/dei/2023"
            xmlns:xyz="http://www.example.com/xyz/cyber/2023">

  <!-- The context every fact refers to: the registrant, identified by CIK, on the disclosure date. -->
  <xbrli:context id="DisclosureDate">
    <xbrli:entity><xbrli:identifier scheme="http://www.sec.gov/CIK">0001234567</xbrli:identifier></xbrli:entity>
    <xbrli:period><xbrli:instant>2023-07-28</xbrli:instant></xbrli:period>
  </xbrli:context>

  <!-- Document and entity information comes from the SEC "dei" taxonomy, not us-gaap. -->
  <dei:DocumentType contextRef="DisclosureDate">8-K</dei:DocumentType>
  <dei:DocumentPeriodEndDate contextRef="DisclosureDate">2023-07-28</dei:DocumentPeriodEndDate>
  <dei:EntityRegistrantName contextRef="DisclosureDate">XYZ Corporation</dei:EntityRegistrantName>
  <dei:EntityCentralIndexKey contextRef="DisclosureDate">0001234567</dei:EntityCentralIndexKey>

  <!-- Illustrative incident elements in a placeholder "xyz" namespace. A real Item 1.05 filing tags
       these narratives with the SEC Cybersecurity Disclosure (cyd) taxonomy inside an Inline XBRL document. -->
  <xyz:MaterialEvent contextRef="DisclosureDate" id="MaterialEvent1">
    <xyz:EventType contextRef="DisclosureDate">Cybersecurity Incident</xyz:EventType>
    <xyz:EventDate contextRef="DisclosureDate">2023-07-28</xyz:EventDate>
    <xyz:EventDescription contextRef="DisclosureDate">The Company identified a material cybersecurity incident that resulted in unauthorized access to the Company’s internal systems. The Company’s Incident Response Team detected unusual network activity and immediately initiated an investigation with the assistance of third-party cybersecurity experts. Some customer data may have been accessed, including names and email addresses. There is no evidence at this time that any financial information or Social Security numbers were accessed.</xyz:EventDescription>
    <xyz:EventImpact contextRef="DisclosureDate">The Company is still assessing the financial impact of the incident, but it could be material. The Company carries cybersecurity insurance and is in the process of making a claim.</xyz:EventImpact>
    <xyz:EventResponse contextRef="DisclosureDate">The Company has taken immediate steps to contain the incident and is working closely with cybersecurity experts to secure its systems further. The Company has also notified law enforcement and will cooperate fully with any investigation. The Company is in the process of notifying potentially affected customers and will offer them credit monitoring services free of charge.</xyz:EventResponse>
    <xyz:EventBoardRole contextRef="DisclosureDate">The Company’s Board of Directors and executive management are actively overseeing the response to the incident and have engaged external legal counsel to advise on disclosure and other legal obligations.</xyz:EventBoardRole>
  </xyz:MaterialEvent>
  <xyz:Signature contextRef="DisclosureDate">
    <xyz:SignatoryName contextRef="DisclosureDate">Jane Doe</xyz:SignatoryName>
    <xyz:SignatoryTitle contextRef="DisclosureDate">Chief Executive Officer</xyz:SignatoryTitle>
    <xyz:SignatoryDate contextRef="DisclosureDate">2023-07-29</xyz:SignatoryDate>
  </xyz:Signature>
</xbrli:xbrl>
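Added example, not from the original post: a small Python lint for an instance like the one in Appendix B, so a draft can be checked mechanically before counsel spends time on it. It parses the fragment namespace-aware, confirms that every contextRef resolves to a context declared in the instance, that the facts a reader of an Item 1.05 disclosure needs are present and non-empty, that the CIK is a ten-digit identifier, and that the dates parse and are ordered. The embedded sample is a constructed, condensed copy of the appendix; the xyz namespace for the incident elements is the same placeholder used there and is an assumption of the example, not an SEC taxonomy.

```python
import xml.etree.ElementTree as ET
from datetime import date

XBRLI = "http://www.xbrl.org/2003/instance"
DEI = "http://xbrl.sec.gov/dei/2023"
# Placeholder namespace for the illustrative incident elements (assumption of the
# example); a real filing tags these narratives with the SEC cyd taxonomy instead.
XYZ = "http://www.example.com/xyz/cyber/2023"

# Facts that must be present and non-empty for the fragment to be reviewable.
REQUIRED_FACTS = [
    (DEI, "DocumentType"), (DEI, "EntityRegistrantName"), (DEI, "EntityCentralIndexKey"),
    (XYZ, "EventDate"), (XYZ, "EventDescription"), (XYZ, "EventImpact"), (XYZ, "SignatoryDate"),
]

# Constructed sample, condensed from the appendix above.
SAMPLE_INSTANCE = f"""<xbrli:xbrl xmlns:xbrli="{XBRLI}" xmlns:dei="{DEI}" xmlns:xyz="{XYZ}">
  <xbrli:context id="DisclosureDate">
    <xbrli:entity><xbrli:identifier scheme="http://www.sec.gov/CIK">0001234567</xbrli:identifier></xbrli:entity>
    <xbrli:period><xbrli:instant>2023-07-28</xbrli:instant></xbrli:period>
  </xbrli:context>
  <dei:DocumentType contextRef="DisclosureDate">8-K</dei:DocumentType>
  <dei:EntityRegistrantName contextRef="DisclosureDate">XYZ Corporation</dei:EntityRegistrantName>
  <dei:EntityCentralIndexKey contextRef="DisclosureDate">0001234567</dei:EntityCentralIndexKey>
  <xyz:MaterialEvent id="MaterialEvent1">
    <xyz:EventDate contextRef="DisclosureDate">2023-07-28</xyz:EventDate>
    <xyz:EventDescription contextRef="DisclosureDate">Unauthorized access to internal systems; names and email addresses may have been accessed.</xyz:EventDescription>
    <xyz:EventImpact contextRef="DisclosureDate">Financial impact still being assessed; could be material.</xyz:EventImpact>
  </xyz:MaterialEvent>
  <xyz:Signature>
    <xyz:SignatoryName contextRef="DisclosureDate">Jane Doe</xyz:SignatoryName>
    <xyz:SignatoryDate contextRef="DisclosureDate">2023-07-29</xyz:SignatoryDate>
  </xyz:Signature>
</xbrli:xbrl>"""


def _q(ns: str, local: str) -> str:
    """Clark-notation tag name, which is how ElementTree reports namespaced elements."""
    return f"{{{ns}}}{local}"


def validate_instance(xml_text: str) -> list:
    """Return a list of findings; an empty list means the fragment passed every check."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != _q(XBRLI, "xbrl"):
        findings.append(f"root element is {root.tag}, expected xbrli:xbrl")

    # Every contextRef must point at a context declared in this instance.
    contexts = {c.get("id") for c in root.iter(_q(XBRLI, "context"))}
    for el in root.iter():
        ref = el.get("contextRef")
        if ref is not None and ref not in contexts:
            findings.append(f"{el.tag} references undeclared context '{ref}'")

    # Required facts must be present and carry non-empty text.
    facts = {}
    for ns, local in REQUIRED_FACTS:
        el = root.find(f".//{_q(ns, local)}")
        text = (el.text or "").strip() if el is not None else ""
        if not text:
            findings.append(f"missing or empty required fact {local}")
        facts[local] = text

    if facts["DocumentType"] and facts["DocumentType"] != "8-K":
        findings.append(f"DocumentType is {facts['DocumentType']!r}, expected 8-K")
    cik = facts["EntityCentralIndexKey"]
    if cik and not (cik.isdigit() and len(cik) == 10):
        findings.append("EntityCentralIndexKey must be a ten-digit zero-padded CIK")

    # Dates must parse, and the signature cannot precede the event it reports.
    try:
        event = date.fromisoformat(facts["EventDate"])
        signed = date.fromisoformat(facts["SignatoryDate"])
        if signed < event:
            findings.append("SignatoryDate precedes EventDate")
    except ValueError:
        findings.append("EventDate and SignatoryDate must be ISO-8601 dates")
    return findings


if __name__ == "__main__":
    print(validate_instance(SAMPLE_INSTANCE))  # []
    broken = SAMPLE_INSTANCE.replace('contextRef="DisclosureDate"', 'contextRef="Typo"', 1)
    print(validate_instance(broken))  # one finding: DocumentType references undeclared context 'Typo'
```

The checks are deliberately structural rather than legal: the lint can tell you that a required narrative is empty or that a contextRef was mistyped, which is what breaks machine-readability for the investors the tagging requirement is meant to serve, but whether the narrative actually satisfies Item 1.05 remains a judgment for counsel.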