Beginning December 18, 2023, nearly all publicly traded companies must comply with the SEC’s new cyber incident disclosure rules. Although the SEC has offered interpretive guidance before (in 2011 and 2018), this is the first time the agency has adopted formal disclosure rules specific to cybersecurity.
According to the new rules, which the Commission adopted in July 2023, publicly traded companies now have four business days to disclose material cybersecurity incidents. The clock starts not when the incident is discovered but when the company determines that it is material, and the rule requires that determination to be made without unreasonable delay after discovery. Once the determination is made, the disclosure must appear on a Form 8-K (under the new Item 1.05) within four business days.
Public companies also have to disclose, annually on Form 10-K, new information about cybersecurity risk management, strategy, and governance.
The new rules are coming soon
For most companies, the 8-K disclosures begin December 18, 2023. As a caveat, smaller reporting companies have an additional 180 days (until June 15, 2024) before they are subject to the mandated 8-K disclosures. Also, if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety, and notifies the SEC in writing, the disclosure can be delayed, initially for up to 30 days, with further extensions possible in extraordinary circumstances.
What is a material cybersecurity incident?
The SEC defines a cybersecurity incident as “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” Note that this definition covers any such incident, material or not; whether a given incident is material is a separate determination the company must make.
This language is worth reading carefully. By definition, an incident can consist of a “series of related unauthorized occurrences.”
The SEC’s adopting release gives examples of when occurrences are related: they involve the same malicious actor, or they exploit the same vulnerability. So even if each individual unauthorized occurrence is immaterial on its own, the company may still have to file an 8-K if it concludes that the occurrences are related and that they are material in the aggregate.
In the event of a material cyber incident, what needs to be in the 8-K?
According to the text of Item 1.05, the 8-K must describe the material aspects of “the nature, scope, and timing of the incident.”
Additionally, the material impact, or reasonably likely material impact, on the company must be addressed; this could entail financial damage, operational impact, or some harm to business strategy. If some of this information has not yet been determined or is unavailable when the 8-K is due, the company states that in the filing and then files an amended 8-K within four business days of determining it.
And what is meant by “material” in the first place? The SEC did not create a new cybersecurity-specific test; materiality here is the familiar securities-law standard, whether there is a substantial likelihood that a reasonable investor would consider the information important. According to the SEC, “The rule’s inclusion of ‘financial condition and results of operations’ is not exclusive; companies should consider qualitative factors when assessing the material impact of an incident.” Again, this likely includes things like brand harm, reputational damage, or regulatory repercussions.
There is no need to disclose an incident response plan. The final rule also dropped the proposed requirements to state whether data were stolen or altered, whether the incident is ongoing, and the status of remediation.
Businesses are not required to release any “specific or technical information about their planned response.” This makes sense, as attackers would gain useful intelligence if companies had to do so.
On page 30 of the adopting release, the SEC explains its reasoning:
“While some incidents may still necessitate, for example, discussion of data theft, asset loss, intellectual property loss, reputational damage, or business value loss, registrants will make those determinations as part of their materiality analyses. Further, […] a registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.”
New annual disclosures
Registrants under the Securities Exchange Act of 1934, which includes domestic public companies and foreign private issuers, also have to add new line items to their annual reports (Form 10-K, or Form 20-F for foreign private issuers) addressing risk management, strategy, and governance. These annual disclosures apply to fiscal years ending on or after December 15, 2023.
Essentially, these companies need to explain how they identify, assess, and manage material risks from cybersecurity threats, and who is responsible for overseeing that work.
New risk management and strategy disclosure requirements (required on 10-Ks)
On page 63 of the adopting release, the SEC lays out the new risk management and strategy disclosure requirements (Regulation S-K Item 106(b)). In their annual reports, companies must now describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, including:
1. “Whether and how their described cybersecurity processes […] have been integrated into the registrant’s overall risk management system or processes.”
2. “Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes.”
3. “Whether the registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.”
Companies must also disclose whether any risks from cybersecurity threats, including previous incidents, have materially affected or are reasonably likely to materially affect them.
The third point, and the SEC’s inclusion of third-party service providers more broadly, is interesting. To me, it highlights the fact that a company’s disclosure obligations do not stop at its own perimeter. The rule’s definition of “information systems” covers resources the company uses as well as those it owns, so an incident at a vendor, managed service provider, or cloud platform can still be a material incident for the company, and the company is expected to have processes for overseeing that supply-chain risk.
New governance mandate (required on 10-Ks)
On page 68, the SEC explains that companies’ annual reports now need to include (Item 106(c)):
1. “The identity of any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats.”
2. “The processes by which the board or such committee is informed about such risks.”
The governance item also covers management: the annual report must describe management’s role in assessing and managing material risks from cybersecurity threats, including which management positions or committees are responsible and the relevant expertise of those people.
CISOs should take steps to account for these new rules
Although the SEC’s new cyber incident disclosure rules only apply to publicly traded companies, all companies, public and private alike, would be wise to bring the SEC’s new language and definitions into their corporate governance documents.
Also, CISOs should figure out what their company’s threshold is for an incident being “material.” Taking into account both the qualitative and quantitative effects of a cybersecurity incident, CISOs should be able to assess whether or not the impact on business operations qualifies as “material.” Because the rule requires the materiality determination to be made without unreasonable delay, the escalation path from the security team to the people who make that call (legal, finance, the disclosure committee) needs to be defined in advance, not improvised during an incident. Moreover, CISOs should formally write down the processes for communicating, escalating, and reporting material cyber incidents, and keep a record of when each incident was discovered and when it was assessed for materiality.
It’s worth pointing out that companies hit with material cyber incidents have always been obliged, under general materiality principles, to disclose the incident eventually. Until now, however, a company could bury the incident in a risk-factor paragraph deep within its annual report.
Those days are gone: the SEC now demands a Form 8-K within four business days of the materiality determination. One thing is clear in December 2023: the SEC is taking cyber incident reporting seriously, and we’d be foolish not to follow its lead.