The U.S. Securities and Exchange Commission (SEC) has released new rules that call for standardized reporting of cyber incidents, with the aim of providing better security to investors. This new transparency requirement involves disclosure of the company's cyber expertise and a four-day reporting deadline.
SEC's New Rules: A Spotlight on Cybersecurity
The SEC has issued new rules requiring public companies to disclose data breaches and establish cybersecurity risk policies. The rules aim to provide more transparency for investors on companies' cyber risks and preparedness. The Commission calls attention to “a substantial rise in the prevalence of cybersecurity incidents” but notes “current disclosure practices are varied”, which leads to risks to investors if the disclosure is late or incomplete.
Until recently, companies have been using different forms to communicate information about cyber incidents, with different levels of precision. Sometimes cyber incident disclosures are mixed with other disclosures, so it’s difficult to pick up on that specific data and act on it.
Understanding the Need for Transparency and Timely Reporting
The new rules mandate reporting material cyber incidents within 4 business days, and annual disclosure of the cyber expertise of management, further informing investors about cyber risks. The means of reporting include Form 8-K, which is commonly used to share information about significant events to shareholders, and Form 6-K, which similarly publicizes information to the same people, but is used by private foreign issuers.
Under the new rules, public companies must disclose any “material” cyber breach in Item 105 of a Form 8-K filing. According to the SEC, “information is material if ‘there is a substantial likelihood that a reasonable shareholder would consider it important’ in making an investment decision, or if it would have ‘significantly altered the ‘total mix’ of information made available.”
For most organizations, this analysis “will include consideration of the financial impact of a cybersecurity incident”, so “information regarding the incident’s impact on the registrant’s financial condition and results of operations will likely have already been developed when Item 1.05 [which would hold the incident disclosure requirements on Form 8-K and Form 6-K] is triggered.”
The Role of Management and the Board in Navigating Cyber Risks
Companies must establish, maintain, and enforce written cybersecurity policies, reviewing them periodically. The disclosure window is similar to that found in the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) and reflects the SEC's view that strong cyber risk management and disclosure are in the public interest in cases where cyber incidents have material risks to investors. CIRCIA requires that cyber incidents be reported to CISA within 72 hours, and that ransomware payments also be reported within 24 hours.
The SEC’s new rules also require disclosure of both management's and the board of directors' cyber expertise is meant to help investors gauge how well-prepared companies are to address cyber risks. However, some companies may lack directors or executives with strong cyber backgrounds, making this a difficult disclosure.
Impact and Implications: Balancing Compliance and Overreporting
Although the SEC delayed finalizing the rules until October 2023, these new rules are in conjunction with the Federal Government’s continued pivot towards a more robust cybersecurity posture. In the last year, the US has undertaken a near-complete overhaul of US cyber policy, with rules about quantum computing (Quantum Computing Cybersecurity Preparedness Act) and a plan to address the shortage of cyber talent (National Cyber Workforce and Education Strategy).
The final rules will be effective 30 days after they are published in the Federal Register. For most companies, this means that the rules will go into effect on December 15, 2023. Smaller companies will have an additional 180 days, until June 15, 2024, to comply with the rules. There is a similar staggered start for compliance, with most companies answering the incident disclosure requirements in Item 1.05 of Form 8-K and in Form 6-K 180 days before the smaller companies.
The rules aim to provide better security to investors by spurring companies to strengthen their cyber defenses and risk management. By mandating disclosure, the rules could motivate companies to improve their cybersecurity to avoid potential reputation and financial damage from breaches.
Some critics argue the rules could lead companies to overreport minor incidents to avoid penalties, creating information overload. There are also concerns the rules may be too prescriptive or not flexible enough to adapt to evolving cyber threats. In a lot of discourse about the new rules, the 4 business day time frame to report an incident after assessing whether or not it is ‘material’ has been seen as too small. The SEC maintains that “the four business day timeframe from the date of a materiality determination will be workable.”
Put simply, the SEC's proposed cyber rules would require unprecedented transparency from companies on their cyber risks, incidents, and policies. While aiming to benefit investors, the rules could be challenging for some companies to comply with and may lead to unintended consequences like overreporting.
This post is part of DAR's "Federal Fridays" series. Be sure to follow DAR on LinkedIn for the latest updates!