The U.S. Securities and Exchange Commission in July 2023 released final cybersecurity rules requiring public companies to disclose details on material incidents as well as information on cybersecurity risk management, strategy and governance.
The SEC's move to extend its cybersecurity requirements marks a pivotal evolution in the regulatory landscape. It demands proactive measures, strategic planning and a holistic approach to safeguarding data and operations, and it shifts the emphasis away from narrowly regulated environments toward the broader enterprise. The SEC cybersecurity rules require a closer focus on three areas: oversight of cyber risks, cyber risk management, and disclosure of material incidents and risks.
While many larger public organizations likely already have processes and resources in place to meet these requirements, emerging and middle-market public companies may need to make structural and cultural changes to enhance or adopt cybersecurity oversight, management and reporting processes to comply with the final rules.
The rules require the disclosure of cybersecurity incidents on Form 8-K (Form 6-K for foreign private issuers) within four business days once an incident is determined to be material. In the newly introduced Item 1.05 of Form 8-K, registrants must describe the material aspects of the incident's nature, scope and timing, as well as its material impact or reasonably likely material impact on the registrant. Delayed filing is allowed if the U.S. attorney general determines that immediate disclosure would pose a substantial risk to national security or public safety.
In addition to the incident disclosures on Form 8-K, registrants must describe in their annual report on Form 10-K their cybersecurity risk management and strategy, management's role in assessing and managing material risks from cybersecurity threats, and their board of directors' oversight of cybersecurity risks.
The SEC rules define three key terms as follows:
- Cybersecurity incident: An unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein.
- Cybersecurity threat: Any potential unauthorized occurrence on or conducted through a registrant’s information systems that may result in adverse effects on the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein.
- Information systems: Electronic information resources owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of the registrant’s information to maintain or support the registrant’s operations.
Because a series of related incidents that are individually immaterial may be material in aggregate, registrants must continually refine their incident response management process. This includes maintaining a robust incident logging process that records the details of every incident, not only those that appear significant on their own. Ongoing evaluation of the materiality of these incidents in aggregate is imperative to enable informed disclosure decisions.
In light of the SEC's broadened cybersecurity requirements, organizations must adopt a proactive stance to achieve compliance and enhance their overall security posture. The following steps can guide that effort:
- Establish a comprehensive asset inventory and asset management process.
- Implement a unified control framework.
- Balance compliance and protection.
- Implement continuous control assessment and monitoring.
In addition to the SEC issuing new rules, the U.S. Federal Trade Commission amended its Standards for Safeguarding Customer Information to require all nonbanking financial institutions to report a data breach incident within 30 days after discovery if it involves the information of at least 500 consumers. That Safeguards Rule update will go into effect in May 2024.