Article

Understanding and addressing new SEC cybersecurity rules

New guidelines mean changes for reporting, oversight and disclosures

August 10, 2023
#
Technology risk consulting
Risk consulting Business risk consulting Cybersecurity consulting SEC matters

The Securities and Exchange Commission (SEC) on July 26 released final cybersecurity rules requiring public companies to disclose details on material incidents as well as cybersecurity risk management, strategy, and governance information. While many larger public organizations likely already have processes and resources in place to meet these requirements, emerging and middle market public companies may need to make structural and cultural changes to enhance or adopt cybersecurity oversight, management, and reporting processes to comply with the final rules.

The new rules come in response to an unrelenting cybersecurity environment, with more complex and challenging threats on the horizon. For example, 20% of respondents in the 2023 RSM US Middle Market Business Index Cybersecurity Special Report claimed their company experienced a data breach in the last year, and our team has seen breach activity escalating in recent months. In addition, 68% of survey respondents anticipate unauthorized users will attempt to access data or systems this year.

With attack methods continuing to evolve amid the increasing use of emerging technologies, including artificial intelligence, investors need to understand how threats and incidents can influence a company’s value. And this can be promoted through more consistent and clear reporting.

63% of executives feel they are at risk for a ransomware attack in 2023
You don’t want to get in the habit of reporting material incidents. You need to implement preventative controls and identify incidents early. That could enable you to manage an incident more appropriately and mean the difference in materiality.
Matt Franko, Principal, RSM US LLP

Key considerations

The new SEC cybersecurity rules require a closer focus on three areas: oversight of cyber risks, cyber risk management, and disclosure of material incidents and risks. Larger public companies with established cybersecurity processes and resources can likely adjust existing roles and reporting to account for the new standards, but their smaller counterparts may need to adjust infrastructure and leverage alternative resource models such as managed services to meet compliance standards.

Oversight of cyber risks 

The new rules seek to bridge the gap between corporate boards and cybersecurity leadership. SEC registrants (Form 10-K) and foreign private issuers (Form 20-F) must describe the board’s oversight of cybersecurity risks and management’s role in assessing and managing material threats.

Ultimately, boards must increase their oversight of cybersecurity risks and develop a governance culture that increases visibility into threats. The governance structure should provide defined roles that include security ownership and prescribe processes to inform the board and committees about emerging risks. IT controls should also be measured, monitored, and reported to further understand evolving risks.

Cyber risk management 

Organizations must articulate their processes for assessing, identifying, and managing material risks from cybersecurity threats as a part of their annual 10-K reporting. The material effects of those risks on the company’s business strategy, operations, or financial condition must also be disclosed.

The SEC amended the final cybersecurity rules to remove a proposed list of risk types, hoping to avoid the perception that the rules prescribe cybersecurity policy. However, the agency sought to provide guidance by referencing risks such as intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy laws, and reputational risk. Disclosures in Forms 10-K and 20-F are required beginning with annual reports for fiscal years ending on or after Dec. 15, 2023.

Periodic company-wide cybersecurity assessments are an essential part of the risk management process and are critical in addressing and documenting potential risks. Assessments help identify issues early to enable an organization to put controls in place before risks become material.

Disclosing material incidents 

Organizations must disclose incidents that have a material or reasonably likely material impact using Form 8-K within four days after the company determines the incident is material. This requirement is effective beginning 90 days after publication in the Federal Register, or Dec. 18, 2023, but smaller companies will have an additional 180 days.

Determining materiality can be a challenge, as there is no specific guidance about what a quantifiable trigger is.

The impact on the company should be considered against quantitative and qualitative factors, including how a reasonable investor would view the incident.

Harm to a company’s reputation, customer or vendor relationships or competitiveness may be examples of material impact on the company, according to the final rules. The possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities, may also constitute a reasonably likely material impact on the registrant.

The final rules describe information as material “if ‘there is a substantial likelihood that a reasonable shareholder would consider it important’ in making an investment decision.” This is consistent with the standard set out in cases addressing materiality in securities laws.

Meeting the demands of these rules requires an effective incident response program and cybersecurity risk management capabilities. The program should include plans to respond to and determine the materiality of specific incidents and provide details for how to respond to specific scenarios such as ransomware. Detailed threat simulations, or tabletop exercises, can provide practice with the plan and familiarize individuals with their defined roles within the program. A security monitoring strategy can also leverage technology to consolidate alerts across the organization. 

In addition, a managed security operations center can identify and escalate incidents to your security and SEC reporting teams in a timely manner.

The key to compliance

Compliance with the final SEC cybersecurity rules will require a differing level of effort, depending on the extent to which a company has developed its cybersecurity and risk management processes. While the challenge may seem daunting to companies without comprehensive cybersecurity capabilities and incident response programs in place, compliance is achievable.

Ultimately, creating a holistic and sustainable cybersecurity risk management program that involves clear, consistent reporting, as well as increased oversight and involvement from the board, can help your company stay in compliance with SEC guidelines and protect it against material risks that could threaten the company.

RSM contributors

Related insights

RSM US MMBI

Cybersecurity 2024 special report

Our annual insights into cybersecurity trends, strategies and concerns shaping the marketplace for midsize businesses in an increasingly complex risk environment.