New cybersecurity laws and rules continue to emerge in an ever-tightening regulatory landscape. In July 2023, the U.S. Securities & Exchange Commission (SEC) adopted new rules about disclosing cybersecurity incidents and cyber risk management at publicly traded companies. Here’s what you should know about the new SEC cybersecurity disclosure rules.
The new rules require publicly traded companies to make disclosures on two forms:
Form 8-K provides investors with information beyond the regular periodic financial statements and disclosures companies must file. This report typically announces major company events that shareholders should know about.
Form 10-K is an annual report publicly traded companies file that comprehensively summarizes financial performance. This includes detailed information for shareholders and potential investors that can be useful for making informed decisions about purchasing or selling shares.
According to SEC Chair Gary Gensler, the new rule aims for public companies to provide cybersecurity disclosure to investors in a more “consistent, comparable and decision-useful way.” The only exemption to the rule is an allowance for a delay in the four-day disclosure period when the Attorney General deems such a delay is essential to protecting national security or public safety.
One challenging aspect of the rule is determining the materiality of a cybersecurity incident. The ambiguity in the guidance given on determining which cybersecurity incidents meet the material criterion seems to contradict Gary Gensler’s comments about the new rule driving more consistent disclosures. Broad and open-ended guidance will likely lead to inconsistent disclosures by different companies.
For a cybersecurity incident to be material for disclosure purposes, there must be a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or that it would have “significantly altered the ‘total mix’ of information made available.” This is the same standard that applies generally under the federal securities laws to the materiality of events that trigger a Form 8-K filing.
Assessing materiality should involve both quantitative and qualitative factors. Quantitative impacts are those that alter financial statement elements, such as revenues and expenses. Qualitative impacts to consider include reputational damage, customer or vendor relationships, data theft, asset loss, intellectual property loss and competitiveness.
One of the best things to do in response to this challenge is to designate one or more people at your company to make the materiality determination. A process that ensures sufficient information flows to the people tasked with materiality assessments in a timely manner is also essential.
Note that in the actual disclosure, specific or technical information about the planned response to the incident or details about the cybersecurity systems, related networks and devices, or potential system vulnerabilities are not required to be disclosed. Instead, the focus should be on the nature, scope and timing of the incident and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.
Lastly, keep records and logs containing the details that led to disclosing material incidents or deeming other incidents as non-material. These internal records give a position from which you can defend assessments based on a subjective materiality standard.
There’s quite a lot to understand and report on for the annual cyber risk management disclosures. In describing how your company assesses, identifies and manages material risks from cybersecurity threats, disclose whether you engage assessors, consultants, auditors or other third parties in connection with risk management.
This annual disclosure must also describe the board’s oversight of cybersecurity risks. The rule also requires disclosures about management’s role in assessing and managing material risks from cybersecurity threats, with a focus on the relevant expertise management brings to assessing and managing cyber risks.
When using third-party service providers, you must disclose any processes for overseeing and identifying material risks that may arise from cybersecurity threats to these third parties.
A robust incident response plan lies at the heart of meeting the new SEC cybersecurity disclosure requirements. Being able to respond to and manage cyber incidents efficiently and cohesively helps to drive compliance. Coordinated internal and external communications about incidents are imperative in ensuring consistent messaging and proper disclosure.