Every company should feel urgency about maturing cybersecurity risk management. That’s the core message behind the heightened regulatory focus on cybersecurity — and with the U.S. Securities and Exchange Commission’s (SEC’s) final cybersecurity disclosure requirements for public companies taking effect in September 2023, it’s about to get real. The SEC cybersecurity rules will have a significant impact on your organization and role.
Cybercriminals keep finding new ways to monetize cyberattacks, prey on geopolitical instability, evade detection, exploit or re-weaponize vulnerabilities, and use AI to conduct attacks. Cyber attacks keep growing in sophistication, relentlessness, and destructiveness, and the resulting costs and adverse consequences can be monumental. Beyond business interruptions, lost revenues and assets, reputational damage, remediation costs, ransom payments, and liabilities to affected parties, national security and public safety are at stake. The risk is widespread and likely underreported. Citing a recent study showing that 98% of organizations use at least one third-party vendor that has experienced a breach in the past two years, the SEC has decreed that the time is now for enhancing and standardizing cybersecurity disclosures.
If you’re a leader at a private company, you may be thinking, “But this doesn’t apply to me.” You’re right. Officially, it doesn’t. But many private companies are third parties to public companies and thus potentially liable for any cyber incidents impacting public companies. Plus, investors and other stakeholders often hold private companies to the same standards as public companies, and the SEC’s final rule is a good example of what we can expect from other cybersecurity legislation on the horizon, much of which goes beyond public companies. Most importantly, to find a cybersecurity solution for everyone, we need to admit that cybersecurity is everyone’s problem — and good cybersecurity risk management, strategy, and governance principles are universally applicable.
“You may have less time than you think. Your organization should be working NOW to get the processes and technologies needed to support effective cybersecurity disclosures in place by December 31.”
We’ve designed this guide to help you navigate the SEC cybersecurity rules update, including:
- What to Know Now: Dates and Basic Action Plan
- Overview of the SEC Cybersecurity Disclosure Requirements
- How to Prepare for Compliance With the SEC Cybersecurity Rules
- The SEC Cybersecurity Rules Demand Integrated Risk Management
Whatever your business or industry, it’s time to get your head around the SEC’s cybersecurity disclosure rules and similar legislation expected in 2023. Disclosure will require both accuracy and speed: accuracy to determine the materiality of cybersecurity incidents, and speed to meet the 4-business-day requirement for disclosing material cybersecurity incidents. Plus, the SEC’s final rule marks a critical development in regulating cyber risk that underscores the importance of getting integrated risk management (IRM) processes in place — not just to comply with SEC cybersecurity rules, but to ensure you’re doing the right things to protect, defend, and enhance your business.
Read on below, or download a PDF version of the guide.
What to Know Now: Dates and Basic Action Plan
So, which rules apply to your business, when do they take effect, and what needs to happen to get your business on the path to compliance? The table below offers an overview, breaking the new rules down into key items, compliance dates, and recommended actions.
What to Do Now
Now that you’re clear on applicability, dates, and recommended actions, make sure you’re clear on what they mean for your organization in the short term. In particular:
- Annual report considerations — Organizations will need to issue disclosures in 2024. For calendar fiscal year issuers, disclosures will include the cybersecurity risk management and governance they have in place on December 31, 2023 — including the processes and methodologies used to determine materiality.
- Continuous monitoring considerations — Organizations need to begin monitoring for cyber incidents and materiality on December 18, 2023, so they’re ready to comply with immediate reporting requirements for material cybersecurity incidents.
In other words, you may have less time than you think. Your organization should be working NOW to get the processes and technologies needed to support effective cybersecurity disclosures in place by December 31. For most organizations, that includes assessing gaps, establishing and integrating disclosure processes, developing capabilities, and updating risk quantification and incident management processes (including setting thresholds and building workflows to assess materiality), engaging the board, and more.
Overview of the SEC Cybersecurity Disclosure Requirements
The overview table and detailed breakdowns below simplify the how, when, and what of the final rules. By adopting these final rules, the SEC aims to provide greater transparency into how companies are managing their cybersecurity risk; accordingly, mandatory disclosures will be made via Form 8-K, 8-K/A, and 10-K filings (20-F, 6-K, and 6-K/A filings for foreign private issuers), meaning that all information becomes public record. There are no requirements for the SEC to keep any information non-public. That means investors and other stakeholders can use it in their decision-making — and regulators and attorneys can use it for their purposes.
The SEC Cybersecurity Rules Update At a Glance
The SEC received more than 150 comment letters in response to its proposing release. The final rule details many of the comment letters’ concerns and recommendations, explaining whether (and how) final rules were modified in response. While this is helpful in understanding the SEC’s process and reasoning, the resulting 186-page PDF release of the final rule doesn’t exactly make for light reading.
With that in mind, I’ve gone through the complete release with a fine-toothed comb to create a summary table that tells you everything you really need to know. For the sake of simplicity, our summary focuses on the requirements for US companies. Following the overview table, you’ll also find a more detailed discussion of each disclosure requirement highlighting key considerations and differences between the draft and final regulations. All page numbers refer to the SEC’s final rule PDF (which has been conformed to the Federal Register version).
Note that the SEC has divided the requirements into two reporting categories: “current,” which includes material incident disclosures made in 8-K filings, and “periodic,” which includes required disclosures on cybersecurity risk management, strategy, and governance provided via 10-K filings.
Disclosure Requirements for Material Cybersecurity Incidents
Keeping it simple, the SEC’s current reporting requirements (Form 8-K Item 1.05) are about being able to:
- Identify material cybersecurity incidents.
- Quantify their impact.
There will be a lot to pull together in a very short time frame, from the material incident determination to 8-K filing. For most organizations, this will require much more timely investigation and quantification around cybersecurity risk than is being done today.
The final rule includes several noteworthy changes from the original proposal, including:
- No specific materiality definition. The SEC declined to adopt a cybersecurity-specific materiality definition, stipulating, “we expect that registrants will apply materiality considerations as would be applied regarding any other risk or event that a registrant faces.” (See p. 80.)
- Limited delays permitted:
- In verified matters of national security or public safety. Companies may delay disclosure if the U.S. Attorney General (AG) “determines immediate disclosure would pose a substantial risk to national security or public safety.” In these circumstances, written notification from the AG to the SEC is required. (See pp. 34-35.)
- For entities subject to the Federal Communications Commission’s (FCC’s) customer proprietary network information (CPNI) rule. The SEC permitted this exception given concerns about a potential conflict with existing FCC rules. (See pp. 41-42.)
- No required disclosures regarding remediation status. The final rule did not adopt the proposal to require disclosure regarding the incident’s remediation status, whether it is ongoing, and whether data were compromised. The SEC considers that registrants will determine as part of materiality analyses whether such disclosures are necessitated. (See p. 30.)
- No required disclosure of immaterial cybersecurity incidents in aggregate. The proposal to require disclosure when a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate was not adopted. (See pp. 52 and 140.)
- No aggregation requirement for related incidents. The proposed aggregation requirement to capture the material impacts of related incidents was not adopted. (See p. 52.) That said, the SEC’s adopted definition of “cybersecurity incident” does extend to “a series of related unauthorized occurrences.”
- Rejection of periodic reporting only. The suggestion to replace Item 1.05 with periodic reporting of material cybersecurity incidents on Forms 10-Q and 10-K was not adopted, since such an approach may result in significant variance as to when investors learn of material cybersecurity incidents. (See p. 36.) Instead, updates to prior incidents reported via 8-K filings will be made in an 8-K amendment rather than in a 10-Q or 10-K. In other words, all cybersecurity incident information will be disclosed in current rather than periodic reports.
Disclosure Requirements for Cybersecurity Risk Management and Strategy
The cybersecurity risk management and strategy disclosure requirements (Regulation S-K Item 106(b)) aim to provide a consistent, comparable view of cybersecurity risk management programs that offers insight into program capabilities, strategy, and effectiveness. To this end, companies will be required to affirm whether they have a cybersecurity risk assessment program, how it works, how it fits into overall risk management, and whether it uses third parties. Notably, this will include disclosing a description of “whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition.”
The final rule includes a few noteworthy changes from the original proposal, including:
- Streamlining of required disclosure elements. Commenters expressed concerns that disclosing specific policies, procedures, and technologies could undermine cybersecurity and increase vulnerability to cyberattacks. Others worried that elements were overly prescriptive, such that companies would feel pressured to model policies on the final rule’s disclosure elements rather than what was best-suited to each company’s unique circumstances. In response to these concerns and others, the SEC eliminated several elements to support “disclosure of information material to the investment decision of investors… while steering clear of security sensitive details,” including:
- Substituting the word “process” for “policies and procedures,” to avoid disclosing details (or the lack thereof) that could be weaponized. (See p. 60.)
- Removing proposed disclosures of “prevention and detection activities,” “continuity and recovery plans,” and “previous incidents” and requiring only high-level disclosures regarding third party-service providers. (See p. 62.)
- Clarifying that elements listed are non-exclusive, such that registrants should also “disclose whatever information is necessary, based on their facts and circumstances, for a reasonable investor to understand their cybersecurity processes.” (See p. 63.)
Disclosure Requirements for Cybersecurity Governance
Finally, the cybersecurity governance disclosure requirements (Regulation S-K Item 106(c)) ask companies to account for how material cybersecurity risks are overseen at the board level, assessed and managed at the management level, and communicated to the board. This approach encourages a fresh look at how cybersecurity risk management connects with strategy and integrates with overall risk management.
The final rule includes a couple of noteworthy changes from the original proposal to require “less granular” disclosures, including:
- No required disclosure regarding the board’s cybersecurity expertise. The proposed requirement to disclose the cybersecurity expertise of a registrant’s board members was not adopted. (See p. 140.)
- Limiting required disclosures to those the SEC believes “balances investors’ needs to understand a registrant’s governance of risks from cybersecurity threats in sufficient detail to inform an investment or voting decision with concerns that the proposal could inadvertently pressure registrants to adopt specific or inflexible cybersecurity-risk governance practices or organizational structures.” (See pp. 70-71.)
In my view, it’s important to appreciate that, if the SEC had mandated the disclosure of board cybersecurity expertise, it may have offered investors a deceptive comfort. Board members’ fundamental role is to oversee risk, not directly handle it. Their expertise should be reflected in their ability to guide, not operate. That said, even without a concrete mandate to disclose cybersecurity proficiency within the board, the need for it remains implicit in the final rules.
How to Prepare for Compliance With the SEC Cybersecurity Rules
The best way to organize your to-do list is to start at the end and work backwards: Make sure you understand the final rules, and let that guide your analysis of what needs to be done. Look beyond disclosure preparation to ensure you have the needed infrastructure in place. Use the recommended action plan provided above to get started.
Again, to ensure the speed and accuracy needed for identifying incidents, assessing materiality, and preparing disclosures within the 4-business-day requirement, an IRM approach will be critical. IRM and IRM technologies can help you connect and streamline processes, controls, and teams to enable effective cross-functional collaboration and risk and impact quantification. The graphic below illustrates the interplay between the new rules and the bigger picture of IRM and IRM technologies, including the four universal IRM objectives of better performance, stronger resilience, greater assurance, and more cost-effective compliance.
Most companies have work to do in connecting technology and teams. AuditBoard’s 2023 Digital Risk Report found that only 30% of organizations currently use cloud-based risk management software to manage digital risk. Another 18% use on-premises risk management software, 44% still rely on manual technologies (e.g., spreadsheets, email, shared drives, and SharePoint), and 8% do not manage digital risk at all.
The SEC Cybersecurity Rules Demand Integrated Risk Management
With their final rules, the SEC has elevated IT risk and cybersecurity as true business risks. This is an important step in helping organizations to understand and manage their entire spectrum of strategic, operational, financial, and digital risks, helping them to make more informed, timely, and strategic decisions. But companies face significant challenges in maturing risk management and determining materiality. According to the SEC’s 1999 Staff Accounting Bulletin No. 99 and a March 2022 statement from Acting Chief Accountant Paul Munter, determining materiality is both qualitative and quantitative. It cannot be calculated using a formulaic method. As I told InformationWeek, “Determining materiality for cybersecurity will, in my opinion, require an integrated view of risk — tying cybersecurity to critical areas of the business operations. Without this view, the impact on a reasonable investor cannot be determined.”
An IRM approach is crucial for linking cybersecurity, operational, and enterprise risk to determine materiality. Audit, risk, compliance, and ITRM professionals will be forced to work together to come up with solutions, engendering a clearer understanding of cybersecurity’s impact on the business — and better alignment of technologies, processes, and business outcomes.
Every organization should recognize that the SEC cybersecurity rules are part of a larger trend toward integrated reporting and risk management. Just like standalone financial reports don’t give the full picture of how a business is doing, disconnected technologies aren’t effective in meeting today’s risk management challenges. Integrated technology solutions bring together different data and perspectives into a common risk framework — creating an integrated view of risk that connects people, increases understanding, enables prioritization, and supports performance, resilience, assurance, and compliance. If your organization is still dragging its feet on integrating risk management, 2023 is the time to get moving.