The SEC has proposed new rules that would require public companies to make both immediate and recurring disclosures regarding material cybersecurity incidents — as well as share information about how risk and cybersecurity governance is managed within their organizations. The new requirements for disclosures would impact the quarterly and annual filings that publicly traded companies provide to their shareholders.
The regulation’s themes of transparency and accountability resemble the broader ESG movement we see emerging on a large scale. The fundamental question is: Are companies treating security and risk appropriately, and are they good corporate stewards of the data that they use or store on behalf of their customers? For forward-thinking teams looking to improve their cybersecurity programs in preparation for the new regulations, this article will take stock of the requirements included in the disclosure rule proposal, highlight key terms from the new rules, and outline an anticipated timeline for implementation.
SEC Cybersecurity Proposed Requirements: Faster, More Detailed, and More Frequent Disclosures for Increased Transparency
What are these new requirements? Based on the proposed rules, public companies are required to disclose material cybersecurity incidents and provide recurring status updates on the incident’s impact, ongoing investigations, and recovery actions. Companies are also required to disclose their policies and procedures related to risk management and information security governance, as well as the roles, responsibilities, and qualifications of the board when it comes to cybersecurity matters. In particular, the four-day public disclosures of material incidents could be a big challenge for some companies. They will require companies to assess incidents for materiality impact, and even consider whether multiple immaterial incidents represent a material impact to shareholders in the aggregate. This represents a new, highly coordinated process for most organizations that will require multiple teams to collaborate on incident report review and disclosure drafting.
The new rules call for descriptions of cybersecurity governance — specifically regarding policies and procedures and management’s role in that process — in an effort to make sure that companies’ risk and security functions are positioned with the necessary authority to adequately assess and address risk and control issues. In addition, disclosures must be made regarding management’s role in risk assessments, risk ownership, planning, and of course, third-party risk management.
The final disclosure has to do with the board. A major risk that comes up frequently in my discussions with InfoSec leaders is the lack of proper cybersecurity qualifications on many boards. It’s a reason why CISOs might not have a lot of interaction or visibility with their boards, or the influence to drive risk-aware decision making — a board may just not be qualified to have those kinds of discussions. We believe this SEC rule is meant to illuminate this kind of gap to shareholders by requiring companies to disclose board qualifications regarding cybersecurity, as well as their interaction model. These requirements will provide a lot more transparency into an organization’s data security readiness, standards, and ongoing practices.
Breaking Down Key Terms and Their Implications from the SEC Cybersecurity Proposed Rules
Of all the items listed above, the proposed change that is creating the most concern and controversy is around “immediate incident disclosure” regarding a material cybersecurity incident. Under the new terms, any material cybersecurity incident that takes place must be disclosed in a Form 8-K filing within four business days. It may be a complex challenge for some organizations to rally all relevant teams for insights into the breach and approvals on next steps, and to complete cross-departmental sign off on the mandatory disclosure form in just four days.
This then begs the question: How does the SEC define a “cybersecurity incident?” The official SEC definition can be found in great detail on their site, but the key takeaway for the InfoSec community is that the definition is extremely broad and expands to include third-party applications. It’s more important than ever for management to understand the risk associated with third-party applications, including both accidental and intentional data exposure.
Another important term here is “material.” How do you define materiality? This is a bit subjective, but one method for determining materiality is to view it through a shareholder lens. If an item is something that shareholders will reasonably think is important, then it should be considered “material.” In a mature organization, when an incident first happens InfoSec should be updated on day zero. As soon as that occurs, the priority is to determine materiality. That’s where teams loop in other folks in the organization to help determine if materiality has been reached. I would suggest internal audit, the CFO’s office, compliance, and enterprise risk or cyber risk functions if you have them as potential participants in that process — and you want to have clear decision-making criteria.
In addition, there is a requirement around “recurring incident reporting.” There may be incidents that in and of themselves were probably not material — but if there’s an alarming frequency then that may meet materiality. You’ll need to go back and look on a quarterly and annual basis to determine if there is materiality, and do a disclosure if appropriate.
SEC Cybersecurity Rules Implementation Timeline: What to Expect
The good news on these changes is that the SEC is taking the time to do a thorough assessment and take a considered approach to making them, and part of their rigorous process includes taking input from businesses.
To begin, the SEC’s proposed rules were published in March of 2022. After that, there was a two-month period in which the SEC actively solicited comments and feedback from businesses, which ended in May 2022. If you are interested in reviewing those insights, the SEC has published all comments that came in on their website. During the feedback review process, additional meetings were conducted.
In the current phase, the SEC is meeting with industry leaders and impacted organizations to fully understand and further refine their feedback. The future timeline depends on the additional feedback received and the number of iterations the rules go through.
There is not yet an announced date the rules will become effective, but we expect the SEC will share proposed conceptual releases and then ultimately finalize their decision with an effective date that allows for a fair amount of lead time to meet compliance. However, a lot of organizations are already thinking about how these rules are going to impact them — making these adjustments can be very time-consuming, particularly in a large organization.
These proposed requirements from the SEC are still under consideration and not yet mandated, but it’s never too early to start working with your organization and take specific steps to prepare your business to meet these standards.