Converting the SEC Cybersecurity Disclosure Rules into Actionable Steps
On July 26, 2023, the Securities and Exchange Commission (SEC) adopted rules requiring public companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material (not within four days of the incident itself). Public companies will also be required to describe their cybersecurity risk management, strategy, and governance each year in their Form 10-K. The rules were adopted by a 3–2 vote and became effective 30 days after publication in the Federal Register, with Form 8-K incident reporting required from December 18, 2023 for most registrants.
In the SEC news release, SEC Chair Gary Gensler noted that the intent of the rule is to bring greater transparency and consistency to the information available to investors about material cyber risk. Businesses will need to evaluate cybersecurity incidents and risks against the securities-law materiality standard (whether a reasonable investor would consider the information important), weighing qualitative factors such as reputational harm and litigation exposure alongside financial impact, which may be challenging for many organizations. Additional background information is available in the SEC Fact Sheet.
Organizations that have not yet reviewed their internal processes for cybersecurity incident disclosure and reporting, and for cybersecurity risk management and governance, will need to perform a prompt and thorough review with a wide range of stakeholders.
To assist your company in conducting a review of its cybersecurity program, Weaver has developed an Incident Response Checklist for Executives. This questionnaire is designed to help leaders, especially those outside the IT department, assess their company’s readiness for a cyber incident. It includes a shareable “In Case of Emergency” quick reference page listing key contacts, the location of the Incident Response Plan, and other information leaders will need to access quickly.
Key Points by Focus Area
Cybersecurity Incident
Disclosure requirements. Companies must disclose a cybersecurity incident they determine to be material on Form 8-K (new Item 1.05) within four business days of that materiality determination. The filing is public and available to investors.
Material impact. The reporting requirement applies only to incidents the registrant determines to be material. Materiality is judged under the existing securities-law standard (whether a reasonable investor would consider the information important), so it is not limited to effects on operations, revenue, or stock price; reputational harm, customer relationships, and litigation or regulatory exposure also count. The registrant makes the determination itself and must do so without unreasonable delay after discovering the incident. Because the rule defines an incident to include a series of related unauthorized occurrences, related smaller events may need to be evaluated for materiality in the aggregate.
Required information. The Form 8-K must describe the material aspects of the nature, scope, and timing of the incident, and its material impact or reasonably likely material impact on the registrant, including on its financial condition and results of operations. The rule does not require technical detail that would impede response or remediation, such as specifics of the planned response, the affected systems, or unremediated vulnerabilities. If required information has not been determined or is unavailable when the Form 8-K is due, the company says so in the filing and files an amendment within four business days after the information is determined or becomes available.
Reporting timeframe. The four-business-day clock starts when the company determines that the incident is material, not when the incident is first discovered. Because the materiality determination must itself be made without unreasonable delay, a company cannot hold the clock open indefinitely by deferring that analysis.
The rules allow the filing to be delayed if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing. The initial delay is up to 30 days, extendable by an additional 30 days, and in extraordinary circumstances by a further 60 days, for a maximum of 120 days absent an SEC exemptive order.
Cyber Risk Management Strategy
Annual Report on Cybersecurity Risk Management. The new rules (Regulation S-K Item 106) require registrants to describe in their Form 10-K their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, including whether those processes are integrated into overall risk management, whether assessors, consultants, auditors, or other third parties are engaged, and how the company oversees risks associated with third-party service providers.
Cybersecurity Risk Management. Companies must also disclose whether any risks from cybersecurity threats, including as a result of previous incidents, have materially affected or are reasonably likely to materially affect the company, its business strategy, results of operations, or financial condition. The same annual filing covers governance, including how the board of directors oversees cybersecurity risk and which board committee or subcommittee, if any, is responsible.
Cyber Governance
Board Oversight. Public companies must describe the board’s oversight of risks from cybersecurity threats, identify any board committee or subcommittee responsible for that oversight, and describe the processes by which the board or committee is informed about such risks.
Role of Management. Public companies must describe management’s role in assessing and managing material risks from cybersecurity threats.
Dedicated Positions. The company must identify which management positions or committees are responsible for assessing and managing cyber risks, describe their relevant expertise, explain the processes by which they are informed about and monitor the prevention, detection, mitigation, and remediation of incidents, and state whether they report to the board or a board committee. (The final rule dropped the proposed requirement to disclose the cybersecurity expertise of individual board members.)
Definitions
While many security frameworks and standards use similar terms, the new rule includes its own clarifying definitions:
Cybersecurity incident means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein. [Note: this reasonably includes the broader technology landscape, such as operational technology (OT) and industrial control systems (ICS).]
Cybersecurity threat means any potential unauthorized occurrence on or conducted through a registrant’s information systems that may result in adverse effects on the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein.
Information systems means electronic information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant’s information to maintain or support the registrant’s operations.
Effective Dates
The final rules became effective 30 days following publication of the adopting release in the Federal Register (published August 4, 2023; effective September 5, 2023). Form 8-K incident reporting under Item 1.05 is required beginning December 18, 2023; smaller reporting companies have an additional 180 days, until June 15, 2024. The Form 10-K risk management, strategy, and governance disclosures are required for fiscal years ending on or after December 15, 2023.
Next Steps
Executive leadership teams, technology leadership, internal audit, and boards will need to understand and review the company’s current capabilities, bring them into alignment with the rules, and plan improvements to their practices in response to the rules.
These are some questions for public companies and their boards to consider as they prepare for the new rules to take effect.
- Do we have a clear Incident Response Plan that is updated and understood by executive leadership as well as IT Leadership?
- How do we identify, assess and manage material cybersecurity risks?
- What is our process for determining materiality for a cybersecurity incident?
- Are we prepared to comply with the required timeline of filing a Form 8-K within four business days of determining that a cybersecurity incident is material?
- Who internally will be involved in approving the release of the disclosure?
- Have we discussed and reviewed the process with our legal counsel, internal and/or external?
- In our Incident Response tests, do we practice disclosure considerations among necessary executive stakeholders?
- Do we have a process to track and manage incidents for aggregation and evaluation? If so, is it documented in a charter or program that we can use to support corporate communications?
- Is this process reflected in our existing cybersecurity controls? Is it communicated to our executive leadership and relevant boards and committees?
- How do we monitor and evaluate the impact of cyber risk as it relates to technology serviced by third-party organizations?
- How does our board provide oversight for cybersecurity-related risks and management’s mitigation strategy?
- How do we assess the knowledge and skills of those on the board and within management who are charged with cyber governance and leadership?
For information about the new SEC rules and how to prepare for compliance, contact us. We are here to help.
©2023