The U.S. Securities and Exchange Commission (SEC) has a long history of providing guidance on cybersecurity risk management, strategy, governance, and incident disclosure for public companies. Over the years, the SEC has emphasized disclosing material cybersecurity risks and incidents to investors. The latest final rules, which the SEC approved on July 26, 2023, represent a significant enhancement in the SEC’s cybersecurity disclosure requirements. This article comprehensively analyzes the new rules, including detailed examples, insights from our perspective, and actionable advice for boards, executives, and incident response teams.
A Brief History of SEC Guidance on Cybersecurity
The SEC’s focus on cybersecurity began in earnest in October 2011 when the Division of Corporation Finance issued guidance on cybersecurity disclosures. This guidance clarified that although no existing disclosure requirement explicitly referred to cybersecurity risks and cyber incidents, several requirements may nonetheless impose an obligation on registrants to disclose such material risks and incidents.
In 2018, the SEC issued interpretive guidance to reinforce and expand upon the October 2011 Guidance by identifying existing provisions in Regulations S-K and S-X that may require disclosing cybersecurity risks, governance, and incidents. Notably, the guidance did not create any new obligations. However, from my perspective, this guidance emphasized the importance of maintaining comprehensive policies and procedures related to cybersecurity risks to ensure a public company’s ability to comply with Regulations S-K and S-X fully.
The 2023 final rule represents a significant step forward in the SEC’s approach to cybersecurity disclosure and aims to enhance and standardize disclosure made by public companies. It provides more detailed requirements for disclosing cybersecurity risks and incidents and emphasizes the disclosure of the board’s role (whether a lot or a little) in overseeing cybersecurity risk management.
The New Final Rule: A Simplified Breakdown
The new final rule requires public companies to disclose any material cybersecurity incident within four business days of determining that the incident is material (subject to certain narrow exceptions described below). This requirement is added as a new Item 1.05 on Form 8-K.
In addition, the new final rule includes a specific requirement for public companies to describe their cybersecurity risk management, including the board’s role in overseeing these processes in their Annual Report on Form 10-K.
For example, suppose a public company suffers a material data breach. It must then disclose the nature and likely consequences of the breach. Under the new final rules, in the newly established Item 1.05 on Form 8-K, the company must describe the material aspects of the breach, including:
- Nature, scope, and timing; and
- Impact or reasonably likely impact on the registrant, including its financial condition and results of operations.
In this example, the company must also disclose in its Annual Report (Form 10-K) whether the breach has materially affected, or is reasonably likely to materially affect, its business strategy, including any material changes in its governance, policies, procedures, or technologies.
Separately, the final rule also requires companies to disclose if they have a cybersecurity risk assessment program and to describe it. This includes describing how companies assess, identify, and manage material risks from cybersecurity threats. Companies must disclose whether they engage assessors, consultants, auditors, or other third parties in connection with their cybersecurity risk assessment program.
Finally, the final rules also notably emphasize disclosures relating to the board’s role in overseeing cybersecurity risks and management’s role in assessing and managing material risks from cybersecurity threats. Specifically, the final rule introduces a new Item 106 of Regulation S-K that requires registrants, among other things, to describe the board’s oversight of risks from cybersecurity threats, including any specific board committee or subcommittee tasked with oversight of cybersecurity risks. As such, the board should have processes to be informed about cybersecurity risks and incidents. This includes regular updates from management or the company’s cybersecurity team.
Four-Day Disclosure Requirement
As noted above, the final rules add a new Item 1.05 on Form 8-K, which requires public companies to disclose any material cybersecurity incident within four business days of determining that such incident was indeed material.
This four-business-day requirement will be a game-changer for many public companies. Organizations must have a robust breach response process, including regular tabletop exercises that simulate how they would gather facts about an incident and ultimately determine its materiality. This is not trivial, given that completing a root cause analysis (RCA) and assessing the damage from many attacks can take significantly longer than four days. Boards and management (along with legal counsel) will need a thorough set of facts to determine materiality confidently.
This requirement also underscores the need for a well-crafted communications plan. In the wake of a cybersecurity incident, public companies must manage press inquiries and social media chatter that could alarm investors, shareholders, and consumers. A well-executed communications plan can help control the narrative, providing reassurance while complying with the disclosure requirements. This plan should also consider internal communication workflows between stakeholders such as the cybersecurity team, legal teams, and the board (or the relevant committee).
It’s also important to note that the SEC has introduced certain narrow exceptions to the Four-Day Disclosure Requirement. The only generally applicable exception permitting a delay in reporting applies if the US Attorney General notifies the SEC in writing that disclosure poses a substantial risk to national security or public safety. Outside of extraordinary circumstances or an exemptive order issued by the SEC, the maximum delay permitted under this exception is 60 days.
Notable Public Influence
As part of developing the final rule, the SEC received numerous public comments about various proposed amendments. Here are the amendments that were notably influenced by the public.
- Material Future Impacts: Some commenters found the proposed requirement to disclose “any potential material future impacts” vague and difficult to apply and urged that it be removed or revised. The final rule took these comments into account: it removes this requirement and instead directs companies to file an amendment to their Form 8-K when previously unknown or otherwise unavailable information becomes known.
- Progress on Remediation: Commenters expressed concern about the requirement to disclose progress on remediation, noting that such information could expose them to further attacks. Some suggested that no updates should be required until remediation is sufficiently complete. The final rule reflects these comments: it removes the disclosure requirement on remediation status and clarifies that specific technical information about the planned response is not required in the disclosure.
- Changes in Policies and Procedures: Some commenters felt that the requirement to disclose changes in policies and procedures was unnecessary and overly broad. One commenter suggested narrowing the requirement to “material changes.” The final rule considered these comments, resulting in a more streamlined approach to disclosure requirements.
- Differentiating Updates: Commenters sought clarification on how to distinguish cases in which updates should be included in periodic reports from cases in which updates should be filed on Form 8-K. The final rule aimed to provide more explicit guidance in response to these comments; the SEC’s view is that updates filed on Form 8-K are timelier and more beneficial to investors than waiting for periodic reports.
- Smaller Reporting Companies: The SEC considered comments on the ability of smaller reporting companies to comply with the new rules, and some commenters asked that smaller reporting companies be exempted. In the Final Rule, the SEC ultimately declined to exempt smaller companies, but it did provide them more time to comply with Item 1.05 of Form 8-K.
- Structured Data Requirements: The final rule also considered comments related to structured data requirements. While the details of those comments are not covered here, the SEC clearly took them into account when formulating the final rule.
These examples demonstrate how the SEC considered the feedback from public commenters when formulating the final rule, leading to modifications in several areas to address the comments’ concerns.
Determining the materiality of a cybersecurity incident is a critical step in incident response. The SEC clarified in the Adopting Release that the determination of materiality is to be made following the prevailing and familiar definition of materiality: information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.”
In the Adopting Release, the SEC indicated that companies should consider qualitative factors in assessing the material impact of an incident. It noted that harm to a company’s reputation, customer or vendor relationships, or competitiveness, and the possibility of litigation or regulatory investigations or actions, could all be material impacts on a company.
The SEC also notes that in the Final Rule, Form 8-K Item 1.05 does not specify whether the board, a board committee, or one or more officers should determine materiality. A company may therefore establish a policy tasking one or more persons with the materiality determination. Companies should ensure that those tasked with the determination receive information sufficient to make disclosure decisions.
Companies should also look at the potential impact of the incident on the company’s operations, financial performance, and reputation. This includes direct impacts, such as the cost of responding to and recovering from the incident, and indirect impacts, such as damage to the company’s reputation and potential legal and regulatory consequences.
Given that the SEC gives companies discretion to determine materiality so long as the determination conforms to established case law and legislation, public companies should seek legal advice on whether an incident rises to the level of materiality requiring an Item 1.05 disclosure on Form 8-K.
From the vantage point of my experience, determining materiality should involve several critical roles within the organization. The incident response team should identify and assess the incident, including determining its scope and potential impact. The Chief Information Security Officer (CISO) should oversee this process and communicate the details of the incident to the executive team and the board. The Chief Legal Officer (CLO) should advise on the legal implications of the incident, including whether the incident needs to be publicly disclosed in light of the new final rules.
The executive team and the board (or committee) should determine materiality based on the information provided by the incident response team, the CISO, and CLO. They should consider the potential impact of the incident on the company’s strategic plans, financial performance, and reputation.
Criticisms and Suggestions for Improvement
While the new final rule represents a significant step forward in the SEC’s cybersecurity disclosure approach, it has shortcomings. One potential criticism is that the rule may not go far enough in requiring companies to disclose specific details about their cybersecurity risk management practices. For example, the rule requires companies to disclose whether they have a cybersecurity risk assessment program. Still, it does not require them to disclose specific details about the program, such as the methodologies used or the frequency of assessments.
Another potential criticism is that the rule may not provide enough guidance on determining the materiality of a cybersecurity incident. While the Final Rule does provide general guidelines regarding materiality (as briefly summarized above), critics note that the guidance is very open-ended. More specific guidance would help avoid inconsistent disclosures across companies, which make it difficult for investors to compare companies’ cybersecurity risks and incidents.
To address these shortcomings, the SEC could provide more detailed examples of what companies should include in their disclosures about their cybersecurity risk management practices. The SEC could also consider providing more specific criteria (and examples) for determining materiality regarding a cybersecurity incident.
Nuances and Their Interpretation
The new final rule contains several nuances that companies should be aware of. One such nuance is the emphasis on disclosing the board’s role in overseeing cybersecurity risk management. This represents a shift from previous guidance, which focused primarily on the company’s management. Under the new rule, the board is expected to take an active role in understanding the company’s cybersecurity risks and the measures in place to manage those risks. This includes receiving regular updates on the company’s cybersecurity risks and incidents and understanding how these risks are integrated into the company’s business strategy and financial planning. For many public companies, this is already the case.
Another is the requirement to disclose whether previously disclosed cybersecurity incidents have informed changes to policies and procedures. This requirement recognizes that cybersecurity is not a static field and that companies should continually learn from their experiences and adapt their practices accordingly.
A third nuance is the requirement to disclose the company’s use of third-party service providers in managing cybersecurity risks. This requirement recognizes the significant role that third-party service providers often play in a company’s cybersecurity risk management and the potential risks associated with these providers. The Final Rules note that the SEC believes it is essential for investors to know a registrant’s level of in-house versus outsourced cybersecurity capacity, as this information is necessary for investors to assess a company’s cybersecurity risk profile in making investment decisions.
Evolution of Cyber Risk Management Programs
Most public companies already have some level of cyber risk management in place. However, the new final rule will likely drive significant changes in these programs. Companies must ensure that their programs can identify and manage material cybersecurity risks and have processes to disclose these risks promptly.
Companies must also ensure that their boards actively oversee cyber risk management programs. This may require additional training (such as what NACD provides) for board members to understand the company’s cybersecurity risks and the measures to manage them.
Finally, companies must ensure that their cyber risk management programs are integrated with their business strategy and financial planning. This may require closer collaboration between the company’s cybersecurity team, executive management, and the board.
Actionable Advice for Boards, Executives, and Incident Response Teams
For boards, the new final rule underscores the importance of active involvement in overseeing the company’s cybersecurity risk management. Boards should receive regular updates on the company’s cybersecurity risks and incidents and understand how they are integrated into its business strategy and financial planning.
For executives, the new final rule emphasizes the importance of understanding the company’s cybersecurity risks and the measures in place to manage those risks. Executives should work closely with the company’s cybersecurity team to ensure that the company’s cyber risk management program is effective and that material cybersecurity risks and incidents are disclosed promptly in compliance with the new final rule.
For incident response teams, the new final rule highlights the importance of promptly identifying and assessing cybersecurity incidents. Teams should have processes in place to provide leadership, legal counsel, and any other relevant advisors with sufficient information to decide on the materiality of an incident and promptly disclose the incident if it is material.
Implications for the Future
The new final rule will likely have significant implications for public and pre-IPO companies. For public companies, the rule will probably drive changes in their cyber risk management programs and their approach to determining whether disclosing cybersecurity risks and incidents is necessary to comply with new laws and regulations. For pre-IPO companies, the rule may influence their decision to go public, as they must ensure they have robust cyber risk management programs and are prepared to comply with the disclosure requirements.
The new rule may also influence other regulators and standard-setting bodies in the U.S. and internationally. It could lead to more consistent and comprehensive disclosure requirements for cybersecurity risks and incidents, benefiting companies and investors.
Correlations to Other Incident Reporting Requirements
Many public companies are subject to other incident reporting requirements, such as those imposed by the North American Electric Reliability Corporation (NERC), the Federal Trade Commission’s rules under the Gramm-Leach-Bliley Act (FTC GLBA), and the Transportation Security Administration (TSA). The new final rule is consistent with these requirements in emphasizing prompt disclosure of material cybersecurity incidents. Listed companies should also consider any obligations imposed by exchange listing requirements, such as those of the New York Stock Exchange or NASDAQ.
Companies could create efficiencies by aligning their processes to comply with these requirements. For example, they could establish a centralized incident response team responsible for identifying and assessing cybersecurity incidents and determining which incidents need to be reported under which requirements. They could also use a single system for tracking and reporting cybersecurity incidents, which could help ensure consistent and timely disclosures.
The new final rule represents a significant evolution in the SEC’s approach to cybersecurity disclosure. It provides more detailed requirements for disclosing cybersecurity risks and incidents and emphasizes disclosure of the board’s role in overseeing cybersecurity risk management. While the rule has shortcomings, it represents a significant step forward in promoting transparency and accountability in cybersecurity risk management. By understanding and effectively implementing the new rule, companies can comply with their regulatory obligations, enhance their cybersecurity posture, and build trust with their stakeholders.
The contents of this publication are for informational purposes only. Sophos is not rendering legal or other professional advice or opinions on specific facts or matters. Sophos assumes no liability in connection with the use of this publication, and you must seek your own legal or other professional advice or opinions with respect to any SEC reporting requirements.