The SEC’s Cybersecurity Incident Reporting Rule and What It Means to Your Company

Phillip Carrington
DayBlink Consulting
Dec 13, 2023

With the average cyber attack costing companies nearly $4.5M per breach, investors require increasingly consistent and transparent reporting of cyber incidents, just as they require management to report on all other financially material issues. After an extensive comment and review period, the Securities and Exchange Commission (SEC) issued new cybersecurity disclosure rules on July 26, 2023 for publicly traded companies; the rules take effect starting December 18, 2023.

These rules require companies to provide more detailed information regarding their cybersecurity processes and to report material breaches to their operations. With these regulations, the SEC aims to level the playing field between companies reporting on cybersecurity incidents and to enable investors to make more informed investment decisions.

Cybersecurity Incident Reporting

For the past decade, public companies have disclosed attacks in an inconsistent manner. In an effort to streamline reporting of the facts and circumstances related to such incidents, the SEC proposed mandatory disclosure requirements for material breaches. The report should include the following information:

  • How the company has fixed or triaged the breach and the next steps to return to normal operations

As a result of comments it received, the SEC clarified that companies should not include technical details about the breach that could provide information to bad actors on how to replicate the attack or hinder proper remediation. Companies must report such attacks within four days after having determined that the breach is material for reporting purposes.

Companies should also consider numerous factors when assessing the materiality of a breach, including its impact on customers, potential litigation, financial and operational impact, and other measures relevant to the company. Materiality will differ from company to company.

Lastly, the rule provides a reporting exception when national security may be at risk. In those instances, the U.S. Attorney General, through the Department of Justice, may notify the SEC and prevent the release of further information. The AG may delay the report's release at his or her discretion, and the company will not be penalized for the delay.

Cybersecurity Risk Management Reporting

Similar to reporting of cybersecurity incidents, public companies currently report their cybersecurity risk management inconsistently. The SEC’s new rules provide a consistent and clear methodology for informing investors without disclosing sensitive information. They require companies to describe processes for “assessing, identifying, and managing material risks from cybersecurity threats.”

The rules specify three points that companies must include in their filing to ensure adequate disclosure, but may also allow for additional points as necessary:

Companies must report incidents on Form 8-K and then provide any further updates or relevant information in their scheduled 10-Q or 10-K reports.

With this rule, the SEC aims to strike a balance between the need for investors to understand a company’s cybersecurity practices and the need to limit the amount of information available to potential threat actors.

Directors’ Cybersecurity Expertise

With the increasing threat from bad actors, the SEC now requires companies to identify cybersecurity experts on their boards. By indicating this expertise, investors will gain better insight on how the company prioritizes cybersecurity risk against other competing needs. Companies must include board experience within the 10-K annual filing and as needed in other reports.

The new rules cover three main points that companies must disclose about their board of directors as overseers of the company:

  • Who is responsible for cybersecurity risk
  • How the company determines risk
  • How the board is informed about cybersecurity risk and how frequently it discusses it

Additionally, the SEC requires companies to enumerate management’s role in cybersecurity, including:

  • Who is responsible for measuring and managing cybersecurity risk and their expertise to do so
  • What is the process of informing and monitoring the company about cybersecurity risks
  • How frequently people report to the board of directors

Disclosure Timing and Penalties

All public companies must begin the Regulation S-K disclosures (risk management and strategy, and governance) with annual reports for the fiscal year ending December 15, 2023.

The reporting of material cybersecurity incidents begins on December 18, 2023. Smaller companies are given an additional 180-day grace period, until June 15, 2024.

Like all SEC reporting requirements, companies that do not follow these rules are subject to both criminal and civil liability. Company officers, including the CEO and CFO, must attest to the accuracy of all financial statements and notes, which now encompass these cybersecurity disclosures. Additionally, failure to comply with these rules may expose the company to civil penalties through shareholder lawsuits. Lastly, there is a sizeable reputational risk for companies that fail to report breaches in a timely manner.

Final Thoughts

The SEC’s new cybersecurity rules provide companies with clear and consistent guidelines to follow post breach. With these rules in place, we expect more companies to be forthcoming about cybersecurity incidents, and for boards to take a more active role in designing and implementing cybersecurity processes.

With the mandatory reporting of material breaches, we anticipate that companies will err on the side of caution and report more breaches initially. This initial wave will have the benefit of creating more comprehensive data for further analysis to better understand the breadth and scope of cybersecurity breaches. After about a year, we anticipate that companies will refine their materiality threshold to reflect what’s been reported.

Though we have long advocated for boards of directors to place stronger emphasis on cybersecurity, we understand full well the constraints of time and experience. The SEC rule is certain to change the calculation and further increase demand for cyber professionals and leaders with cyber experience.

At the very least, leadership teams should ensure that their organizations have already:

  1. Established a chain of command for reporting breaches
  2. Determined a methodology for determining if a breach is material
  3. Documented processes around reporting and assessing materiality
  4. Developed a playbook for all levels of the organization to follow once a breach is identified
