At the close of 2023, the U.S. Security and Exchange Commission’s (SEC or Commission) cybersecurity reporting requirements went into effect for public companies.
The SEC’s rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure for public companies (the Cybersecurity Rule or Rule) mandate annual disclosure of company-level cyber protections and potential risks; board oversight and the role of company management in assessing and managing cybersecurity risk; and real-time disclosure of cyber incidents deemed material.
We examine what this means for companies and provide actionable guidance to help you manage cybersecurity risk and ensure Rule compliance.
The SEC & Cybersecurity
The SEC’s broader regulatory framework is designed to protect investors, maintain fair, orderly, and efficient financial markets, and facilitate capital deployment. SEC-registered companies must publicly disclose financial, operational, and legal risks deemed material to an investor’s decision to hold their securities.
Cyber risk can be as potent as any other when it comes to damaging enterprise value. Companies rely on digital infrastructure for virtually every aspect of their operations, from internal communications and data management to customer interactions and e-commerce. A cyber incident, such as a data breach, can harm a registrant’s reputation, customer and vendor relationships, and bottom line.
Since 2011 (and with updates in 2018), the SEC’s Division of Corporation Finance has provided interpretive guidance on disclosing material cybersecurity risks and incidents, though stopped short of requiring standalone reporting.
The Cybersecurity Rule changes that: The Rule reflects an elevated understanding of cybersecurity risk as an enterprise-level hazard一comparable to other business risks and within the oversight scope of the company’s board of directors and corporate management responsibilities.
With these standardized disclosure protocols, the Commission is mandating stronger reporting consistency so that investors and markets can more accurately evaluate and compare company-level cybersecurity postures, breaches, and impacts on their investment decisions.
The SEC Cybersecurity Rule
The Cybersecurity Rule consists of two primary parts: new items 106 to Regulation S-K and 1.05 on Form 8-K. Relevant sections are described below:
-
Regulation S-K Item 106(b)一Risk Management and Strategy
Companies must annually disclose their processes for assessing, identifying, and managing material cybersecurity threats, including any material effects or reasonably likely material effects from such threats on business operations, strategy, or financial condition.
-
Regulation S-K Item 106(c)一Governance
Companies must disclose the board of directors’ oversight of cybersecurity risk and management’s role in evaluating and managing material cyber threats.
Regulation S-K items must be disclosed on Form 10-K, provided annually to the Commission, beginning with annual reports for fiscal years ending on or after December 15, 2023.
-
Form 8-K Item 1.05一Material Cybersecurity Incidents
Companies must disclose any cybersecurity incident they determine to be material with descriptions of the material aspects of its nature, scope, timing, impact, or reasonably likely impact. This includes material impacts from incidents associated with third-party partners. A materiality assessment and determination must be made 'without unreasonable delay' once the cyber incident is discovered and include impacts on the company’s financial condition and results of operations.
An Item 1.05 Form 8-K must be filed with the SEC no later than four business days after a company has determined the incident is material.
Additional components of Item 1.05 and other related provisions are summarized below:
-
Amendments to Prior 1.05 Form 8-K Submissions
Companies must amend previously filed 1.05 Form 8-K submissions to include additional relevant information not determined or available at the initial 1.05 Form 8-K submission.
-
National Security & Public Safety Exceptions
The Rule allows companies to delay disclosure beyond four days when the United States Attorney General (AG) determines immediate disclosure would pose a substantial risk to national security or public safety. The AG must communicate this to the SEC in writing.
Under this scenario, a company must request a delay within four business days after establishing materiality. Requests can be made via Federal Bureau of Investigation (FBI) field offices or another U.S. government agency, such as the U.S. Secret Service, the Cybersecurity & Infrastructure Security Agency (CISA), or another Sector Risk Management Agency (SRMA). The United States Department of Justice (DOJ) and FBI have issued guidelines to facilitate delay requests.
At the AG’s discretion, an initial delay can be extended for 30 days, with additional delays of up to 90 days (120 days total). An SEC exemptive order is required for additional delays beyond the 120-day mark.
Cyber incident disclosure requirements went into effect on December 18, 2023; however, smaller companies have until June 15, 2024, to meet them.
-
Submissions Required for Foreign Private Issuers
Comparable disclosures are required by Foreign Private Issuers (FPI) on Form 6-K for material cybersecurity incidents and Form 20-F for cybersecurity risk management, strategy, and governance.
-
Format
All registrants must tag disclosures in Inline eXtensible Business Reporting Language (Inline XBRL) starting one year after initial compliance with the new requirements.
Implementation Considerations & Best Practices
Adherence to parts of the Cybersecurity Rule is likely to be demanding for many companies, especially at first.
For example, the Rule was intentionally crafted with vague language, allowing companies to interpret terms such as ‘materiality’ and ‘risk management’ to align with their unique business circumstances. And while interpretive flexibility can be helpful, it also means companies must establish appropriate definitions and frameworks through which to build and assess their cybersecurity postures. Furthermore, timing requirements for incident disclosure are tight, putting additional stress on cybersecurity teams already in the throes of incident management.
That’s where Cybersafe can make a difference: Below, we offer expert insights on how to help navigate these and related challenges more effectively.
Determination of Materiality
A ‘material’ impact on business operations, strategy, or financial condition is referenced throughout the Rule as the primary standard for disclosure.
In this context, the SEC relies on its previously established definition of materiality found in the Securities Act Rule 405 and Exchange Act Rule 12b-2: In summary, an impact is generally considered material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision, or if it would significantly alter the ‘total mix’ of information available.
That said, companies are left to establish their own definitions of what specifically constitutes a material cyber threat or incident to their businesses. This includes assessing impacts on the company’s ‘financial condition’ and ‘results of operations.’ However, quantitative thresholds of materiality can vary significantly from industry to industry, if not firm to firm. For example, a 5-percent reduction in net income could be significant for some companies and relatively innocuous for others.
Additionally, the Commission indicates companies should consider the harm of a cyber incident to qualitative measures, such as brand reputation, customer and vendor relationships, or ability to compete.
Faced with these challenges, the CISO (or other cybersecurity officer) should ensure they have a granular understanding of their business一what drives success, operational or other vulnerabilities, and the types of cyber incidents that could inflict significant harm in these areas. We also suggest consulting with the company’s Chief Financial Officer (CFO), who likely contends with materiality issues frequently.
Finally, whatever the definition of materiality used, we recommend legal counsel review it to ensure it’s defensible, should the question arise from investors or other stakeholders.
Implementing Cyber Risk Management
Compliance with Regulation S-K will require companies to develop and document their understanding of cyber risk and how best to defend against it.
A great place to start is with the company’s definition of materiality (see above). This can be used to prioritize the methodologies, controls, and defenses designed to help protect the business’s greatest assetsーthose that, if compromised, could result in material cyber incidents.
Partnering with a seasoned cybersecurity expert, such as Cybersafe, can uncover key vulnerabilities, enhance protections, and strengthen your security posture. For example, Cybersafe can provide comprehensive cyber risk assessments across IT infrastructure, systems, policies, and procedures to identify gaps before they’re exploited.
Additionally, next-generation Managed Detection and Response (MDR) technology, Cybersafe’s SOL XDR solution, enables its professionals to proactively identify threats, recommend and implement effective remediation and recovery strategies, map organizational cyber maturity against industry standards, and assist in the development and documentation of targeted security policies.
Getting Your Corporate Board Up to Speed
According to legal news platform Law.com Radar, data-breach class action lawsuits are on the rise, with a 2023 monthly average of 44.5 through the end of August一more than double the rate of 20.6 in 2022. Notable settlements include T-Mobile, which agreed to pay plaintiffs $350 million, and a $190 million settlement by Capital One.
Still, moving the board of directors from a limited appreciation of cybersecurity to a more proactive oversight posture will also be a significant challenge for many organizations. This provision, as outlined in Regulation S-K 106(c), underscores the gravity with which the SEC views cyber risk and its requirement that company leadership manage it at the enterprise level.
On the ground, this will likely require senior management to report to the board on the company’s cybersecurity program, including materiality definitions, initiatives, and SEC reporting preparedness一not easy for CISOs and others who haven’t experienced many cyber incidents.
A trusted cybersecurity partner, such as Cybersafe, can help clarify forward risk priorities for company leadership, articulate the value of cybersecurity investment, conduct periodic security validation via Breach and Attack Simulation to ensure current levels of security comply with stated security programs, and assist with security policy development and documentation.
Incident Response & Reporting Timeline
Cyber incidents can unfold over days and weeks, if not longer. Determining materiality under these circumstances can be a time-consuming and complex undertaking. As such, compliance with the Commission’s four-day reporting window will likely be a daunting task for any cybersecurity team.
That said, key first steps in managing a cybercrime event should be in place before it occurs: comprehensive preparation and prevention. This is foundational to Cybersafe’s best-in-class approach to digital forensics and incident response. Its experts have the experience, industry expertise, and tools (such as the aforementioned SOL XDR) to undertake a robust incident response, including route cause and breach path analysis, that’s effective and timely.
By leveraging elements from prevailing security frameworks and its proprietary advanced malware detection and incident response platform, Cybersafe’s incident handlers can resolve events earlier一with faster business resumption and less downtime overall.
As an aside, should you decide a cyber incident meets the threshold of a national security or public safety risk and have submitted a delay request, we recommend you still concurrently prepare to disclose the incident on Form 8-K should the Attorney General deny the request.
Third-Party Risk Management
The increasing involvement of companies with third-party providers and clients for information technology, business services一or just business一greatly expands their own cyber attack surface.
The SolarWinds incident stands out as a particularly pernicious and far-reaching attack in which software updates were used as a vector targeting the networks of thousands of SolarWinds customers.
Despite this lack of direct control associated with third-party partners, companies still carry the burden of material-event disclosure. As such, understanding third-party exposures and how to address them can help mitigate their effects.
Cybersafe offers a variety of tactics that, together, can help reduce your risk to this increasing threat. Key components include using a due diligence questionnaire (DDQ) for insights on a partner’s cybersecurity posture; implementing protocols for data access and sharing banking information; implementing MDR to scan network endpoints and the cloud; and perhaps most importantly, employee cyber awareness training.
Security Awareness Training and Education (SATE) plays a crucial role in enhancing cyber defense by empowering individuals to recognize potential cyber threats, protect sensitive information, practice safe online behavior, and foster a security-aware organizational culture.
Notably, emphasizing cybersecurity awareness is a critical strategy in reducing the financial impact of data breaches. IBM's research indicates employee cybersecurity awareness training ranks as the second most effective measure in diminishing the costs associated with data breaches.
Key Takeaways
Navigating the SEC’s Cybersecurity Rule presents a unique set of challenges and opportunities for companies. With its emphasis on transparency and detailed reporting, the Rule underscores the critical importance of robust cybersecurity practices in today's digital landscape.
Public companies must now take a more proactive approach to cybersecurity that not only meets compliance requirements but also helps maintain the trust of investors and customers and safeguard the future of their businesses. This latter point should be the focus of every cybersecurity program.
By embracing this approach and working closely with cybersecurity experts such as Cybersafe, companies can turn these challenges into catalysts for strengthening their overall cybersecurity resilience and enhancing their long-term success in today’s evolving digital landscape.
Cybersafe is a leading Managed Security Service Provider (MSSP) providing unmatched continuous monitoring, risk assessment, and incident response. For more about how to bolster your cybersecurity posture with our services, schedule a consultation or contact us today.