New SEC Rules Require Cybersecurity Disclosure How To Prepare
New SEC Rules Require Cybersecurity Disclosure How To Prepare
In July of last year, the U.S. Securities and Exchange Commission (SEC) adopted final rules aimed at enhancing cybersecurity transparency among public companies. These rules mandate the disclosure of material cybersecurity incidents and require disclosures about cybersecurity risk management, strategy, and governance in annual reports.
Understanding the New Rules
The new SEC rules introduce significant changes in how public companies must address cybersecurity incidents and risk management.
Material Cybersecurity Incident Disclosure (8-K Requirement)
Public companies must now disclose material cybersecurity incidents in an 8-K filing within four days of determining the incident is material. Companies must report these incidents quickly to provide investors with timely information.
Ongoing Disclosures (10-K Requirement)
Companies must include material information regarding their cybersecurity risk management, strategy, and governance in their annual 10-K reports, offering investors a broader view of a company’s cybersecurity practices.
Materiality Assessment
Companies must determine what constitutes a “material” cybersecurity incident. While there is no firm definition, it is expected to be based on what a reasonable person would consider when making investment decisions. This introduces an element of judgment into the process.
Companies have flexibility in determining materiality but should consider financial, reputational, and operational impacts when making the final determination. For companies that collect Personally Identifiable Information or Protected Health Information, it’s likely that a cybersecurity incident occurring at the database level would rise to the level of material and require disclosure to the SEC.
Compliance Preparation for Different Types of Companies
The 10-K ongoing disclosure requirements are applicable for all annual reports for fiscal years ending on or after December 15, 2023. The compliance timeline for 8-K incident disclosure requirements varies based on the size and classification of the company, with the rules applicable now for all but smaller reporting companies.
Accelerated Filers
Companies falling into this category should have a comprehensive cybersecurity program in place. This program should encompass a cybersecurity risk assessment, employee training, incident response plans, testing, and cybersecurity insurance.
Smaller Reporting Companies
These companies have more time to comply (until June 15, 2024). These companies must focus on monitoring cybersecurity events and promptly determining their materiality.
Emerging Growth Companies (EGCs)
Effective June 15, 2024, EGCs have a 180-day extension to comply with the disclosure requirements. Effective December 15, 2024, EGCs are required to disclose material information regarding cybersecurity risk management, strategy, and governance in Form 10-K.
Steps to Prepare for Compliance
To ensure compliance with the new SEC rules, companies can take several proactive steps:
-
Conduct a Cybersecurity Risk Assessment: Identify and prioritize potential cybersecurity vulnerabilities across the company’s systems, data, and processes. This should include vulnerability assessments and penetration testing to simulate cyberattacks to assess potential impact and quantify risks. Document the assessment findings, including identified vulnerabilities and risks and provide recommended mitigation strategies to stakeholders. Given the complexity of cybersecurity compliance, many companies may benefit from hiring third-party experts to conduct these assessments and ensure compliance.
In tandem, establish a cybersecurity risk management strategy. Develop or adopt a cybersecurity framework that aligns with industry best practices and regulatory guidelines, such as the Committee of Sponsoring Organization’s framework.
-
Define Implementation Plan: Based on prioritized risks identified in the assessment report, create a detailed plan for implementing the chosen mitigation strategies. Utilize firewalls, intrusion detection systems, data encryption, and access controls to protect critical infrastructure and information. Detecting cyber threats promptly is crucial, as intruders often go undetected for extended periods of time.
-
Develop An Incident Response and Disclosure Plan: Develop and establish clear procedures for detecting, containing, and responding to cybersecurity incidents. Regularly test and update the company’s incident response plan. Consider cybersecurity insurance to mitigate financial losses due to a cybersecurity event.
Additionally, define criteria for identifying and reporting material incidents to the SEC. Maintain comprehensive records of incidents, including scope, impact, and remedial actions. A timely and satisfactory response depends on the continuous monitoring of systems and appropriate disclosure controls, as reporting is required regarding incidents that impact financial statements (and not solely the 8-K disclosure).
-
Establish Governance and Oversight: Define roles and responsibilities across the organization, including the board of directors. Ensure clear chain of command and reporting structure for cybersecurity incidents. Consider forming a dedicated committee to oversee cybersecurity strategy, risk management, and incident response.
-
Ensure Data Security: Classify data based on sensitivity and restrict access based on the “need-to-know” principle. Encrypt sensitive data at rest and in transit. Implement Data Loss Prevention (DLP) solutions to prevent unauthorized data exfiltration.
-
Strengthen Cybersecurity Training: Provide regular cybersecurity training and awareness programs to educate all employees (including executives and board members) on phishing scams, password hygiene, and other cybersecurity best practices.
Companies need to be proactive in preparing for compliance, regardless of their size, and ensure that their cybersecurity practices align with industry standards and regulatory requirements. With the right measures in place, companies can meet the new disclosure obligations while enhancing their overall cybersecurity posture, providing investors with the transparency they need to make informed decisions.