In July 2023, the Securities and Exchange Commission (SEC) adopted new disclosure rules for public companies. Long anticipated, the rules set out requirements for the disclosure of cybersecurity incidents and of risk management, strategy, and governance. According to the SEC, the new rules will address the concern of uneven disclosure practices of cyber incidents by companies, which made it difficult for investors to get a true understanding of a company’s cyber risk.

The original proposal, issued in 2022, was the subject of much comment and criticism. In the current rules, companies no longer need to identify a board cybersecurity expert or issue quarterly disclosures but are required to take action that necessitates both time and financial resources.

You’ve got a few more months left of 2023 to get your house in order.

This blog post, by Graeme Payne, Head of Advisory at Kudelski Security, focuses on what the SEC cybersecurity risk disclosure rules cover, and what Kudelski Security proposes you need to do to prepare.

The New SEC Cybersecurity Risk Disclosure Regulations: Who They Apply To

Rules apply to public companies as well as foreign private issuers (offshore operators).
Rules for other market entities, including broker-dealers, clearing agencies, and national securities associations are being drawn up.

Current Reporting Requirements on Material Cybersecurity Events

The rule requires the following:

• Form 8-K disclosure for public entities
• Form 6-K for foreign private issuers (November 2, 2023, effective date)
• Form 7-K for smaller reporting companies (April 30, 2024, effective date)

Annual Reporting Requirements on Cybersecurity Risk Management, Strategy, and Governance

The new rule requires the following:

• Form 10-K disclosure for annual reports for fiscal years ending on/after Dec 15, 2023, for public entities
• Form 20-F disclosure for foreign private issuers

Current Reporting – Disclosure of Material Cybersecurity Incidents (Form 8-K)

The new rules seek to result in cybersecurity incident disclosures that are consistent and comparable.

Disclosure is required just four days from when the company determines the incident to be material (without reasonable delay from time of incident discovery to determination of whether it is ‘material’ or not). Note there are some limited extensions for national security and customer proprietary network information (CPNI).

This information should enable investors to better evaluate a company’s (or ‘registrant’s’) exposure to material cybersecurity risks and incidents as well as their ability to manage and mitigate those risks.

The SEC has provided the following guidance:

• “Cybersecurity incident” is defined as an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.

This includes accidental occurrences not triggered by a threat actor and a series of related unauthorized occurrences (e.g., malicious actor engaged in a number of continuous cyberattacks related in time and form against a company).

• Information systems means resources owned or used by the registrant

The company must determine whether the incident is ‘material’ or not.

• Existing case law defines material as follows: “there is substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision or if it would have “significantly altered the ‘total mix’ of information made available”.

The SEC instructs registrants to consider both qualitative and quantitative factors in assessing material impact, including:

• Harm to reputation, customer or vendor relationships
• Possibility of litigation
• Possibility of regulatory investigations or action by US or non-US authorities

The SEC also instructs companies to disclose the impact of the incident and ‘reasonable likely material impacts’, including material aspects of the nature, scope, and timing of the incident and material impact (or reasonably likely material impact) on the company including its financial conditions and results of operations.

How to Integrate ‘Materiality’ into Incident Response

The question of what constitutes materiality was one of the more controversial topics of discussion by security leaders. The SEC allows companies to determine this themselves, based on their instruction.

Wherever you end up in your deliberations, you will now need to consider materiality as part of your incident response process.

1. Review your incident response processes to include early determinations of materiality. Materiality determinations include consideration of actual and expected costs in responding to and remediating the incident, as well as potential business impacts, reputational damage, litigation, regulatory investigations, increased insurance, and customer/vendor relationships.
2. CISOs need to work closely with legal, financial, and reporting professionals to ensure data is gathered to inform the materiality determination. Roles and responsibilities around incident management will need to be revisited.
3. Expand incident response simulations (including tabletop exercises) to include the materiality determination process. Incident response is a stressful time and strong communication, chain of command and coordination will be needed.
4. Ongoing incidents may require subsequent amendment of Form 8-K as additional information is gained.

Annual Reporting – Disclosure of Risk Management, Strategy, and Governance (Form 10-K)

From 10-K requires companies to describe their processes for assessing, identifying, and managing material risk from cybersecurity threats in sufficient detail for a ‘reasonable investor’ to understand those processes.

Disclosure allows investors to ascertain practices such as whether there is a risk assessment program in place, with enough detail for investors to understand the company’s cybersecurity risk profile.
The SEC requires you to indicate the following:

• How cybersecurity processes are integrated within an overall risk management system or process. Processes may include unwritten policies and procedures.
• Whether the company engages assessors, consultants, auditors or other third parties in connection with any such processes.
• Whether the company has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service providers.
• Whether any risks from cybersecurity threats (including as a result of previous incidents) have materially affected (or reasonably likely to affect) the company, including its business strategy, results of operations or financial condition; if so, how.
• Management’s role in assessing and managing the company’s material risks from cybersecurity threats including:
  • Management positions on committees responsible for assessing and managing such risks and relevant expertise of such persons (in such detail to fully describe the nature of their expertise)
  • Processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents
  • Whether such persons or committees report information about these risks to the Board of Directors or a committee or subcommittee of the Board

You are also required to describe your Board’s role on oversight of risks from cybersecurity threats and whether any board committee or subcommittee is responsible for cybersecurity oversight, including the processes by which they are informed.

Annual Disclosure and the Impact of the SEC New Rule on Cybersecurity Risk Management, Strategy, and Governance

While the new rules will increase transparency and accountability on how companies are managing and to some extent governing cybersecurity risk, initial disclosures of processes will likely vary greatly. As companies work out what content and level of detail is actually required of them in practice, we can initially expect some vagueness in first reporting. Maturity will improve over time and an industry benchmark will eventually emerge.

The inclusion of cybersecurity risks related to the use of third parties will increase focus on supplier risk management programs. This also highlights potentially under-reported and not well understood systemic risks that every organization faces. Systemic risk was highlighted in the recent National Cybersecurity Strategy.

While some of the Board governance proposals were excluded in the final rule, we expect leading practice companies to embrace many of the proposed practices related to boardroom leadership, policy and practice.

Notably Absent – Cybersecurity Expertise on the Board of Directors

A notable absence from the new rulings was the stipulation that companies include cybersecurity expertise in their board of directors.

The original SEC proposal was to include it, but this turned out to be another contentious issue and consequently removed from the final rule.

The eventual omission shows us that – in many quarters – a compliance-based approach to cybersecurity persists. In our opinion, this is shortsighted. The rule would have significantly increased the depth of cybersecurity expertise on boards and significantly strengthened its role in governance of cyber risk. We only need to look at the SOX reform that required disclosure of financial expertise on the Board of Directors, to see its impact on enhanced financial reporting and governance practices.

That said, this is the way cyber-mature companies are going. With major companies, including Visa, Nordstrum, Zoom, and Salesforce appointing cybersecurity experts to their boards, we see an important precedent being set, which we anticipate becoming the industry standard.

How Kudelski Security Can Help

If you want details, the SEC adopting release is available here, and their fact sheet available here.
If you want to know what practical, preparatory steps your company should take regarding incident response, cybersecurity risk management, and governance and reporting, download the check list here or get in touch with me at [email protected]