Time Is of the Essence With SEC's Approved Cybersecurity Disclosure Rules
On July 26, the US Securities and Exchange Commission (SEC) fast-tracked approval of its cybersecurity disclosure rules for publicly traded companies focused on incident disclosure; cybersecurity risk management, strategy, and governance; and the involvement of boards of directors in cybersecurity programs. While many of us didn’t expect official rule adoption until October, the SEC surprised us all and is sending a clear message about the importance it is placing on cybersecurity.
While some of the approved regulations differ slightly from the initial proposal, many of the core tenants remain, including requiring registrants to disclose material cybersecurity incidents within four days after the company has determined that there is a material impact on an information security system and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. Here’s an overview of both requirements as spelled out in the SEC’s announcement:
- New Item 1.05 of Form 8-K requires registrants to disclose any cybersecurity incident they determine to be material and to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant from the shareholders’ perspective. An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material.
- Regulation S-K Item 106 requires registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant's annual report on Form 10-K.
With these new rules adopted, publicly traded companies of all sizes are now in a race to comply ahead of the specified deadlines, which are looming. In the case of incident disclosure, or Form 8-K, the rules will become effective 90 days after their publication in the Federal Register or Dec. 18, 2023 (though smaller reporting companies will have up to an additional 180 days to comply). Form 10-K disclosures will be due beginning with annual reports for fiscal years ending on or after Dec. 15, 2023.
In both cases, companies are battling an aggressive adoption timeline and execution within this short window will require a significant undertaking.
The biggest hurdle many companies will face along their journeys to compliance is overcoming the SEC’s vague language on disclosing material cyber incidents by defining what “materiality” means to them, defining it from the reasonable shareholders’ point of view. Getting this right will require involvement from every stakeholder within the organization, especially information technology and cybersecurity teams, the chief financial officer, and the general counsel.
Each of these stakeholders must identify very specific qualitative and quantitative financial and business factors that affect their company, so they can properly assess what rises to the level of an incident of material impact, or reasonably likely material impact, on the registrant. This is vital to comply with new disclosure rules because once an incident is deemed to have a material impact on a victim, the company has four days to publicly disclose it.
The bottom line is that complying with the SEC’s new rules requires a lot of different parties to meet to put policies, processes, and procedures in place to determine what constitutes a material incident and how to respond if one occurs—and they only have 90 to 120 days to do so.
Elevating the Role of Leadership
While it’s true that the SEC’s new rules come with their fair share of challenges, there are some major steps forward for the industry as well. For example, companies have been reluctant to publicly disclose cyber breaches for fear of reputation and financial repercussions and stakeholder push back.
Omissions of this nature have hindered law enforcement’s ability to catch cybercriminals and prevent similar attacks from happening to other organizations. Now, we can feel more confident that the industry, stakeholders, and law enforcement will get the information they need in a timely fashion for better decision-making and faster enforcement response.
Additionally, though the SEC may not have adopted rules requiring board members to have cybersecurity qualifications, Item 106 is designed to elevate the role of all leadership, including the board, CEOs, and chief information security officers, in risk management. This is a huge win from a cultural standpoint because cyber resilience can only be achieved with company-wide involvement—from the boardroom to the mailroom.
Finally, getting boards and senior leadership more involved in risk management will hopefully help leaders with antiquated perceptions of security as a cost center to shift their thinking to view security for what it truly is: a business enabler.
Next Steps for Publicly Traded Companies
We know the rules and we know the deadlines, but most publicly traded companies only have between 90 and 120 days to meet the requirements. This is an extremely tight timeframe for the extent of collaboration and work that needs to happen to get businesses on the path to compliance.
Once the SEC begins to dole out enforcement actions and noncompliance consequences, we’ll have a better idea of what they are expecting from publicly traded companies. Until then, we must do our best to prepare, and this means acting today by convening all stakeholders within the company to get them focused on determining materiality and putting the steps in place to report and respond should a material incident occur.
Optiv is a NACD partner, providing directors with critical and timely information, and perspectives. Optiv is a financial supporter of the NACD.
James Turgal is the vice president of cyber risk, strategy, and board relations at Optiv.