  • Capitol Core Group

FROM THE HILL: Cybersecurity #12

SEC Votes to Require Reporting and Risk Management for Public Companies

Regulatory Alert

Estimated Reading Time = 5 mins. 40 secs.


Written for:

  • Cybersecurity Industry

 

Policy Brief:

  • Most publicly traded companies will begin reporting cybersecurity incidents as of December 18, 2023. Some smaller publicly traded companies will have until June 15, 2024.

  • The Final Rule made some changes with regard to disclosure and reporting requirements to the NOPR published in March 2022.

  • Cybersecurity risk management information will be reported in the company’s annual report.

 

On July 26, 2023, the Securities and Exchange Commission (SEC) voted 3-2 to finalize regulations adopting reporting and risk management disclosure requirements for cybersecurity attacks on public companies. The final rule modifies the disclosure requirements from the March 2022 Proposed Rule (NOPR) [see Cybersecurity #6 for the entire summary of the NOPR] published by the Commission. The SEC Rule is another key part of the U.S. Government’s focus on cybersecurity, pushing toward accountability and increasingly concentrating on enforcement actions.


What to Know About the New Rules


1. Disclosure


Public companies must now disclose “any cybersecurity incidents that they experience that is determined to be ‘material’ within four days” via a Form 8-K, Item 1.05 filing. The report must include the description, nature, scope, timing, and impact on the company. The timing for the company to determine “materiality” is based upon the requirement of “without unreasonable delay.”


Both the materiality determination and the without unreasonable delay time period are vague within the Final Rule. The determination threshold for reporting is based upon the material impact or “reasonably likely” material impact of the cyberattack on the company, including on its financial condition and results of operations.


The rule creates problems similar to those found in consumer credit reporting and financial services data privacy rules in that the standard could pressure companies to draw conclusions about incidents with insufficient information. While the SEC revised the timeline in the Final Rule, the adopting release addressed the issue by stating there may be instances where a company does not have complete information about the incident but knows enough to determine that the incident was material, such as when incidents impact key systems and information or involve unauthorized access to or exfiltration of large quantities of particularly important data. The standard of “unauthorized access” to large quantities of data is also problematic in the Rule, as it creates questions over whether certain unauthorized accesses of data internally (but not exfiltrated) are a “material” incident. The Commission indicated that companies should consider qualitative factors in assessing the material impact of an incident, and indicated that harm to a company’s reputation, customer or vendor relationships, or competitiveness, and the possibility of litigation or regulatory investigations or actions, were all examples of potential material impacts on a company.


The rule also carries forward the broad definition of “cybersecurity incident” found in the consumer credit and financial services regulations and defines it as “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” Information systems covered within the rule are not limited to those owned by the company but may include those used by the company, such as SaaS, which clearly covers information resources owned by third parties. Note as well that the “incident” isn’t limited to a single event but may include a series of smaller events that are combined to create an “incident.”


2. Risk Management Strategy and Disclosure


The rule requires public companies to disclose a process but stops short of requiring disclosures of the procedures taken by the company in the event of an incident. Within the 10-K, companies must annually describe the process for “identifying, assessing, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.” The rule also requires public companies to describe “if the risks have materially affected or are reasonably likely to materially affect [the company]…including its business strategy, results of operations, or financial condition.”


Companies are going to have to walk a fine line on this issue. Providing “sufficient detail…to understand those processes” creates the potential to expose vulnerabilities. Distinguishing between a general process and the actual procedures used by a company while complying with the 10-K disclosure will be difficult, as will complying with the rules while describing cyberattacks without revealing incident response procedures or security controls, or being too descriptive about a company’s connectivity. The disclosure may create a roadmap for targeting certain industries or companies and increase cyberattacks.


Specifically, the disclosure requires a company to address the following non-exclusive list of items:

  • Whether and how any such processes have been integrated into the company’s overall risk management system or processes;

  • Whether the company engages assessors, consultants, auditors, or other third parties in connection with any such processes; and

  • Whether the company has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.

Companies must also describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations, or financial condition and if so, how.


What’s Next for Public Companies


In discussing the rule with various law firms around D.C., the main impact and advice provided is that cybersecurity requirements are no longer the sole responsibility of information technology departments or Chief Information Officers. They now require the involvement of finance, human resources, talent acquisition, government affairs, and legal on an ongoing basis for compliance and development of response processes. In our notification to publicly traded clients, Capitol Core strongly suggested immediate dissemination to counsel for interpretation on “how” to meet the effective dates of the rule.


Secondarily, they recommended updating existing plans/protocols and increasing management visibility to gain understanding as well as determine respective roles. This includes conducting tabletop exercises to pressure test these plans and help employees practice responding to a live cybersecurity incident before a real crisis occurs.


Lastly, companies are going to need the tools to identify potential gaps and provide the narrative for cybersecurity risk management without increasing the potential for attacks as a result of the disclosure.


For Cybersecurity Providers


For industry providers, the Rule coupled with the known push to reassign liability for cyberattack incidents [See Cybersecurity #11] creates a cautionary tale. Publicly traded companies in the U.S. will rely heavily on cybersecurity providers as part of the procedures needed to prevent or address future attacks. Providers on the Risk Management side will be called upon to assist in developing the processes and identifying the areas of vulnerability. Provider markets will open up to include legal, finance, people, operational departments, and third-party providers. Marketing solely to IT departments and CIO/CTOs is now a thing of the past. But industry providers must fully understand the liability, compliance and new/pending regulatory requirements for cybersecurity in each individual industry. Multiple cybersecurity plans will be required for utilities, communications companies, and supply chain providers already designated as “critical infrastructure providers.” Disclosures of an attack on public companies increase the stakes for financial impact, and providers will be included in that liability.


Capitol Core clients will have an advantage as we maintain a close eye on regulatory requirements and make sure our clients have advance knowledge, to allow for quick adaptation to the changing environment.


Referenced Documents


The Securities and Exchange Commission Final Rule can be found here.

A SEC Fact Sheet on the Rule can be found here.

 

From the Hill is an industry snapshot for Capitol Core Group clients in select industries of interest. It is compiled from Capitol Core research and discussions as well as outside resources including Bloomberg Government, Roll Call, Reuters, and other relevant sources. All data provided is public data but is compiled for ease of understanding.


This is the twelfth in the series on the topic of cybersecurity since 2020 and is a policy overview. Capitol Core initiated this snapshot due to the Final Rule promulgated by the Securities and Exchange Commission.


Michael W. McKinney leads Capitol Core’s “technology” practice area which includes cybersecurity.

 
