In our last article we explained the SEC's new disclosure requirements for Form 8-K and Form 10-K. These requirements relate to three key areas: cyber incident reporting, cyber risk management and strategy, and cyber governance.
In the previous article we outlined the descriptive requirements involved in SEC cyber reporting for these key areas. The question that follows is: how can I practically implement these requirements in my cyber reporting? In this article, we delve into the practical considerations involved in achieving compliance with the SEC's new disclosure requirements.
The SEC’s New Cyber Disclosure Rule
As a recap, on July 26, 2023, the SEC unveiled an extensive new framework of cybersecurity disclosure rules that will reshape the responsibilities of public companies in their reporting of cybersecurity incidents. The new disclosure rules are set to take effect from mid-December. They are something of a departure from the SEC's initial proposal, which has prompted many decision-makers to look for practical ways to ensure that they are aligned with the new public company cyber disclosure requirements.
Key Pillars of the New SEC Disclosure Rule
The new cyber disclosure rule is underpinned by several pillars, each designed to enhance transparency and the verifiable strength of cybersecurity practices:
Timely disclosure on Form 8-K: A cornerstone of the rule mandates that public companies swiftly disclose any material cybersecurity incident on Form 8-K within four business days of determining its materiality. This mechanism is designed to empower investors with rapid access to critical information pertaining to cybersecurity threats.
Materiality assessment: A critical aspect of the rule revolves around assessing an event’s materiality without undue delay. The assessment of materiality requires a holistic consideration of factors such as data volume, sensitivity, entry points of threat actors, potential data exfiltration, and the broader impact of operational disruptions. We will cover the SEC’s guidance on assessing materiality shortly.
Cybersecurity risk management and strategy: Public companies are now required to describe their processes for assessing, identifying, and managing material risks arising from cybersecurity threats. This mandate extends to articulating the potential ramifications of these risks on the company's strategic direction, financial stability, and operational performance.
Cybersecurity governance: This aspect focuses on the role of the board of directors in overseeing cybersecurity threats. It necessitates a comprehensive description of management’s involvement in evaluating and mitigating material cybersecurity risks.
Structured data requirements: To raise the standard of transparency, companies are required to tag disclosures using the inline XBRL format. This structured approach not only streamlines access to reporting information but also ensures that disclosures are more uniform and transparent for investors.
Assessing Event Materiality (SEC Form 8-K)
Cybersecurity incidents are only required to be reported if they have a material impact. Firms are now required to assess materiality without "undue delay". Materiality refers to the likelihood that an event will influence a reasonable investor's decision to buy, hold or sell a security; in other words, the degree to which an event affects the information available to investors and, in turn, the decisions they make.
In terms of guidance, the SEC provides a general outline of what a materiality assessment should cover:
Quantitative factors: numerical impacts, such as the volume of impacted data, duration of a breach, the length of time in which systems were disrupted, potential loss of revenue and other financial impacts.
Qualitative factors: descriptive considerations, such as how systems were breached, the sensitivity of the exposed data, mitigatory factors such as data and system backups, as well as whether the data was accessed or stolen.
Holistic over mechanistic: The SEC has noted that disclosure reporting on incident materiality should be holistic rather than mechanistic. This can be taken to mean that alongside discussing the linear processes, events and impacts involved in the breach, a wider, more multi-layered and interconnecting approach should be used. This can include examining impacts on stakeholders, how wider attitudes may have contributed to the event, and the role of policies and strategies. A holistic assessment will examine how qualitative and quantitative factors influenced each other.
Annual SEC Form 10-K Disclosures: Cybersecurity Risk Management, Strategy, and Cyber Governance
Turning more broadly to the public company cyber disclosure requirements that will need to be fulfilled, the following are the key initiatives that public companies should be undertaking to achieve compliance with the SEC's new cyber disclosure requirements.
- Evaluate cybersecurity processes: Embark on a comprehensive assessment of your organization’s mechanisms for identifying, evaluating, and mitigating material risks stemming from cybersecurity threats. It is imperative that your risk management strategy is aligned with these processes and the new disclosure requirements outlined here. The disclosure of cybersecurity processes should also include consideration of engagements with third parties for these purposes, and the risk management processes in place for these engagements.
- Consolidate incident response protocols: Build and refine your incident response protocols to ensure they are both comprehensive and responsive. These protocols should delineate precise steps to be taken in the event of a cybersecurity incident, which will facilitate a full and faster materiality assessment and reporting process.
- Ensure a proactive role of the board: Reinforce the board’s vigilance and oversight concerning cybersecurity risks. Annual filings will require defining the precise roles and responsibilities of board members and any pertinent committees in evaluating and managing material cybersecurity threats. Companies will also need to define the process of how the board is informed about cybersecurity risks.
The SEC has emphasized that this list is not exhaustive; where possible, additional measures to empower management and risk management processes should be taken. Alongside this, providing the depth of detail needed to empower reasonable investors to understand cybersecurity processes will be crucial.
In all, each public company will need to chart its own course to compliance with the SEC rules, but by understanding the practical and descriptive stipulations of the new SEC disclosure requirements, you can start to take the proactive steps needed to achieve full compliance and confidence, while elevating your cybersecurity and commercial posture in the process.
Elevate Your Cybersecurity and SEC Compliance: Get a CNE Audit Today
Want to gain comprehensive insight into your current SEC cyber compliance posture and map a concrete pathway to align your business with the new requirements? Our CNE audit offers the clarity and actionable insights you need to bring your business up to standard with the new SEC requirements. Get a one-off audit for $895, or a year-long service of regular quarterly audits for $1495. Get in contact with CP Cyber today to elevate your cybersecurity and compliance, and gain peace of mind.