The SEC has released its final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, and it has significant cybersecurity implications for many organizations across the USA. With the new disclosure rules coming into effect in mid-December (the incident disclosure requirement applies from December 18, 2023, with smaller reporting companies given until June 15, 2024), many companies subject to the SEC's cyber requirements will be reinforcing their cybersecurity posture in order to withstand investor scrutiny.
The new SEC disclosure rule extends public company cyber disclosure requirements while also streamlining them. The fact that these disclosures will be public is driving renewed efforts to demonstrate that robust cybersecurity measures are in place.
In this first article of a two-part series, we walk you through the SEC disclosure requirements so that your business understands how to align its SEC cyber reporting with the changes, ahead of the requirements coming into force in December. In the following piece, we will discuss the practicalities of complying with the new SEC disclosure requirements.
The New SEC Disclosure Rule and Form 8-K
The final rule requires that companies describe their cybersecurity risk management, strategy and governance in their annual Form 10-K filings (new Regulation S-K Item 106).
It also requires mandatory and faster incident reporting: a Form 8-K (new Item 1.05) must be filed within four business days of the company determining that a cybersecurity incident is material. The clock starts at the materiality determination, not at discovery of the incident, but the rule requires that determination to be made without unreasonable delay after discovery.
The SEC defines a cybersecurity incident as an unauthorized occurrence, or a series of related unauthorized occurrences (which can arise from an internal or external source), on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity or availability of those systems or any information residing in them. Note the "or": an event that affects only availability, such as ransomware that encrypts data without exfiltrating anything, still meets the definition.
There are additional clauses addressing exceptional circumstances. In particular, disclosure may be delayed if the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing; the delay is initially limited to 30 days and can be extended only in limited circumstances.
In summary, a registrant that experiences an unauthorized event jeopardizing the confidentiality, integrity or availability of its information systems or the information within them, and determines that the incident is material, will be required to file a Form 8-K describing the incident, which will be open to public scrutiny. The description of the company's cybersecurity program itself belongs in the annual Form 10-K. In the rare cases involving national security or public safety, the filing may be delayed rather than accelerated.
Public Company Cyber Disclosure Requirements
Public companies will need to make disclosures in three key areas: cyber incident reporting, cyber risk management and strategy, and cyber governance. By knowing these SEC cyber reporting requirements, you can understand how to comply with the new SEC disclosure requirements in your SEC Form 8-K and Form 10-K reporting.
Cyber Incident Reporting (SEC Form 8-K)
This entails filing a Form 8-K in the case of a material incident. In a nutshell, information is material if there is a substantial likelihood that a reasonable investor would consider it important in deciding whether to buy, sell or hold the company's securities. The cyber incident reporting requirements include:
- Describe the material aspects of the nature, scope and timing of the incident, as well as its material impact, or reasonably likely material impact, on the registrant, including its financial condition and results of operations.
- Insofar as the required information has not been determined or is unavailable at the time of filing, the Form 8-K must say so, and an amendment must be filed within four business days after the information is determined or becomes available.
- The Form 8-K must be filed within four business days of the determination that the incident is material.
Cyber Risk Management and Strategy
This entails describing, in the Form 10-K, the company's processes for assessing, identifying and managing material risks from cybersecurity threats. There are two key disclosure requirements here:
- Whether and how those processes are integrated into the company's overall risk management program, including whether and how it engages assessors, consultants, auditors or other third parties; this also includes disclosing whether the company has processes to oversee and identify the risks arising from its use of third-party service providers.
- Whether any risks from cybersecurity threats, including as a result of previous incidents, have materially affected or are reasonably likely to materially affect the registrant's business strategy, results of operations or financial condition.
Cyber Governance
This entails describing the company's governance of cybersecurity risks, including:
- The board's oversight of risks from cybersecurity threats, identifying any board committee or subcommittee responsible for that oversight and describing the process by which the board or committee is informed about such risks.
- Management's role in assessing and managing material risks from cybersecurity threats, including which management positions or committees are responsible, their relevant expertise, how they are informed about and monitor incidents, and whether they report to the board.
Prepare Your Business to Comply with the SEC Cyber Reporting Requirements
By understanding the new SEC disclosure requirements, you can begin to prepare your business for its annual Form 10-K filings, as well as any Form 8-K filings triggered by material incidents. Because these disclosures will be public, the reputation and commercial standing of many SEC-regulated businesses will be at stake, so fast and decisive action ahead of the requirements coming into effect in December is essential. A practical first step is to define in writing who makes the materiality determination and how your incident response process escalates to them, since the four-business-day filing clock starts with that determination.
Elevate Your Cybersecurity and SEC Compliance: Get a CNE Audit Today
Want to gain comprehensive insight into your current SEC cyber compliance posture and map a concrete pathway to align your business with the new requirements? Our CNE audit offers the clarity and actionable insights you need to bring your business up to standard with the new SEC requirements. Get a one-off audit for $895, or a year-long service of regular quarterly audits for $1495. Get in contact with CP Cyber today to elevate your cybersecurity and compliance, and gain peace of mind.