Cybersecurity Incident Disclosure

Surveys have shown that 7 out of 10 business leaders believe that cybersecurity risks are rising in recent years, partly thanks to increased adoption of digital tools and cloud-based business workflows.

Cybersecurity has always been a high priority for modern organizations, and investors and customers alike want to know the digital security posture of the businesses they work with. To that end, the United States Securities and Exchange Commission (SEC) has begun requiring public companies to disclose the details of cybersecurity incidents.

What Is the SEC?

The SEC is an independent agency of the United States government designed to chase after cases of market manipulation. It was formed as early as 1934 and has since then made and enforced several major statutes such as the Securities Act of 1933, the Sarbanes-Oxley Act of 2002, and various others.

The agency maintains three main pillars of its objectives:

• Ensuring fair market competition
• Protecting investors
• Assisting in the formation of capital

In doing so, the SEC mandates public companies submit annual financial reports and an executive-written narrative account known as the management discussion and analysis, or MD&A. These reports are meant to explain the previous year of operations as well as future plans.

How the SEC Cybersecurity Disclosure Requirements Work

In early March of 2022, the SEC proposed new requirements regarding the cybersecurity disclosure and reporting protocols that are now necessary for public companies. It specifically targeted incidents of data breaches and other security problems and the ways the companies should have addressed those risks.

Under the new regulations, companies must report on both current and past cybersecurity incidents and have plans in place to oversee new risks as they come along. Any governance, risk management, and general strategy regarding cybersecurity must be divulged here.

These new rulings have several implications:

• The SEC is emphasizing that cybersecurity is now a prevalent part of general risk management in the enterprise space.
• Data breach disclosure requirements are now prescriptive and mandatory. They are also based on rules rather than principles.
• The agency notes that past disclosures of cybersecurity incidents were “inconsistent” and “may not be timely.” The new guidance is intended to amend these issues.

This cybersecurity SEC guidance is certainly not new, as the agency has been known to implement similar rulings in the past, such as the guidance it offered back in 2011 and 2018. However, recent developments in high-profile cyberattacks against both large and small businesses have driven more comprehensive awareness and enforcement policies.

Specific Details of the SEC’s Cybersecurity Reporting Requirements

Organizations should consult with their legal and cybersecurity teams regarding these new compliance measures. Some of the details to take note here include the following.

Form 8-K

Under Form 8-K, businesses must disclose the details of a material cybersecurity incident within 4 business days of determining that such an event has occurred. The contents of the report must include:

• The date of discovery
• Description and scope of the incident, such as whether any sensitive data was stolen
• Impact on corporate operations
• Status of the incident, such as whether it’s still ongoing
• Remedial measures undertaken by the company

Such a report is only necessary once the incident is known to be material instead of once the incident is discovered. It’s also worth noting that businesses do not have to disclose certain details of its planned response to cybersecurity incidents, as doing so could potentially impede said response.

Cybersecurity Risk Management, Strategy, and Governance

The disclosure requirements extend to other aspects of corporate risk management and governance:

• Descriptions of a company’s formal cybersecurity risk assessment program
• How it uses third-party auditors and consultants to assist in the initiative
• Handling of cybersecurity risks related to third-party vendors and partners
• Efforts taken to prevent future incidents and recover from past ones
• How overall business strategy and financial planning have evolved to meet the needs of cybersecurity incident prevention

And finally, it’s just as important for companies to monitor new developments in cybersecurity disclosure regulations. For instance, a new law coming into effect will be the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which targets owners of critical infrastructure and their own approaches to cybersecurity incident reporting and prevention.