How to Prepare for Compliance With the SEC Cybersecurity Rules Update

In a landmark decision on July 26, 2023, the Securities and Exchange Commission (SEC) brought about a seismic shift in corporate disclosure regulations. With a slim 3-to-2 majority vote, the SEC gave their final stamp of approval to a rule that is set to reshape the playing field for public companies. 

So, what’s all the buzz about? 

This game-changing SEC cybersecurity disclosure rule now makes it mandatory for public companies to lay bare “material” cybersecurity incidents within four days of determining their materiality. In addition, details related to cybersecurity risk management, strategies, and governance must be disclosed.

So, what’s on the to-do list for public companies?

A whirlwind of tasks awaits them. 

Public companies must scrutinize their existing disclosure controls and procedures, create a solid framework for determining materiality, and get everyone involved in the disclosure process. It’s also time to give third-party cybersecurity incident procedures a good once-over.

The SEC cybersecurity final rule culminates in a significant regulatory journey that commenced with the SEC’s rule proposal in March 2022. The initial proposal generated extensive commentary and criticism, leading to substantial revisions in the disclosure requirements related to cybersecurity. The final rule introduces significant new obligations to public companies.

SEC Cybersecurity Rules 2023 Key Requirements

Material Cybersecurity Incident Disclosure

Public companies must promptly disclose material cybersecurity incidents via Form 8-K within four business days of determining the incident’s materiality.

Annual Cybersecurity Risk Management and Strategy Disclosures

Companies must provide annual disclosures within Form 10-K regarding cybersecurity risk management and strategy. This includes details about their processes for managing cybersecurity threats and whether such threats have materially impacted the company.

Annual Cybersecurity Governance Disclosures

Companies must also make annual disclosures within Form 10-K concerning their cybersecurity governance. This encompasses information about oversight by the board and management.

SEC Cybersecurity Rules Effective Dates

To facilitate a smoother transition, the compliance deadlines for the SEC cybersecurity disclosure rules are staggered, as follows:

• Form 8-K Incident Disclosure Requirements

Most public companies must begin complying with these requirements the later of December 18, 2023, or 90 days after the final rule’s publication in the Federal Register.

• Smaller Reporting Companies

Smaller reporting companies are eligible for an extended compliance deadline for Form 8-K incident disclosures. They have until June 15, 2024, or 270 days after the final rule is published in the Federal Register.

• New Annual Disclosure Requirements

All public companies must adhere to the new annual disclosure requirements in their annual reports on Form 10-K or 20-F for fiscal years ending on or after December 15, 2023.

High-Level Roadmap to Compliance

Assess Cybersecurity Expertise

Examine the composition of your board to identify cybersecurity expertise or determine the need to acquire it. Investing in this expertise not only enhances resilience but also reflects its priority within your organization.

Having board members with cybersecurity expertise is an investment in the organization’s long-term security. It demonstrates that cybersecurity is a top priority, reassuring investors and stakeholders.

Evaluate Your Risk Management Approach

Scrutinize your cybersecurity policies and procedures. These not only reduce risk but also serve as an indicator of continuous improvement—an essential metric that investors will scrutinize.

Robust cybersecurity policies and procedures not only protect your organization but also demonstrate your commitment to proactive risk management, which investors appreciate.

Enhance Incident Response Program

In a world where security incidents are an inevitability, investing in a proactive incident response program is a necessity. Develop plans, playbooks, and disclosure statements for different scenarios. Being prepared ahead of the SEC’s requirements will empower your organization to respond effectively when an incident occurs.

Incident response is about more than just reporting. It’s about minimizing damage and maintaining trust, making it a critical aspect of cybersecurity preparedness.

Establish Confidence in Your Cybersecurity Strategy

The SEC proposed cybersecurity rules emphasize the importance of quantifying the effectiveness of your cybersecurity strategy, risk management, incident response, and governance. Invest in tools and solutions that provide measurable proof of your risk management execution holds more value for investors than mere policies or incident workbooks.

Proving the effectiveness of your cybersecurity strategy is a way to differentiate your organization from others and gain investors’ trust.

Is Your Organization Ready to Respond to the Rule?

When a cybersecurity incident occurs, organizations need to be prepared to respond swiftly. This requires a robust cybersecurity incident response plan aligned with a comprehensive governance, risk, and compliance program. Such preparations are vital for managing incidents efficiently, with agility and cohesion. The new SEC rules on cybersecurity underscore the importance of having a comprehensive response plan.

How Can Your Organization Prepare?

Ensure a Clear and Cohesive Cybersecurity Response Strategy

Organizations should have a well-defined cybersecurity governance and response strategy in place. This strategy should align with best practices and empower effective decision-making on cybersecurity risks. It should also facilitate transparent reporting of metrics to relevant stakeholders regarding risks that could impact finance, operations, or reputation.

A clear and cohesive response strategy ensures that everyone in your organization knows their roles and responsibilities in the event of a cybersecurity incident.

Review and Enhance Your Cybersecurity Risk Management Program and Processes

An effective cybersecurity risk management program is central to an organization’s response strategy. It enables organizations to determine when incidents might lead to material impacts requiring disclosure.

The risk management program helps identify the potential impact of incidents, ensuring timely and accurate disclosure.

Identify the “Crown Jewels”

Assess and identify the most valuable assets of your organization, which are prime targets for malicious actors. Understanding these “Crown Jewels” informs materiality determinations and prioritizes areas of highest criticality.

Protecting your most valuable assets is crucial and plays a key role in determining what incidents should be disclosed.

Review and Update Plans, Playbooks, and Documentation

Ensure that systems and data critical to your organization are aligned with incident response plans, playbooks, and governance documentation. This alignment positions your organization to respond effectively and comply with the new SEC reporting requirements.

Having updated plans and documentation streamlines the response process, ensuring that nothing is overlooked.

Test Operational Readiness for Cybersecurity Incidents

Conduct tabletop exercises before incidents occur to identify and address any gaps that might hinder compliance with the new regulations. These exercises should cover various aspects of processes and capabilities across the organization.

Testing readiness is a proactive approach to incident management, allowing you to identify and fix any issues before a real incident occurs.

Consider a Red Team Assessment

A Red Team Assessment realistically simulates an attack scenario in your environment. It tests your organization’s ability to prevent, recognize, and respond while identifying gaps in your network and security architecture.

A Red Team Assessment is a practical way to identify vulnerabilities and improve your security posture.

Map Your Stakeholders and Communication Channels

Create a comprehensive communication plan governing content creation and distribution to key stakeholders. This plan ensures consistent messaging and helps avoid compliance issues with the SEC.

Efficient communication is crucial during a cybersecurity incident. A well-defined plan ensures that the right information reaches the right stakeholders at the right time.

Identify Your Ecosystem of Partners

Identify external partners who assist in responding to incidents. These partners typically include legal, insurance, forensics, communications, and extortion/ransomware negotiators. Include these partners in preparation activities like tabletop exercises, and ensure up-to-date contact information and processes are captured in incident response plans.

Your external partners play a critical role in incident response, and they need to be integrated into your preparation.

Differences Between the SEC Proposal and the Final Ruling

1. Materiality Definition

• Proposal: The original proposal suggested adopting a specific materiality definition for cybersecurity incidents.
• Final Rule: The final rule refrains from introducing a cybersecurity-specific materiality definition. Instead, it emphasizes that registrants should apply materiality considerations in a manner similar to any other risk or event they face. This approach aligns cybersecurity incidents with other material events.

2. Limited Delays for Disclosure

• Proposal: The initial proposal contained a more open framework for permitting delays in disclosure.
• Final Rule: The final rule imposes limitations on when delays for disclosure are permitted. Specifically, companies may delay disclosure in two scenarios:
  • In verified matters of national security or public safety, where immediate disclosure would pose a substantial risk. However, this requires written notification from the U.S. Attorney General (AG) to the SEC.
  • For entities subject to the Federal Communications Commission’s (FCC’s) customer proprietary network information (CPNI) rule. This exception was included due to concerns about potential conflicts with existing FCC rules.

3. No Required Remediation Status Disclosures

• Proposal: The initial proposal recommended requiring disclosures regarding the status of incident remediation, whether it’s ongoing, and whether data were compromised.
• Final Rule: The final rule did not adopt this requirement. Instead, it expects registrants to assess the necessity of such disclosures as part of their materiality analyses. Companies will determine whether these details are essential based on the nature and impact of the incident.

4. No Required Disclosure of Immature Cybersecurity Incidents in Aggregate

• Proposal: The proposal suggested mandating disclosure when a series of individually immaterial cybersecurity incidents collectively become material.
• Final Rule: The final rule did not adopt this requirement. It focuses on materiality on a case-by-case basis rather than requiring disclosures of aggregated immaterial incidents. Each incident’s materiality will be assessed independently.

5. No Aggregation Requirement for Related Incidents

• Proposal: The proposal included an aggregation requirement for capturing the material impacts of related cybersecurity incidents.
• Final Rule: The final rule did not adopt this aggregation requirement. However, it extends the definition of “cybersecurity incident” to cover a “series of related unauthorized occurrences,” allowing for a broader scope of materiality assessment.

6. Rejection of Periodic Reporting Only

• Proposal: The original proposal suggested replacing Item 1.05 with periodic reporting of material cybersecurity incidents on Forms 10-Q and 10-K.
• Final Rule: The final rule rejects this idea, as it could lead to varying timeframes for investors to learn about material incidents. Instead, the final rule requires updates to prior incidents reported through Form 8-K filings to be made through a Form 8-K amendment. This ensures that all cybersecurity incident information is disclosed in current rather than periodic reports, maintaining consistency and transparency.

Summing it All Up

As the SEC’s proposed cybersecurity rules become a reality, staying ahead of the curve is your best strategy. By following these practical steps and proactively investing in cybersecurity preparedness, your organization can effectively mitigate risk and ensure compliance with the SEC.