What To Know About The SEC’s New Rules on Cybersecurity Risk Management

I. Introduction

On July 26, 2023, the Securities and Exchange Commission (SEC) announced that it had adopted new rules related to cybersecurity incident disclosures that require the registrants to improve and standardize the communication of information related to cybersecurity risk management, strategy, governance, and incidents among public companies obligated to comply with the reporting mandates outlined in the Securities Exchange Act of 1934 (“Final Rules”).

Per these rules, all registrants must appropriately disclose all relevant material information related to the cybersecurity incident within four working days of its determination on Form 8-K, and describe details of risk management, strategy, and governance in place in their annual reports on Form 10-K. All foreign private issuers would also be subject to similar requirements.

While most organizations do provide similar disclosures, these new rules aim to streamline this practice and provide a consistent and comparable way to benefit the investors, companies, and the markets.

II. Important Definitions

A. Cybersecurity Incident

Cybersecurity Incident means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein.

B. Cybersecurity Threat

Cybersecurity threat means any potential unauthorized occurrence on or conducted through a registrant's information systems that may result in adverse effects on the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein.

C. Information Systems

Information Systems means electronic information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant's information to maintain or support the registrant's operations.

III. Disclosure Requirements

The Final Rule introduces certain obligations for registrants concerning cybersecurity incidents by adding new requirements under item 1.05 of Form 8-K and item 106 of Regulation S-K.

Reporting Material Cybersecurity Incidents

The SEC’s final rule amended Form 8-K to add item 1.05, “Material Cybersecurity Incidents,”  which requires the registrant to file Form 8-K within four (4) business days from the date on which the registrant determines the incident is considered material to the registrants.

Under Form 8-K, Item 1.05, a registrant must disclose the following information about the cybersecurity incident if known at the time of the filing:

• The material aspects of the nature, scope, and timing of the incident.
• The material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.
• The instructions to Item 1.05 further explain that a registrant is not required to include specific or technical information in its disclosures that could affect its incident response or remediation or reveal potential system vulnerabilities.

The registrant must also provide disclosures if any of the above required information is not determined or unavailable at the time of the filing. A registrant would need to seek to obtain such information without unreasonable delay and file an amended Form 8-K containing the information within four business days of when the information is determined or becomes available.

An amended Form 8-K may similarly be required if the registrant subsequently determines that information previously provided is inaccurate or materially misleading.

A registrant may delay the filing the Form 8-K if the US Attorney General ‘determines immediate disclosure would pose a substantial risk to national security or public safety. A registrant must notify the SEC of such determination in writing and can delay the disclosure as follows:

• Up to 30 days after the date on which the registrant was otherwise required to provide the disclosure.
• The Attorney General can authorize an additional delay of up to 30 days if the risk persists. In extraordinary circumstances, a further extension of up to 60 days can be granted.
• Final extension for an additional period of 60 days under extraordinary circumstances.
• Beyond the final 60-day extension, if the Attorney General deems further delay necessary, the SEC may grant additional delays through an exemption order.

Annual Disclosure

The final rule adds Item 106, “Cybersecurity,” to Regulation S-K. Disclosure required by Item 106 is to be provided in Part I of Form 10-K in Item 1C, “Cybersecurity.”

A. Risk Management and Strategy

Item 106(b)(1) requires a registrant to include a comprehensive disclosure of its processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, including:

• Whether and how any such processes have been integrated into the registrant's overall risk management system or processes;
• Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
• Whether the registrant has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.

Moreover, the registrants must also describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how.

B. Governance

Item 106(c)(1) requires a registrant to provide specific disclosures about the oversight of cybersecurity risk by its board of directors, including:

• A description of the board’s oversight of risks from cybersecurity threats.
• Identification of any board committee or subcommittee responsible for oversight of risk from cybersecurity threats (if applicable).
• A description of the processes by which the board or such committee is informed of risk from cybersecurity threats.

C. Disclosure of Management’s Responsibilities

Item 106(c)(2) requires a registrant to disclose how management assesses and responds to material risks from cybersecurity threats, including, but not limited to:

• Whether and which management positions or committees are responsible for assessing and managing such risks and their relevant expertise.
• The processes by which such persons or committees (monitor cybersecurity incidents).
• Whether and how management reports cybersecurity information “to the board of directors or a committee or subcommittee of the board of directors.

The registrant must provide the information required by Item 106 in an Interactive Data File in accordance with Rule 405 of Regulation S-T and the EDGAR Filer Manual.

IV. Compliance Dates

The final rule became effective on 5 September 2023. Regarding the disclosures outlined in Item 106 of Regulation S-K and Item 16K of Form 20-F, all registrants are required to disclose such information in annual reports for fiscal years ending on or after 15 December 2023.

Concerning compliance with incident disclosure requirements in Item 1.05 of Form 8-K and Form 6-K, all registrants, except smaller reporting companies, must commence compliance on 18 December 2023. Smaller reporting companies are granted an additional 180 days beyond the compliance date for non-smaller reporting companies, initiating compliance with Item 1.05 of Form 8-K on 15 June 2024.

V. How Does It Affect Organizations

The disclosure requirements themselves are relatively straightforward. In essence, public organizations are expected to be transparent about their cybersecurity practices and any incidents that may impact their cybersecurity, giving investors, markets, and any other stakeholders greater context related to the organization’s security posture.

However, for organizations themselves, it represents a highly sensitive issue. Primary, this has to do with most organizations adopting a highly secretive approach to their cybersecurity practices. The extent of transparency required by these new rules will leave most organizations’ cyber risk management, strategy, and governance practices open to public view.

Complying with these new rules will also require organizations to devote significant resources to proper documentation and reporting that had previously taken a more discreet approach to such reporting. This will have to be followed by investments in the implementation of systems and processes that deliver more efficient means of detecting, analyzing, and reporting such incidents. Skilled cybersecurity personnel and professionals will have to be hired to oversee such changes in addition to their training. All of this will lead to increased costs and, more importantly, operational complexities for organizations.

The latter represents an existential problem for small businesses. The new disclosure requirements do provide them an extended leniency in the time required to comply with these requirements. Still, sooner or later, they will have to undertake the aforementioned measures just the same.

Additionally, these new rules will bring greater scrutiny from investors, regulators, as well as the general public. Similarly, per the new disclosure requirements, organizations are expected to be as thorough as possible, explicitly highlighting defects in their cybersecurity posture that allowed for a breach in the first place. This can have dire consequences for investor confidence, market valuations, and the organization’s public reputation, further highlighting the importance of a robust digital risk management infrastructure.

VI. How Securiti Can Help

Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. It provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. It also gives organizations access to several vital modules and functionalities to ensure compliance with any major data-related obligations they may be subject to.

In this particular instance, the Data Breach Analysis functionality will prove highly beneficial. Organizations can leverage this solution to automate a thorough data breach analysis before or after an incident to gain clear insights into the data breach radius, its financial impact on the organization, and global regulatory obligations the organization is subject to.

These insights can then be used when preparing the organization’s annual report to provide all relevant stakeholders with the appropriate information related to a potential cybersecurity incident as well as all the countermeasures undertaken in its immediate aftermath.

Request a demo today and learn more about how Securiti can help you comply with SEC’s new rules, in addition to several other major data regulations from across the world.