New SEC Cyber Disclosure Rules Prioritize Policy and Procedure Transparency

 

Key Changes and Tips to be SEC Ready

August 1, 2023

Image
new-SEC-rules-website-list-image.jpg

SEC Cyber Disclosure Rules LinkedIn Live Flash Panel

 

Unpack the Securities and Exchange Commission's cybersecurity disclosure ruleset and learn how your organization can ensure compliance.

 

For the past 15 months, I’ve been helping public organizations prepare to comply with the U.S. Securities and Exchange Commission’s (SEC) proposed cybersecurity disclosures and incident management procedures for commission registrants. Those proposed rules are now finalized and about to become a reporting reality later this year (90 days after their publication in the Federal Register or by December 18 – whichever comes first). Regardless of where you are in your own readiness, here is an overview of the key changes in the finalized ruleset and guidance on what to do next.

 

 

Key Changes

As I shared last year, organizations will be required to publicly disclose incidents within four business days of the date that the incident materiality is determined to be of significant interest to investors. The finalized SEC regulations include the following changes:

 

  • Timeline: Once the adopted rules are published in the Federal Register, publicly traded companies have 90 days to comply with the revised cybersecurity incident reporting requirements (Form 8-K and Form 6-K). For the adopted disclosure requirements, companies with a fiscal year ending on or following December 15, 2023, will need to follow the updated ruleset for their next annual report (Form 10-K). Smaller organizations may have extensions of 180 days to comply with the new rules and regulations, allowing for adequate lead time to prepare their disclosure processes with more limited resources.
  • Delays: Organizations can extend the four-day timeline if the U.S. Attorney General confirms that the rapid public disclosure of an incident may “pose a substantial risk to national security or public safety.”
  • Scope Narrowing: When completing item 1.05 of Form 8-K, organizations should focus on disclosing the nature, timing and potential impact of an incident.
  • Board Expertise: The final rule removes a proposed regulation that companies must disclose the cybersecurity expertise of their board of directors in annual reports. Without this requirement, which would have provided more incentive to include a CISO on the board, the C-suite (particularly the CISO) is responsible for informing the board of cyber incidents.
  • Process Simplification: Registrants are no longer expected to go beyond their standard third-party communications and disclosure reporting processes. Annual reporting should therefore focus more on explaining these overall processes rather than listing specific procedures.

 

 

Next Step Guidance

Looking deeper into the finalized regulations in comparison with the 2022 proposal, I recommend the following guidance to organizational leaders:

 

Develop a repeatable process and plan for identifying, determining and ratifying the meaning of materiality. The four-day disclosure timeline begins once an organization determines the materiality of an incident. However, the concept of materiality has significantly changed between the submission of the SEC’s 2022 proposal and the 2023 final rule. Materiality was initially assumed to be the quantitative business impacts determined from a reasonable investor standpoint. Companies are now obligated to describe the timing of incidents and the likely impact of incidents on victims, as well specifically consider qualitative factors such as reputational harm. Organizations therefore have limited time to align on a clear and succinct understanding of materiality. When devising and implementing an incident management plan, business leaders (including the CFO) should establish a 30-60-90 day plan for determining materiality in a timely, repeatable manner. It is important to consider not only the quantitative metrics that contribute to an organization’s materiality threshold, but also qualitative ones impacting its brand and reputation.

 

Ensure the board of directors is capable of cybersecurity risk management. Regulation S-K Item 106(c) of the final rule requires an organization to disclose information on the board’s cybersecurity risk oversight and the role of management in material risk assessment and management. Although opinions may differ on the SEC’s final rule to streamline the CISO, board and governance roles of risk management, the key takeaway is that cybersecurity risk is business risk. Boards are responsible for risk management, and cyber risk should be considered part of the overall systemic risk for any publicly traded company. Organizations need to provide effective, continuous cybersecurity training and risk reporting to their board so that they stay informed of the latest threats and are equipped to make cyber risk management decisions.

 

Account for third-party and supply-chain vendor management in company policies and risk reporting. Vulnerabilities from supply-chain software and other third parties, such as service providers, are continually reported as significant threat vectors. It is therefore understandable that the SEC seeks to better understand the material risks that come with a reliance on third parties for products and services. If a threat actor exploits a vulnerability in a third-party software or platform to steal an organization’s data, for example, then it is the responsibility of both the third and end parties to disclose the incident. It is recommended that organizations understand how third-party suppliers define materiality, as there will be discrepancies.

 

Given the rapid pace at which cyber incidents escalate, the SEC is making a long-awaited first attempt to produce comprehensive cybersecurity disclosure regulations. The final rule answers the public call to action to provide greater transparency for shareholders and the overall market.

Adam Wisnieski
Director, Strategy & Transformation | Optiv
Adam is responsible for development and delivery of cybersecurity programs and integrated risk management services to Optiv clients. His years of global risk management, technology and process consulting experience helps develop realistic, well-grounded cybersecurity programs that span operational, cybersecurity, regulatory, financial and strategic risk elements.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.

Would you like to speak to an advisor?

How can we help you today?

Image
field-guide-cloud-list-image@2x.jpg
Cybersecurity Field Guide #13: A Practical Approach to Securing Your Cloud Transformation
Image
OptivCon
Register for an Upcoming OptivCon

Ready to speak to an Optiv expert to discuss your security needs?