SEC’s New Cybersecurity Rules: What Investors and Companies Need to Know

On July 26, 2023, the US Securities and Exchange Commission (SEC) finalized a regulation that imposes increased transparency related to cybersecurity risk management, governance, and cyber incident disclosure. The SEC’s final rule is aimed at helping investors make informed investment decisions by providing them with information about public companies’ cybersecurity risk management. As cybersecurity becomes a cornerstone of corporate governance, investors can use a company’s security maturity as a market differentiator.

The new final rule represents a significant evolution in the SEC’s approach to cybersecurity disclosure, and a major step forward in promoting transparency and accountability in cybersecurity risk management. It provides more detailed requirements for disclosing cybersecurity risks and emphasizes disclosure of the board’s role in overseeing cybersecurity risk management. With a key focus of ensuring that companies disclose material cybersecurity information in a more consistent, comparable and decision-useful way, SEC’s new rule will likely benefit investors, companies, and the markets connecting them. It may also influence other regulators and standard-setting bodies in the US and internationally.

The rule applies to all registered companies, not just those with assets in the US. Thus, if a company files with the US SEC, any incidents affecting its global assets are also under the jurisdiction of the regulation. This means visibility needs to include threat intelligence that is localised to other geographies. Companies that are publicly traded on a US stock exchange must comply with the rule’s cyber risk management and incident disclosures starting in mid-December 2023 (or Spring 2024 for qualifying small companies).

The final rule adopts new disclosure requirements in three main areas, that are discussed below.

1. Cybersecurity Incident Disclosure

Under the new rules, publicly traded companies must disclose any material cybersecurity incident on the newly introduced Item 1.05 of Form 8-K, within four business days. This disclosure needs to describe the incident’s nature, scope, timing, and material or reasonably likely material impact on the company. It must be filed within four business days after determining the incident’s materiality. However, this disclosure can be delayed if the U.S. Attorney General determines that immediate disclosure would risk national security or public safety. The disclosure must be filed, whether the incident is contained, or not.

Implication: This four-business-day requirement is expected to be a game-changer for many public companies, requiring them to have a robust breach response process, including regular tabletop exercises that simulate how they would gather data about an incident and ultimately determine its materiality. It also underscores the need for a well-crafted communications plan to be able to diligently manage press inquiries and social media chatter that could alarm investors, shareholders, and consumers.

2. Cybersecurity Risk Management

The new rules add Regulation S-K Item 106, requiring companies to outline their processes for assessing, identifying, and managing material risks from cybersecurity threats. Companies must disclose any material effects or reasonably likely material effects of risks from cybersecurity threats and previous incidents. This requirement describes the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in handling such risks. These disclosures will be required in a company’s annual report on Form 10-K

Companies must discuss elements including:

• Existence of a cybersecurity risk assessment program;
• Engagements with third parties in connection with such a program;
• If a company has processes to oversee and mitigate material third-party service provider cybersecurity risk; and
• The potential for cybersecurity risks to impact company operations or its financial condition.

Implication: Many companies are not ready today to reveal their cyber capabilities to the extent that the new rule requires. The new rule puts the onus on companies to give investors current, consistent and “decision-useful” information about how they manage their cyber risks. Organizations will be required to invest in enhancing cyber risk monitoring capabilities and integrate cyber risk management programs with their business strategy and financial planning.

3. Board Oversight

Finally, public companies will now annually need to describe the board’s oversight of risks from cybersecurity threats and describe the processes by which the board or a board committee is informed about such risks. This represents a shift from previous guidance that focused primarily on the company’s management. As such, the board should have processes to be informed about cybersecurity risks and incidents. This includes receiving regular updates from management or the  cybersecurity team on the company’s cybersecurity risks and incidents. Additionally, the disclosure must describe management’s role in assessing and managing the company’s material risks from cybersecurity threats.

Implication: As the rule requires the boards to actively oversee cyber risk management programs, this may entail additional training for board members to understand the company’s cybersecurity risks and the measures to manage them. For many public companies, this may mean directors will have to start with board education to bring everyone up to the same cyber literacy level. Additionally, directors may want to consider taking external cybersecurity readiness courses and earning credentials, to beef up their qualifications.

How SISA Can Guide Companies Through the Compliance Journey

Given these comprehensive and technical requirements, meeting the new regulations might seem overwhelming. With its deep cybersecurity and regulatory compliance understanding, SISA can guide your company through this process, by aiding boards and management teams in crafting and executing an effective cybersecurity strategy, developing robust incident response plans, and providing training to prepare your company for potential cyber incidents. We can assist in accurately determining an incident’s materiality, gather the necessary information, and prepare Form 8-K to meet the SEC’s reporting requirements.

In conclusion, the new SEC rules mark a significant shift in corporate governance and cybersecurity, demanding more from companies but offering the opportunity to enhance their cybersecurity posture. With SISA as your partner, you can navigate these changes with confidence. We are committed to helping you strengthen your cybersecurity defenses and maintain compliance, enabling your company to stay ahead in this ever-evolving landscape, adhering to transparency standards, and fortifying stakeholder trust.