Publicly traded companies will soon be subject to new disclosure requirements around how they manage their cybersecurity risk and strategy, and they’ll have a short window of time to disclose any material cybersecurity incidents that strike. Companies need to figure out now how they will comply with the new Securities and Exchange Commission disclosure requirements, which will appear in their next annual reports, and come up with a process for responding quickly when a cyber incident occurs—after all, that’s when companies go into crisis mode and there won’t be time then to debate what to do. Here’s what to know about the new SEC rules and how to come up with a process that you can follow under a time crunch.
What Are the New SEC Cybersecurity Disclosure Rules?
A general overview: The final rules adopted by the SEC on July 26, 2023, require public companies to disclose any material cybersecurity incident within four business days of determining that the incident is material. They also need to disclose their cybersecurity risk management, strategy, and governance in their 10-Ks (Form 20-F for foreign private issuers), starting with the annual report for the fiscal year ending on or after December 15, 2023. The rules apply to all types of periodic filers, including domestic registrants, foreign private issuers, smaller reporting companies and emerging growth companies.
A Closer Look at the New SEC Cybersecurity Disclosure Requirements
Let’s look more closely at the “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” rules:
8-K filings when a material cybersecurity incident occurs. The filing (new Item 1.05 of Form 8-K) must be made within four business days of determining that an incident is material. The clock starts at the materiality determination, not at discovery, but registrants must make that determination "without unreasonable delay" after discovering the incident, so discovery cannot be used to stall the clock.
The materiality evaluation should include all relevant facts and circumstances, which may involve consideration of both quantitative and qualitative factors. Included in the filing will be the material aspects of the incident’s nature, scope, and timing, and the impact or “reasonably likely” impact.
Compliance with the new 8-K disclosures depends on company size: Registrants other than smaller reporting companies need to follow this rule starting December 18, 2023, while smaller reporting companies get an additional 180 days (until June 15, 2024) to comply.
10-K disclosures. For their next annual reports, registrants will need to describe their processes for assessing, identifying and managing material risks from cybersecurity threats. They also should describe whether risks from cybersecurity threats have materially affected the company.
Another significant change is the need to describe the board of directors’ oversight of risks from cybersecurity threats along with which management positions are responsible for assessing and managing material risks from cybersecurity threats.
Preparing for the 8-K Cybersecurity Disclosures
You need to put a process in place now so you will be prepared to meet the SEC reporting requirements when a material cybersecurity incident happens. This process should address who will be alerted when something happens and who is involved in determining materiality. When are key stakeholders brought into the loop (i.e., how and when are the finance organization and legal informed)? How will materiality be determined, and by whom?
The determination should not be based solely on the damage that has occurred so far but also on the damage that could reasonably follow. You may already know, for example, that you will need to offer credit monitoring to affected users and absorb the immediate response costs of the breach, but what are the long-term effects the incident could have on your customers? Will they lose trust and switch providers, costing your business a significant loss of revenue?
Start gathering pertinent information now, to think through these issues, and have a process for reporting an incident if it rises to that level. What steps need to happen before your company submits the 8-K, and how can this process be as efficient as possible to ensure it happens within the four-day window?
To begin, think through the following questions:
- Does your cybersecurity incident response process capture quantitative and qualitative factors to make materiality conclusions?
- Has your organization defined what it considers crown jewels?
- Is senior management—across the organization, not just IT—able to make timely decisions on materiality of cyber incidents? Is training necessary?
- Can your cybersecurity incident response process aggregate materiality of several related incidents?
- Is there a process to ensure the financial reporting team can file the 8-K disclosure within four business days of the materiality determination?
- Can your cybersecurity incident response process capture incidents reported by your third-party service providers?
- How can you obtain information from your service providers quickly enough to draw timely conclusions on the materiality of their cyber incidents to your company?
Preparing for the New 10-K Disclosures
There's a lot of new information to share here. While you will want to be transparent to satisfy the new rules, you also do not want to build a roadmap that attackers could follow: describe your processes and governance at the level of approach and accountability, not the specific tools, configurations, or known control gaps that would help an adversary. Input from across the organization is critical to get this process going, and time is limited.
Risk management and strategy disclosures. You are required to describe your process for assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including those that arose from previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect your company. You should start drafting the disclosure and address any potential gaps in the process now. The process disclosed needs to reflect reality so that you will be able to demonstrate you followed it in case of an incident.
Cybersecurity governance. Disclosures should state whether management of cybersecurity risk is integrated within the company's overall risk management program. What is your process for keeping the board or the responsible board committee informed about cybersecurity risks, and what is the company's strategy to mitigate those risks? Which management positions or committees are responsible, and what relevant expertise do they have? Do you have appropriate expertise (either in-house or through third parties) to effectively monitor and manage cybersecurity risk? Do your board and executive leadership feel prepared to make decisions related to cybersecurity risks?
SEC Cybersecurity Disclosures: Time to Comply Begins Now
Asking the questions above and thinking through the issues raised in the SEC's rules can shorten your company's reaction time when a material cybersecurity incident occurs while also ensuring that it is prepared to meet SEC compliance requirements. Outside experts who understand the nuances of these requirements and best practices for following them can provide a fresh perspective as your company looks to improve existing processes or develop new ones.
As a RoseRyan consultant, Pankaj Jalan is an IT and SOX controls specialist. Previously he was Security and Controls Director at PepsiCo, and he worked at Deloitte for over a decade.