Wall Street’s top regulator, the US Securities and Exchange Commission (SEC), voted on a new set of rules to require registrants, including publicly traded companies and foreign private investors, to disclose cybersecurity incidents they experience within four business days after they determine that a cybersecurity incident is material. Registrants are also required to report ransomware payments within 24 hours and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.
“Many public companies provide cybersecurity disclosure to investors,” said SEC Chair Gary Gensler, acknowledging that public companies report material cyber incidents under the current rules. However, Gensler noted that SEC staff have observed that this level of reporting has not resulted in sufficiently consistent, comparable, and useful disclosure. “I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way,” he said.
SEC Commissioner Jaime Lizarraga said that the reporting rule regarding risk management, strategy, and governance will “strengthen the quality, consistency, and timeliness of cybersecurity-related disclosures to investors,” noting that the SEC currently has “zero disclosure requirements that explicitly refer to cybersecurity risks, governance or incident reporting.” He added that by “clarifying what companies must disclose, the rule will provide investors with more certainty and easier comparability. This will reduce the risk of adverse selection and the potential mispricing of a company.”
Initial reaction by the investor community, as well as many cybersecurity vendors, appears positive. Lesley Ritter, senior vice president for Moody’s Investors Service, said, “The cybersecurity disclosure rules adopted by the US Securities and Exchange Commission earlier today will provide more transparency into an otherwise opaque but growing risk, as well as more consistency and predictability,” She added that “Overall, the rules are credit positive for public companies that are subject to SEC reporting requirements, as disclosures are useful to compare how companies, particularly those with elevated cyber risk, are addressing these challenges.”
The following sections summarize some of the highlights in the SEC’s 186-page new rules slated for publication in the Federal Register over the coming days:
Incident disclosure
The Commission’s new rules, which it describes as more narrow than those first floated in March, will require registrants to disclose within four days on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.
The SEC says the four-day window for reporting cyber incidents has been “streamlined” from the March proposal to focus on the materiality of the incident. In its final rules, the SEC says, “Some companies already disclose material cybersecurity incidents while they are ongoing and before they are fully remediated, but the timing, form, and substance of those disclosures are inconsistent. To that end, and to balance investors’ needs with the concerns raised by commenters, we are streamlining Item 1.05 to focus the disclosure primarily on the impacts of a material cybersecurity incident rather than on requiring details regarding the incident itself.”
In determining whether an incident is material, the SEC points to the incident’s impact on the registrant’s financial condition and results of operations. However, the Commission is not limiting materiality to financial impact alone. “The rule’s inclusion of ‘financial condition and results of operations’ is not exclusive; companies should consider qualitative factors alongside quantitative factors in assessing the material impact of an incident,” such as reputational damage or the prospect of regulatory backlash.
In an additional departure from the rules proposed in March, the SEC has scrapped its requirement that registrants report incident detailed impact and remediation status, which many commenters said might expose too much information to threat actors. “While some incidents may still necessitate, for example, discussion of data theft, asset loss, intellectual property loss, reputational damage, or business value loss, registrants will make those determinations as part of their materiality analyses,” the final rule states.
Moreover, the SEC has added an instruction to Item 1.05 to provide that a “registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks, and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.”
The SEC says registrants must include those third-party or supplier incidents in their reports. “We are not exempting registrants from providing disclosures regarding cybersecurity incidents on third-party systems they use, nor are we providing a safe harbor for information disclosed about third-party systems.”
The SEC says registrants may delay disclosure by 30 days if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing. This delay may be extended for up to an additional 30 days if the Attorney General determines disclosure continues to pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing.
In “extraordinary circumstances,” disclosure may be delayed for a final additional period of up to 60 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security and notifies the Commission of such determination in writing. Beyond the final 60-day delay, if the Attorney General indicates that further delay is necessary, the Commission will consider additional requests for delay and may grant them.
Finally, the rules require disclosure of whether a registrant engages assessors, consultants, auditors, or other third parties in connection with their cybersecurity. The SEC says it believes it is essential for investors to know a registrant’s level of in-house versus outsourced cybersecurity capacity.
Processes for assessing, identifying, and managing material risks from cybersecurity threats
In terms of risk management, strategy, and governance, the rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.
The rules spell out a list of non-exclusive elements that registrants should include in these descriptions, including:
- Whether and how the described cybersecurity processes in Item 106(b) have been integrated into the registrant’s overall risk management system or processes
- Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes
- Whether the registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider
The SEC encourages registrants to disclose whatever additional information is necessary for a reasonable investor to understand their cybersecurity processes.
Management’s role in assessing material risks
Item 106 of the SEC rules also requires registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. The SEC requires these disclosures in a registrant’s annual report on Form 10-K.
The SEC directs registrants to consider the following in reporting on management’s assessments of risks:
- Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise
- The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents
- Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors
Relationship to other incident reporting requirements
Several other federal government agencies and all US states have established or are formulating their own cybersecurity incident reporting requirements. In its final rules, the SEC says it considered potential conflicts with these other reporting requirements, including upcoming incident reporting requirements from the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Communications Commission (FCC).
The Commission said that if a conflict arises in the future with CISA regulations or regulations of another federal agency, the Commission can address such conflict via rulemaking or other action at that time. It also noted that it participates in interagency working groups on cybersecurity regulatory implementation. It will continue to monitor and determine if modification of its rules is necessary should any future developments warrant that action.
Regarding CISA’s upcoming rules, the SEC stresses that reports submitted to CISA will remain confidential and won’t help the SEC’s mandate to protect publicly traded companies’ shareholders.
The SEC acknowledges that its rules are in conflict with those the FCC currently has in place for telco data breaches affecting customer proprietary network information (CPNI), which requires the carriers to notify the US Secret Service (USSS) and the FBI no later than seven business days after the reasonable determination of a CPNI breach and refrain from notifying customers or disclosing the breach publicly
until seven business days have passed following the notification to the USSS and FBI.
To accommodate registrants who might be subject to the FCC’s rules, the SEC allows such registrants to delay, with written notification to the Commission, making a Form disclosure up to the seven-business-day period following notification to the USSS and FBI.
Definitions for SEC’s incident reporting rules
The SEC’s new rules offer the following definitions to frame registrants’ reporting requirements:
- Cybersecurity incident means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.
- Cybersecurity threat means any potential unauthorized occurrence on or conducted through a registrant’s information systems that may result in adverse effects on the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein Information systems means electronic information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant’s information to maintain or support the registrant’s operations.
Effective date of the new SEC reporting rules
The SEC’s final rules will become effective 30 days following publication in the Federal Register. The Form 10-K and Form 20-F disclosures for foreign private issuers will be due beginning with annual reports for fiscal years ending on or after December 15, 2023.
The Form 8-K and Form 6-K for foreign private issuers disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure.