Info@NationalCyberSecurity

SEC Adopts Rule Regarding Cybersecurity Incident Reporting


The U.S. Securities and Exchange Commission (the
“SEC”) adopted new rules aimed at enhancing cybersecurity
incident reporting by public companies. Specifically, a public
company will be required to disclose:

  • in its annual report on Form 10-K or Form 20-F, its internal
    processes for assessing, identifying and managing material
    cybersecurity threats; and

  • in its current reports on Form 8-K or Form 6-K, any
    “material cybersecurity incident.”

Under the adopted rules, a “cybersecurity incident” is
defined as an “unauthorized occurrence, or series of related
unauthorized occurrences, on or conducted through a
registrant’s information systems that jeopardizes the
confidentiality, integrity, or availability of a registrant’s
information systems or any information residing therein” and a
“cybersecurity threat” is defined as “any potential
unauthorized occurrence on or conducted through a registrant’s
information systems that may result in adverse effects on the
confidentiality, integrity, or availability of a registrant’s
information systems or any information residing therein.”[1]

I. Disclosure Requirements

Annual Reports on Form 10-K and 20-F

New Item 1C (“Cybersecurity”) requires an issuer
completing its annual report on Form 10-K to furnish the
information required by Item 106 of Regulation S-K.

New Item 16K (“Cybersecurity”) requires an issuer
completing its annual report on Form 20-F to furnish certain
information relating to the company’s cybersecurity risk
management. The language of Item 16K mirrors that of Item 106
of Regulation S-K.

Companies will be subject to two new annual disclosure
requirements.

Risk Management and Strategy

Under Item 106(b) or Item 16K(b) a company must describe:

(i) Its processes (if any) for the assessment, identification
and management of material risks from cybersecurity threats. This
disclosure should address:


  • how such processes have been integrated into a company’s
    overall risk management system;

  • whether a company has engaged any consultants, advisors or
    third parties in connection with its cybersecurity risk management
    system; and

  • whether a company has processes to oversee and identify any
    cybersecurity risks that may result from a company’s use of a
    third-party service provider.


(ii) Whether and how any risks from cybersecurity threats have
materially affected (or are reasonably likely to materially affect)
a company’s business strategy, results of operations or
financial condition.

Governance

Under Item 106(c) or Item 16K(c) a company must describe:

(i) How its board of directors oversees risks from cybersecurity
threats, including whether any committee or subcommittee is
responsible for the oversight of risks from cybersecurity threats
and the processes by which the board of directors or such committee
is informed about such risks.


(ii) Management’s role in assessing and handling material
risks from cybersecurity threats. This disclosure should
address:


  • which management positions (if any) are responsible for
    assessing and managing material cybersecurity risks and the
    relevant expertise of such responsible persons;

  • how management is informed about and monitors the prevention,
    detection, mitigation and remediation of cybersecurity incidents;
    and

  • whether management reports information about such risks to a
    company’s board of directors or a committee thereof.


Issuers filing annual reports on Form 10-K or Form 20-F
must provide disclosure under Item 1C and Item 16K, respectively,
beginning with annual reports for fiscal years ending on or after
December 15, 2023.

Current Reports on Form 8-K and 6-K

For domestic filers, the rules add new Item 1.05 (“Material
Cybersecurity Incidents”) to Form 8-K. The new Item requires
the issuer to report any material cybersecurity incident within
four business days after determining that the incident is
“material.” The clock runs from the materiality determination,
not from discovery, but the rule requires that determination to be
made without unreasonable delay after the incident is discovered.
The disclosure must describe:

  • the material aspects of the nature, scope and timing of the
    incident; and

  • the impact or reasonably likely impact on the company,
    including any impact on its financial condition and results of
    operations.

There are two exceptions to the reporting requirement. A company
reporting a cybersecurity incident under Item 1.05 is not required
to disclose: (1) specific or technical information about the
company’s planned response to the incident or about its
cybersecurity systems, networks and technology, or (2) any
vulnerabilities in those systems, in such detail as would impede
the company’s ability to respond to or remediate the incident.
In addition, a public company may delay disclosure of a material
cybersecurity incident for up to 30 days if the U.S. Attorney
General informs the SEC that disclosure would pose a substantial
risk to national security or public safety; that period may be
extended by a further 30 days, and in extraordinary circumstances
by a final period of up to 60 days. The new rule also aligns with
the Federal Communications Commission’s notification requirements
regarding breaches of customer proprietary network information by
allowing a delay in reporting such an incident in order to comply
with FCC requirements.

The SEC did not define what makes a cybersecurity incident
“material.” Instead, the SEC instructs public companies
to apply the same analysis they would use for other securities law
purposes, as described in greater detail below.

Domestic issuers must comply with the cybersecurity incident
reporting requirement on Form 8-K beginning December 18, 2023
(smaller reporting companies have an additional 180 days, until
June 15, 2024).

Foreign private issuers have more flexibility in publicly reporting
material cybersecurity incidents on Form 6-K. They should be guided
by the Form 8-K requirements and, as with all other reporting on
Form 6-K, if a cybersecurity incident is required to be reported
under the company’s home country rules or the rules of any stock
exchange on which its securities are traded, or is otherwise
provided to security holders, the incident must also be furnished
on Form 6-K.

With respect to compliance with the structured data
requirements, all registrants must tag disclosures required under
the final rules in Inline XBRL beginning one year after initial
compliance with the related disclosure requirement.

II. Materiality Determination

A public company is only required to report those cybersecurity
incidents that it deems to be “material.” The adopted
rules do not define when a cybersecurity incident is considered
“material” or provide any bright line tests. However, the
SEC provided the following guidelines and considerations for
companies when analyzing incidents and making materiality
determinations.

  • The SEC expects companies to apply the “reasonable
    investor” standard to any analysis, explaining in the final
    rule that under such standard “information is material if
    ‘there is a substantial likelihood that a reasonable
    shareholder would consider it important’ in making an
    investment decision, or if it would have significantly altered the
    ‘total mix’ of information made
    available.”[2] Companies should consider both the
    immediate and long-term impacts of a given cybersecurity incident
    or breach, including effects on a company’s operations,
    financial condition, reputation, competitiveness and customer
    relationships. Companies should also consider whether the incident
    could potentially, or is likely to, result in litigation or a
    regulatory investigation.

  • As described above, the definition of “cybersecurity
    incident” extends to a “series of related unauthorized
    occurrences,” which may include repeated smaller but continuous
    cyberattacks by one actor, or a series of related attacks by
    multiple actors targeting the same vulnerability in a company’s
    systems. In such scenarios, the actions collectively may have a
    material impact on the company even though no single occurrence
    would.

  • Not all cybersecurity incidents result in quantifiable harm.
    However, the SEC notes that unquantifiable harms to employees,
    customers, individuals, third parties or a company’s reputation
    could result in a determination that the incident was
    material.

  • The SEC has also stressed that the fact that the incident did
    not occur on a company’s internal systems does not mean an
    incident is immaterial for reporting purposes. Therefore, a breach
    occurring on a third-party system that housed the company’s
    data could still be considered material to the company.

Foreign private issuers required or choosing to report any
cybersecurity incident on Form 6-K should consider the same
guidelines in their materiality determinations.

III. Practical Suggestions for Compliance

While reporting under the adopted rules will not impact
companies until the end of the year, we recommend issuers begin
preparing for the reporting requirements by considering the
following:

Establish an Incident Detection and Response Plan

  • A company should establish or update its incident response plan
    to: (1) identify potential cybersecurity incidents; (2) contain,
    remedy and respond to incidents; (3) assess the materiality of such
    incidents (both individually and in the aggregate); and (4)
    disclose material incidents (if relevant or necessary).

  • If a company engages third-party providers, it should ensure
    that there is sufficient communication between management and
    representatives of that third-party provider, as well as an
    established plan of action for detecting and remedying
    cybersecurity breaches on the providers’ system, so as to avoid
    any cybersecurity threats or incidents being left undetected.

  • A company’s incident response plan should be distributed to
    company management and the board of directors.

Record Keeping

  • In view of the short time period between a registrant’s
    determination that an incident is material and the requirement to
    report that incident on a Form 8-K for domestic issuers (and, in
    certain instances, on Form 6-K for foreign private issuers),
    the management personnel responsible for cybersecurity oversight
    should carefully document the relevant dates, including, but not
    limited to, the date the incident was discovered, the dates of
    containment and remediation, and the date of the materiality
    (or immateriality) determination. Because the rule expects that
    determination to be made without unreasonable delay after
    discovery, the gap between those two dates will itself be
    scrutinized. It is important and best practice to establish and
    maintain a cohesive timeline for any material incident, for
    internal record keeping purposes as well as for any public
    reporting. Companies should take the necessary steps to keep any
    such communications confidential.

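The timeline and aggregation discipline described in the two sections above, as an added example that is not part of the article or of Seward & Kissel’s work: a small Python tracker that records the dated events of each incident, computes the Item 1.05 filing deadline as four business days after the materiality-determination date, reports the discovery-to-determination lag, and groups incidents that share an assumed `related_key` so that a “series of related occurrences” is reviewed in the aggregate. The record fields, the `related_key` grouping, the sample incidents and the holiday handling are assumptions of this example; the code skips weekends and only the holidays the caller supplies, so a real tracker must load the federal holiday calendar.

```python
"""Incident timeline and Form 8-K disclosure-clock tracker.

Added example; not from the SEC rule or the article. The IncidentRecord
fields, the related_key grouping and the sample data below are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Item 1.05 of Form 8-K: file within four business days after the
# materiality determination (the clock does not start at discovery).
FILING_WINDOW_BUSINESS_DAYS = 4


def add_business_days(start: date, n: int, holidays: frozenset = frozenset()) -> date:
    """Return the date n business days after `start`.

    Weekends are always skipped. `holidays` is caller-supplied (assumption:
    a production tracker loads the federal holiday calendar, which counts as
    non-business days). The start date itself is never counted.
    """
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


@dataclass
class IncidentRecord:
    incident_id: str
    discovered: date
    summary: str
    related_key: str  # hypothetical: the actor, campaign or weakness shared with other incidents
    contained: Optional[date] = None
    remediated: Optional[date] = None
    materiality_determined: Optional[date] = None
    material: Optional[bool] = None  # outcome of the determination, once made

    def timeline(self) -> List[Tuple[str, date]]:
        """Dated events in chronological order, for the internal record."""
        events = [("discovered", self.discovered)]
        for name in ("contained", "remediated", "materiality_determined"):
            value = getattr(self, name)
            if value is not None:
                events.append((name, value))
        return sorted(events, key=lambda e: e[1])

    def determination_lag_days(self) -> Optional[int]:
        """Calendar days from discovery to the materiality determination.

        The rule requires the determination 'without unreasonable delay', so
        this is the number a reviewer will ask about first.
        """
        if self.materiality_determined is None:
            return None
        return (self.materiality_determined - self.discovered).days

    def form_8k_deadline(self, holidays: frozenset = frozenset()) -> Optional[date]:
        """Last day to file Item 1.05, or None if the incident is not (yet) material."""
        if not self.material or self.materiality_determined is None:
            return None
        return add_business_days(self.materiality_determined, FILING_WINDOW_BUSINESS_DAYS, holidays)


def related_series(records: List[IncidentRecord]) -> Dict[str, List[str]]:
    """Group incidents that share a related_key so they are assessed in the aggregate.

    Only the grouping is computed here; whether a series is material is a
    judgement for the disclosure committee, not something this code decides.
    """
    groups: Dict[str, List[str]] = {}
    for r in records:
        groups.setdefault(r.related_key, []).append(r.incident_id)
    return {k: v for k, v in groups.items() if len(v) > 1}


# Constructed sample data for the example; these are not real incidents.
SAMPLE_RECORDS = [
    IncidentRecord("INC-001", date(2024, 2, 26), "credential stuffing against customer portal",
                   related_key="actor-A", contained=date(2024, 2, 27),
                   materiality_determined=date(2024, 3, 1), material=True),
    IncidentRecord("INC-002", date(2024, 2, 28), "phishing e-mail to finance team, no compromise",
                   related_key="phishing-wave-Q1",
                   materiality_determined=date(2024, 2, 29), material=False),
    IncidentRecord("INC-003", date(2024, 3, 4), "second credential-stuffing burst, same source ranges",
                   related_key="actor-A"),
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r.incident_id, r.timeline(), "lag:", r.determination_lag_days(),
              "8-K deadline:", r.form_8k_deadline())
    print("assess in aggregate:", related_series(SAMPLE_RECORDS))
```

Run as a script, INC-001 (determined material on Friday 2024-03-01) gets a deadline of Thursday 2024-03-07, INC-002 (determined immaterial) and INC-003 (no determination yet) get none, and the two `actor-A` incidents are flagged for aggregate review so that a later determination covers the series rather than the latest burst alone.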
Establish a Board of Directors Risk Management Program

  • A company should establish or update the board of
    director’s risk management program/plan to ensure it
    encompasses cybersecurity issues, including cybersecurity incident
    detection and reporting, as relevant to the newly adopted SEC
    rules. A company should also consider assigning risk management of
    cybersecurity issues to a relevant committee of the board of
    directors, such as a corporate governance committee (if already
    established).

Draft Required Disclosures for Inclusion in Next Annual Report

  • Once a company is near the end of its fiscal year, it should
    prepare the relevant disclosure to include in its annual report.
    Seward & Kissel LLP is available to assist in drafting and
    reviewing such disclosure.

Footnotes

1. These terms are defined in new Item 106(a) of
Regulation S-K, as adopted by the SEC.

2. Quoting TSC Industries, Inc. v. Northway, Inc.,
426 U.S. 438, 449 (1976).

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
