Continuous compliance – SEC cyber disclosure requirements and the impact on the blueprint for cybersecurity

SEC’s cybersecurity risk management, strategy, governance, and incident disclosure

We are all aware that the use of digital technologies and electronic solutions in companies’ core business processes is still growing rapidly. Due to the high demand for remote working and the use of third parties for information technology services and cloud transformations, these practices pose risks, including increasing cybersecurity risks, to public companies, investors, and market participants.

Recently, cybersecurity breaches have become increasingly common as a result of geopolitics, the vulnerabilities of companies, and the third-party service providers involved. The growing frequency of cybersecurity incidents poses a higher risk of impacting the economy, damage to reputation, and decrease in shareholder value. This is why the threat of cybersecurity has become one of the top concerns of senior management and boards of directors of public companies.

Key points: SEC cyber disclosure and potential litigation

It is within this context of concern about the impact of breaches on US listings that the Securities and Exchange Commission (SEC) has finalized rules that will require public companies to be more transparent and consistent in their disclosures about cybersecurity risk management, strategy, and governance practices.

Proposed in May 2022, and finalized in July 2023, they will allow investors to make a more informed assessment of whether and how companies are managing their cybersecurity risks. Providing investors with more timely and consistent disclosure of significant cybersecurity incidents will be beneficial, given the potential impact such incidents may have on a registrant’s financial performance or condition.

And there it was … Last month, the first lawsuit was filed for failure to disclose cybersecurity risks and vulnerabilities. This will forever change the way companies deal with cyber risks. It will define a minimum standard of what good cybersecurity looks like. In any case, cybersecurity has taken a firm seat at the board level.

There are three key elements in the new SEC rules that corporate leaders should be aware of:

1. Periodic reporting in cyber incidents

The amended Form 8-K introduces “Material Cybersecurity Incidents,” compelling registrants to disclose such incidents within four business days of materiality determination. The definition encompasses unauthorized occurrences jeopardizing information systems, both internally and within third-party service providers.

Practical considerations include:

• Registrants must exercise judgment in determining the materiality of incidents.
• Related incidents may be aggregated if collectively meeting materiality criteria.
• Processes for inventorying, updating, and assessing incident materiality are crucial.

Evaluation of existing cybersecurity monitoring infrastructure is imperative

2. Cybersecurity risk management and strategy

The regulations extend disclosure requirements in annual reports, demanding a comprehensive portrayal of companies’ cybersecurity risk management and governance.

Practical considerations include:

• Evaluation and updating of cybersecurity systems and incident response plans
• Review of disclosure controls and procedures to ensure effective reporting
• Recognition of reporting delays due to national security concerns
• Enhanced governance and oversight, potentially through dedicated board committees

3. Cybersecurity governance

The final rule by the SEC acknowledges that insights into cybersecurity risk governance from both management and the board are crucial for investors to gain a comprehensive understanding.

Practical considerations include:

• Disclosures regarding the board’s oversight of cybersecurity threat risks
• Management’s role in evaluating and managing material cybersecurity risks

Why is this so important?

The unveiling of these new rules is anything but ordinary; it’s a significant expansion that will change the landscape of annual disclosures for registrants. In this evolution, investors and stakeholders alike are in for a treat. They’ll be treated to a fresh dose of standardized insight into a registrant’s cybersecurity risk management, strategy, and governance – a level of transparency that will level the playing field.

At the forefront is the disclosure of material cybersecurity incidents. These incidents, previously reported in a more general fashion, are now poised to reveal their intricacies in much greater detail. But the intrigue doesn’t end there; the timeline for reporting these incidents may just put registrants on their toes. Business as usual is no longer an option – systems, processes and controls must be adapted quickly.

Getting ahead of the clock to stay continuously compliant and secure

All registrants, with the exception of smaller reporting companies, are called to action. They must get ready to comply with the requirement to report a material cybersecurity incident, as defined. As a special nod to smaller reporting companies, they’ll get an extra 180 days to fine-tune their compliance with Form 8-K requirements.

But wait, there’s a grand finale in store. A mandate that encompasses all registrants, regardless of size or stature – the annual disclosure requirements come knocking. They make their debut with annual reports for fiscal years ending on or after December 15, 2023.

This isn’t just another chapter, it’s a chapter that aims to rewrite the script on cybersecurity transparency and accountability. It’s a chapter we’re all eager to explore – and one that we can help you prepare for from a content perspective and ensure that you stand up to the requirements ahead of schedule.

Get in touch with one of our experts here to learn more about the ruling and how we can help you operationalize and navigate the transition towards continuous compliance.