Last Updated on March 16, 2023
On March 9, 2022, the US Securities and Exchange Commission (SEC) proposed sweeping new rules (available here) to standardize and improve public companies’ disclosures on cybersecurity incident reporting, governance, risk management and overall strategy. The proposed new rules follow one month after a similar SEC bid to upgrade cyber reporting obligations for investment advisors and funds. If approved, the SEC could assert a stronger influence on publicly traded companies’ cybersecurity programs.
The new rules would put notable security obligations on public companies, especially around incident reporting requirements. The intent of the proposed rules is to make cybersecurity disclosure practices more consistent, and overall give investors more complete and timely information about a company’s security. The public comment period on the proposal extends through May 9, 2022.
The summary of the proposed rule as published in the Federal Register reads:
The Securities and Exchange Commission (“Commission”) is proposing rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. Specifically, we are proposing amendments to require current reporting about material cybersecurity incidents. We are also proposing to require periodic disclosures about a registrant’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, and the board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk. Additionally, the proposed rules would require registrants to provide updates about previously reported cybersecurity incidents in their periodic reports. Further, the proposed rules would require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (“Inline XBRL”). The proposed amendments are intended to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents.
Reporting material incidents within four days
One of the most impactful proposed changes would be to amend Form 8-K to require firms to disclose information about a material cybersecurity incident within four business days after making the determination that a material cybersecurity incident has occurred. The disclosure countdown starts with recognizing the incident was material, not when it was initially noted.
When is a security incident “material”?
If approved, the rules will require companies to thoroughly assess whether a “reasonable investor” would conclude that a cybersecurity incident is “material” based on its specific circumstances. The process should not be a “mechanical exercise” but should evaluate the sum of the relevant facts, observations and qualitative factors, including the probability of a risk manifesting and the impact if it did. When in doubt, disclose. Definitive, readable SEC guidance on assessing materiality is available here.
Proposed periodic reporting requirements
Besides the proposed changes for reporting new cyber incidents, the March 9 proposal includes new requirements to disclose updates to previously reported cyber incidents, as well as disclosure around cyber incidents previously not deemed material individually that become material when viewed collectively.
Some examples of events or findings that might need to be disclosed under the proposed new rule include new information about the scope of the incident and its impacts on data, and/or new information about the impacts of the incident on operations, including disclosing incident remediation steps and/or plans.
Example update drivers shared by the SEC include:
- Any material impact of the incident on the registrant’s operations and financial condition
- Any potential material future impact on the registrant’s operations and financial condition
- Whether the registrant has remediated or is currently remediating the incident
- Any changes in the registrant’s policies and procedures as a result of the cybersecurity incident and how the incident may have informed such changes
An example disclosure about individually nonmaterial cyber incidents that “become material in the aggregate” could include multiple small but continuous attacks by the same or different malicious actors.
Proposed cyber risk management disclosures
The new proposal also requires regulated companies to disclose information about their cyber risk management program and strategy, as well as their governance of cyber risk, including senior management’s oversight of the process. This includes disclosing policies and procedures to identify and mitigate a wide range of cyber threats. Examples include:
- Whether the company has a risk assessment program
- Activities to detect and prevent cyber incidents
- How cyber risk is viewed as part of the company’s business strategy
- Whether the company has a chief information security officer (CISO) or equivalent
Disclosure of board cyber expertise
The SEC has also proposed a requirement to disclose any cybersecurity expertise on the part of a company’s board, including the name of the board member and a full description of his or her cyber expertise, e.g., prior work experience, information security degrees/certifications, experience with security policy analysis, and so on.
The new proposed rules would also require cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (“Inline XBRL”). This would include block text tagging of narrative disclosures, plus detail tagging of quantitative amounts within the narrative disclosures.
During the public comment period, impacted organizations should at minimum evaluate what is needed for compliance with the proposed rules. For example, check if the decision-making process on whether an incident is material is built into incident response plans. Another question to ask is whether your risk assessment practices and your board’s role in cybersecurity are formally described.
Overall, this is another call from regulators to assess whether your policies and procedures are sufficient to manage cyber risk at a time of heightened stakeholder awareness and demands, or if changes should be made.
If you’re concerned about whether your current policies and procedures are adequate for compliance with the proposed new SEC rules, or if you would benefit from expert support to help align your risk assessment program and cyber controls with the new rules and holistic best practice, contact Pivot Point Security.