All public companies are required by federal law to report and disclose security breaches and incidents to the Securities and Exchange Commission (SEC) as a matter of transparency. But the SEC cybersecurity disclosure requirements are changing and strengthening, something corporate and technology leaders need to be aware of so they can implement processes to more quickly and accurately disclose incidents, risk management policies, and oversight at the board of director level.
Any responsible company already has processes and best practices in place for cybersecurity disclosures to the SEC and any other relevant regulatory bodies. Moving forward, public corporations will need to enhance and standardize these disclosures, provide details on the strategies used to thwart breaches, and do so in a timely manner.
Here’s everything you need to know about the SEC’s new disclosure requirements, how to prepare for enforcement, and technology tools that will aid in your compliance efforts.
- Who does the newly proposed SEC cybersecurity rule impact?
- What do I need to know about the SEC cybersecurity rule?
- How can companies prepare for new SEC cybersecurity enforcement?
Who does the newly proposed SEC cybersecurity rule impact?
The new SEC cybersecurity rule is designed to provide the public with additional transparency on company breaches when they occur, and provide timely notification of cybersecurity incidents. Because compliance and cybersecurity are so closely intertwined, the SEC's rule change will affect several different parties, including:
- Investors who will be better informed about risks, security measures, and responses
- Executives who will need to strengthen their security, detection, and reporting processes
- Boards of directors who will need to enhance their oversight of cybersecurity
- Infosec teams who will need to strengthen their breach detection and reporting capabilities
What do I need to know about the SEC cybersecurity rule?
The SEC’s new rule requires public companies to report material cybersecurity incidents within four business days after determining that a material incident has occurred. Companies must also provide periodic updates on previously reported cybersecurity incidents and share their cybersecurity risk management policies and procedures. Companies will now be required to disclose the following items on their Form 10-K, related to their risk management policies:
- Outline and description of their cybersecurity risk program
- How they engage with third-party assessors or consultants
- Measures for cyber incident prevention, detection, and mitigation
- Business continuity and recovery procedures in the event of a breach
- How cybersecurity risk might impact the company’s financials
- Business strategy and planning related to cybersecurity risk
Companies need to also disclose all cybersecurity governance practices as well as cybersecurity expertise that exists on the board of directors.
With 68 percent of business leaders saying their cybersecurity risks are increasing, the SEC has good reason to install new regulations that serve to inform investors and the public of attacks on public companies and corporations. While corporate disclosure practices have improved in recent years, the new regulation is designed to address lingering inconsistencies with how investors are informed about breaches and add consistency to overall risk management.
This comes on the heels of high-profile ransomware attacks on large public corporations that were forced to pay large sums of money to hackers and suffered massive reputational damage that impacted investors. Once the proposed regulation is approved, the changes will appear on SEC.gov and in the Federal Register for comments and feedback. The primary administrative impact will be on Forms 6-K and 8-K.
Incident reporting: What information needs to be disclosed?
One of the main reasons for the proposed change is that the SEC noted some incidents were reported in the media but not disclosed by the affected companies in their periodic filings. Additionally, the SEC found that when disclosures were made, the nature and thoroughness of those reports were either inconsistent or incomplete.
To create a uniform expectation regarding the timing and substance of disclosures, the SEC is proposing the following requirements as it relates to breach reporting:
- Disclose when the breach took place and whether or not it’s ongoing
- Provide a brief description of the nature and scope of the incident
- Provide information on any data that was stolen, altered, accessed, or used without authorization
- Disclose the overall effect and impact of the incident on the company’s operations
- Report whether or not the company has remediated, or is remediating, said incident
Incident reporting: What types of events need to be reported?
The new rule would not be triggered by a cybersecurity incident itself, but rather by the material determination by the company that a breach has taken place. Below are a few key examples of the main types of events that the new rule would cover:
- Any incident that compromised confidentiality, integrity, or availability of an information asset. This could be an accidental insider threat in which an employee mistakenly exposed information, or could result from a malicious external attack.
- An unauthorized incident that caused degradation, interruption, or loss of control or damage to the operational technology system. This could be a network outage due to a cyberattack or even the consequence of a natural disaster.
- Access to, theft of, or alteration of sensitive data categories, such as personally identifiable information, business plans, or intellectual property, by an unauthorized party, resulting in loss or liability to the company.
- Ransomware or similar attacks in which a malicious actor offers, or threatens, to sell sensitive information. For example, stolen customer credit card numbers are offered for sale on the dark web.
- Incidents in which a hacker or other malicious attacker demands payment to restore lost or stolen data. These are primarily ransomware attacks, in which companies hand over large cryptocurrency payments to recover data or to have system operations restored.
While this is not an exhaustive list, the main point is that companies themselves are responsible for making a material determination about an attack or breach and then reporting it to investors and regulators within four business days of that determination.
Periodic disclosure: What are the important disclosure dates?
The new SEC cybersecurity disclosure requirements will mandate public companies to provide periodic updates about previously disclosed cybersecurity incidents when a material change, addition, or update has occurred. This is in addition to originally disclosing the incident within four business days of the material determination. If a series of previously undisclosed, immaterial cybersecurity incidents becomes material at any point, the company will need to disclose these incidents in its next filed periodic report.
The SEC proposal would also require significant disclosures about a public company's policies and procedures in place to identify and manage cybersecurity risks. Specifically, the proposed rule would require public companies to disclose "in such detail as necessary to adequately describe the registrant's policies and procedures, if it has any, for the identification and management of risks from cybersecurity threats." Companies will be required to divulge these risk management measures on an ongoing basis in their public filings.
How can companies prepare for new SEC cybersecurity enforcement?
Although the SEC cybersecurity proposed rule changes have not been made official, companies can and should take steps to prepare for the potential rule enforcement. For the most part, companies will need to focus on their current cybersecurity technology stack, policies, and breach response procedures.
It’s also important to note that breaches that may happen because of weak endpoint security are not material under these changes; however, implementing strong endpoint measures is still critical to a strong overall cybersecurity posture. Below are some key tips and steps that will help you prepare for the new SEC disclosure requirements should they be codified.
1. Revisit cybersecurity policies and procedures
It’s important that companies revisit their cybersecurity policies to ensure that they provide effective disclosure controls and procedures, including communication between the infosec team, those responsible for cybersecurity, and the legal team. These policies and channels of communication will be core to the prompt assessment and escalation of detected cybersecurity incidents. Reviewing and updating policies will provide the right process, oversight, and compliance with new disclosure requirements.
2. Review board oversight structures
While your company may already disclose the board’s role in overseeing cybersecurity risk in its proxy statements, the proposed rule changes introduce a broad set of board-related topics that will need to be addressed. Boards that have not delegated responsibility for overseeing cybersecurity disclosures to a specific committee will need to consider whether doing so is an appropriate step. Assess the amount of time the board spends addressing cybersecurity during meetings and consider allocating more.
3. Enhance executive cybersecurity capabilities
If and when these new SEC disclosure requirements take effect, they will likely create labor market pressure for executives with cybersecurity experience and capabilities. You’ll therefore want to conduct any executive candidate search and hiring process in a way that prioritizes those individuals. Companies will need to consider whether their assessments of executive experience align with the criteria proposed by the SEC, as those executives will also appear in disclosures, annual reports, and proxy statements.
4. Minimize the risk of disclosure
The best way to prepare for any new SEC rule changes is to minimize the risk of breach and compromise — and thereby disclosure — in the first place. Executives, legal teams, and CFOs would be well-served to lobby their organizations to enlist an experienced cybersecurity and compliance partner like Varonis to assist on multiple levels. Your security partner should be able to help audit and amend your cybersecurity policies and procedures to help reduce the risk of ransomware, phishing, and other attacks. Your security partner should also be able to help train legal, infosec, and operational teams on breach prevention, response, mitigation, and reporting.
With these potential new disclosure rules, the SEC is trying to improve security culture within publicly traded companies and enhance transparency for both the SEC and investors. Companies will be well-served to begin learning about the specific clauses and details of the new disclosure requirement document, in addition to implementing data loss prevention software and other technology tools to mitigate the risk of cyber threats. In a perfect world, publicly-traded companies would be able to avert any breaches or hacks altogether. But for the time being, organizations should be prepared to comply with the SEC’s new disclosure framework before any incident occurs.
David is a professional writer and thought leadership consultant for enterprise technology brands, startups and venture capital firms.