In a press release on July 26, 2023, the SEC announced that it has adopted new cybersecurity disclosure rules that are stricter and more comprehensive than before.
TL;DR - the new rules require public companies and foreign issuers to:
- File Form 8-K (or Form 6-K for foreign issuers) within four business days of determining that an incident is material. This means security teams must be able to detect incidents, investigate quickly, and produce detailed reports.
- Periodically disclose cybersecurity risk management, strategy, and governance in annual reports on Form 10-K and Form 20-F (for foreign issuers).
- Describe the company's board oversight of cybersecurity risk, including management's role and expertise. Companies will aim to form board committees and appoint cybersecurity experts to their board.
These stricter requirements aim to protect investors from the downside risk and harm a data breach could cause to the business.
For companies whose cybersecurity programs are not up to par, disclosing their cyber capabilities will be a formidable task. Many companies are not ready to reveal the extent of their cyber capabilities to investors. The rule also requires that cybersecurity disclosures be presented in Inline XBRL, a machine-readable format.
The final rules will become effective 30 days following publication of the adopting release in the Federal Register (i.e., mid-December 2023).
As for the rationale behind the more aggressive rules, SEC chair Gary Gensler says:
I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.
Here’s everything you need to know about the SEC’s new disclosure requirements, how to prepare for enforcement, and technology that will aid in your compliance efforts.
- Who does the newly proposed SEC cybersecurity rule impact?
- What do I need to know about the SEC cybersecurity rule?
- How can companies prepare for new SEC cybersecurity enforcement?
Who does the newly proposed SEC cybersecurity rule impact?
The new SEC cybersecurity rule is designed to give the public additional transparency into company breaches and timely notification of cybersecurity incidents. Because compliance and cybersecurity are so closely intertwined, the SEC's rule change will affect several different parties, including:
- Investors who will be better informed about risk level, security measures, and incidents
- Executives who will need to evaluate their cybersecurity posture end-to-end and work with legal and finance teams to ready their filings
- Boards of directors who will need to add cybersecurity expertise and oversight
- Security teams who will need to strengthen their breach detection and reporting capabilities
What do I need to know about the SEC cybersecurity rule?
In addition to reporting material cybersecurity incidents within four business days via Form 8-K, companies must also provide periodic updates on previously reported cybersecurity incidents and describe their cybersecurity risk management policies and procedures. Companies will now be required to disclose items such as the following in their 10-K, related to their risk-management policies:
- Outline and description of their cybersecurity risk program
- How they engage with third-party assessors or consultants
- Measures for cyber incident prevention, detection, and mitigation
- Business continuity and recovery procedures in the event of a breach
- How cybersecurity risk might impact the company’s financials
- Business strategy and planning related to cybersecurity risk
Companies must also disclose all cybersecurity governance practices as well as cybersecurity expertise that exists on the board of directors.
With 68 percent of business leaders saying their cybersecurity risks are increasing, the SEC has good reason to install new regulations that serve to inform investors and the public of attacks on public companies and corporations. While corporate disclosure practices have improved in recent years, the new regulation is designed to address lingering inconsistencies with how investors are informed about breaches and add consistency to overall risk management.
This comes on the heels of high-profile ransomware attacks on mega-corporations where public companies were forced to pay large sums of money to hackers, suffering massive reputational damage that impacted investors. Once the proposed regulation is approved, the changes will appear on SEC.gov and the Federal Register for comments and feedback. The primary administrative impact will be on forms 6-K and 8-K.
Incident reporting: What information needs to be disclosed?
One of the main reasons for the proposed change is that the SEC noted some incidents were reported in the media but not disclosed by the affected companies in their periodic filings. Additionally, the SEC found that when disclosures were made, the nature and thoroughness of those reports were either inconsistent or incomplete.
To create a uniform expectation regarding the timing and substance of disclosures, the SEC is proposing the following requirements as it relates to breach reporting:
- Disclose when the breach took place and whether or not it’s ongoing
- Provide a brief description of the nature and scope of the incident
- Provide information on any data that was stolen, altered, accessed, or used without authorization
- Disclose the overall effect and impact of the incident on the company’s operations
- Report whether or not the company has remediated, or is remediating, said incident
Incident reporting: What types of events need to be reported?
The new rule is not triggered by a cybersecurity incident itself, but by the company's determination that the incident is material. Below are a few key examples of the main types of events the new rule would cover:
- Any incident that compromised confidentiality, integrity, or availability of an information asset. This could be an accidental insider threat in which an employee mistakenly exposed information, or could result from a malicious external attack.
- An unauthorized incident that caused degradation, interruption, or loss of control or damage to the operational technology system. This could be a network outage due to a cyberattack or even the consequence of a natural disaster.
- An unauthorized party accessing, stealing, or altering sensitive data categories, such as personally identifiable information, business plans, or intellectual property, in a way that results in loss or liability to the company.
- Ransomware or other similar attacks when a malicious actor is offering or threatening to sell sensitive information. For example, stolen customer credit card numbers are offered for sale on the dark web.
- Incidents in which a hacker or other malicious attacker demands payment to restore lost or stolen data. These are primarily ransomware attacks, in which companies hand over large cryptocurrency payments to recover data or to have systems restored.
While this is not an exhaustive list, the main point is that companies themselves are responsible for determining whether an attack or breach is material, and must then report it to investors and regulators within four business days of that determination.
Incident reporting: What are the important dates?
Form 8-K, Item 1.05 and Form 6-K, General Instruction B
Compliance deadlines for the new SEC cybersecurity rule will vary depending on the size of the reporting companies. For larger registrants, compliance will be required 90 days after the rule is published in the Federal Register or by December 18, 2023, whichever is later.
Smaller reporting companies will have 270 days after the publication date or until June 15, 2024, whichever is later, to begin compliance.
Additionally, all registrants will need to start tagging responsive disclosure in Inline XBRL by December 18, 2024, or 465 days after the publication of the Final Rule in the Federal Register, whichever is later. These timelines ensure that companies have sufficient time to prepare for and implement the necessary changes to meet the SEC's cybersecurity requirements.
Periodic disclosure: What are the important dates?
Form 10-K, Item 106 of Regulation S-K and Form 20-F, Item 16K
Starting from fiscal years ending on or after December 15, 2023, annual reports, such as the 2023 Form 10-K (or Form 20-F) for calendar-year-end companies filed in 2024, will be required to incorporate the new disclosures.
Moreover, all registrants will need to implement the tagging of responsive disclosure in Inline XBRL for annual reports ending on or after December 15, 2024.
How can companies prepare for new SEC cybersecurity enforcement?
Preparing for cybersecurity rule enforcement
- Update incident response procedures
- Review board oversight
- Enhance executive capabilities
- Minimize disclosure risk
Companies can and should take steps to prepare for the rule enforcement by evaluating their current cybersecurity technology stack, policies, and breach response procedures. Now is also a great time to run a data risk assessment to measure your security posture. Below are some key tips and steps that will help you prepare for the new SEC disclosure requirements should they be codified.
1. Update your incident response procedures
It’s important that companies revisit their cybersecurity policies to ensure that they provide effective disclosure controls and procedures, including communication between the infosec team, the investor relations team, and the legal team. These policies and channels of communication will be core to the prompt assessment and escalation of detected cybersecurity incidents. Review and update policies to include the new disclosure requirements.
2. Review board oversight structures
While your company may already disclose the board's role in overseeing cybersecurity risk in its proxy statements, the rule changes introduce a broad set of board-related topics that will need to be addressed. Boards that have not delegated responsibility for overseeing cybersecurity disclosures to a specific committee will need to consider whether doing so is an appropriate step. Assess the amount of time the board spends addressing cybersecurity during meetings and consider allocating more.
3. Enhance executive cybersecurity capabilities
If and when these new SEC disclosure requirements take effect, they will likely create labor market pressure for executives with cybersecurity experience and capabilities. You’ll therefore want to conduct any executive candidate search and hiring process in a way that prioritizes those individuals. Companies will need to consider whether their assessments of executive experience align with the criteria set out by the SEC, as those executives will also appear in disclosures, annual reports, and proxy statements.
4. Minimizing the risk of disclosure
The best way to prepare for any new SEC rule changes is to minimize the risk of breach and compromise — and thereby disclosure — in the first place. Executives, legal teams, and CFOs would be well-served to lobby their organizations to enlist an experienced cybersecurity and compliance partner like Varonis to assist on multiple levels. Your security partner should be able to help audit and amend your cybersecurity policies and procedures to help reduce the risk of ransomware, phishing, and other attacks. Your security partner should also be able to help train legal, infosec, and operational teams on breach prevention, response, mitigation, and reporting.
What is your organization's readiness?
PwC created this helpful maturity ladder to show where most organizations are today vs. where they must be to comply with the new SEC rules:
With these new disclosure rules, the SEC is trying to improve security culture within publicly traded companies and enhance transparency for both the SEC and investors. Companies will be well-served to begin learning about the specific clauses and details of the new disclosure requirement document, in addition to implementing a data security platform and other technology tools to mitigate the risk of cyber threats. In a perfect world, publicly-traded companies would be able to avert any breaches altogether, but for the time being, organizations should be prepared to comply with the SEC’s new disclosure framework before any incident occurs.
Rob Sobers is a software engineer specializing in web security and is the co-author of the book Learn Ruby the Hard Way.