How to Prepare for SEC’s Cyber Disclosure Rules

April 6, 2023 | By IANS Faculty

The latest rules proposed by the SEC cover a wide range of topics—from cybersecurity to environmental, social and governance—that will affect how public companies operate. The proposed changes and new areas of risk will reshape the cybersecurity function, with heightened expectations around incident disclosure and response, board-level involvement and supply chain scrutiny.

In this piece, we highlight the four proposed SEC rules most likely to have the greatest impact on CISOs and their organizations going forward. Note that the proposed rules described below are subject to change when the final guidance is released.

Proposed SEC Cyber Disclosure Rules 

1. Material Cybersecurity Incidents Reported Within 4 Business Days 

A material “cybersecurity incident,” as defined by the SEC, is any incident that jeopardizes the confidentiality, integrity or availability of a registrant's information systems or any information residing therein. This will most likely include accidental exposure of data or inadvertent data sharing. Reporting requirements include:

  • When the incident was discovered and whether it is ongoing
  • A brief description of the nature and scope of the incident
  • Whether any data was stolen, altered, accessed or used for any other unauthorized purpose
  • The effect of the incident on the company’s operations
  • Whether the company has remediated or is currently remediating the incident

2. Cybersecurity Incident Disclosure in Periodic Reports 

The SEC’s proposed rule does not require public companies to file a separate Form 8-K for such updates; rather, this information would be disclosed in the next filed quarterly or annual report.

If a public company discovers that a series of previously undisclosed, immaterial cybersecurity incidents have become material in the aggregate, it must disclose such incidents in its next filed periodic report.

3. Periodic Disclosures of Cybersecurity Risk Management Policies and Procedures 

This rule stipulates that companies must disclose:

  • Whether they have a cybersecurity risk assessment program and, if so, a description of the program
  • Whether the company engages consultants and other third parties in connection with any cybersecurity risk assessment program
  • Company policies and procedures to oversee and identify the cybersecurity risks associated with the use of any third-party service provider, including whether and how cybersecurity considerations impact selection and oversight of these providers
  • Activities the company undertakes to prevent, detect and minimize effects of cybersecurity incidents
  • Whether the company has business continuity, contingency and recovery plans in the event of a cybersecurity incident
  • Cybersecurity risks and incidents that have affected or are reasonably likely to affect the company’s results of operations or financial condition and, if so, how
  • How cybersecurity risks are considered as part of the company’s business strategy, financial planning and capital allocation

4. Governance Disclosures Regarding Cybersecurity 

This rule stipulates that companies must disclose:

  • Whether the entire board, specific board members or a board committee is responsible for the oversight of cybersecurity risks
  • The process by which the board is informed about cybersecurity risks
  • The frequency with which the board is informed about cybersecurity risks
  • Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management and financial oversight

Potential Impacts of SEC's Upcoming Cyber Disclosure Rules 

These upcoming rules create significant litigation and strategic risks. We see the biggest risk in the cybersecurity incident disclosure obligation, which requires public companies to disclose specific details concerning a cybersecurity incident, including the scope of the incident, data accessed or stolen, and impact on company operations. 

By requiring this disclosure four days after determination of a material cybersecurity incident, the Form 8-K filing could precede data breach notices to state attorneys general, as well as potentially impacted individuals and business partners.

Providing such details prior to the completion of forensic investigation and data-mining efforts is likely to expose companies to litigation before they have a full picture of the impact of the cybersecurity incident. It could also potentially undermine attorney-client and work product privilege associated with investigating the cybersecurity incident. CISOs together with their Boards need to ramp up their reporting capabilities now and shore up their cybersecurity posture. 

Five Steps to Prepare for the New SEC Cyber Disclosure Rules

  • Revisit current incident disclosure policies & compare with the proposed regulations.
  • Review board oversight structure & evaluate directors’ cyber experience.
  • Educate board members on infosec & their new oversight responsibilities.
  • Educate executives on the changes & what it means for the business.
  • Discuss what “material” incidents mean to your org & practice disclosures.

IANS SEC Resource Center 

As the SEC finalizes the upcoming Cyber Disclosure Rules, IANS will provide clients with updated guidance through our new SEC Resource Center.  The Resource Center serves as a centralized hub for resources, FAQs, updates, discussion and guidance to help clients navigate this new regulatory landscape. 


Not an IANS client? Get in touch to learn more about how we can help you and your security team navigate through the upcoming regulatory changes and much more.
