New cybersecurity disclosure rules from the SEC take effect today. They oblige listed companies to disclose “material” cybersecurity incidents within four days and detail oversight of cyber risk by boards.
Initial proposals that would have forced companies to specifically detail board cybersecurity expertise and who their CISO reports to were dropped to “streamline” the rules amid an industry backlash.
Yet the rules, an evolution of the SEC’s 2018 guidance, represent a real shift in breach disclosure requirements, especially for public companies. (They come amid growing focus from regulators on cyber risk, with enforcement of Europe’s “DORA” also due to be effective January 2025.)
The new SEC Rules: In brief
Under Item 1.05 of Form 8-K, firms need to disclose any cybersecurity incident they determine to be material and to describe the material aspects of the incident's nature, scope, and timing. This is due four business days after a registrant determines that a cybersecurity incident is material. It can be delayed if the Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.
The new rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats. It also requires firms to describe the board of directors’ oversight of risks from cyber threats. These disclosures are required in a registrant's annual report on Form 10-K.
The rules require comparable disclosures by foreign private issuers on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.
Markets watchdog the SEC said on July 26 that it is introducing the rules to “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies.”
It emphasised at the time that such disclosures will need to be made publicly available in machine-readable inline XBRL format.
Item 106 of Regulation S-K and item 16K of Form 20-F (covering cyber risk management) are effective in annual reports for fiscal years ending on or after December 15, 2023. The new cyber incident disclosure requirements in Item 1.05 of Form 8-K and in Form 6-K are effective December 18, 2023.
The SEC cyber disclosure rules, effective December 18, require companies in scope to report details about cyberattacks, including their nature, scope, timing, and material impact, in 8-K forms. “Material impact” can include “harm to a company’s reputation, customer or vendor relationships, or competitiveness” as well as risk of litigation or regulatory action.
Critically, despite industry opposition, the SEC declined to water down rules on third-party incidents, saying “we are not exempting registrants from providing disclosures regarding cybersecurity incidents on third-party systems they use” – emphasising that investors would care about materiality, not who owns affected systems after an incident.
Its initial consultation had triggered widespread industry concern, evident in submissions reviewed by The Stack. These had centred around the risks of early disclosure, the additional reporting burden and the utility (or otherwise) of sharing potentially sensitive organisational “minutiae”.
The National Defense Industrial Association for example had warned that the rules “will impose serious and avoidable problems for publicly traded companies… within the defense and national security space”; the US Chamber of Commerce fumed that the SEC’s “unprecedented micromanagement of companies’ cybersecurity programs is misguided”; and PwC suggested that SEC’s notion of “materiality” was incomplete.
One CISO, Sun Life’s Abhay Raman, who is already beholden to strict Canadian cyber risk disclosure rules, had lamented that “duplicative disclosure requirements… would distract critical resources with fulfilling reporting obligations rather than focusing on addressing a cybersecurity incident [and] increase the regulatory burden on companies without necessarily meeting the SEC’s aims” – a not uncommon concern.
The NYSE, home to over 2,400 companies with an aggregate market capitalisation of over $30 trillion, had suggested in its response to consultation on the rules that the SEC’s initial requirement for details on boards’ cybersecurity experience, along with further information, represented “granular disclosures of organizational minutiae [that] may result in overly detailed filings that have little utility to investors.”
How granular had initial proposals been?
The SEC’s initial proposals would have compelled listed companies to disclose, among other now-dropped requirements, “whether the entire board, specific board members, or a board committee is responsible for the oversight of cybersecurity risks;” “the processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic;” as well as whether the firm has a CISO.
The NYSE noted in its response over the summer that it “does not believe that the absence of a cybersecurity expert on a company’s board is necessarily the fatal flaw that the required disclosure may implicitly suggest to investors… a corporate board may rely on reporting from an in-house cybersecurity team or external consultants…”
SEC cyber risk disclosure requirements that remain include:
- "Which management positions or committees are responsible for assessing and managing such [cyber] risks, and the relevant expertise of such persons or members in such detail as necessary…
- "The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and…
- "Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors."
The watchdog said over the summer that “overall, we remain persuaded that… under-disclosure regarding cybersecurity persists despite the Commission’s prior guidance; investors need more timely and consistent cybersecurity disclosure to make informed investment decisions; and recent legislative and regulatory developments elsewhere in the Federal government, including those developments subsequent to the issuance of the Proposing Release such as CIRCIA… will not effectuate the level of public cybersecurity disclosure needed by investors in public companies.”
You can read the full final 186-page document here.