What the SEC Cybersecurity Rule Means for You
The U.S. Securities and Exchange Commission has eased off what it initially proposed for cybersecurity disclosures. But the newly adopted SEC cybersecurity rule raises the stakes for how companies assess the materiality of non-financial information, with major impacts across teams from SEC reporting to ESG to audit and risk.
Under the final cybersecurity rule, companies have to disclose cybersecurity incidents within four business days of determining an incident is material (with just a narrow exception). The SEC doesn’t specify a timeline for making that determination. The rule also won’t ask companies to detail the cybersecurity expertise of board members, but they’ll have to disclose that information for management.
The final rule comes as hacks and breaches continue making headlines. No doubt, incidents can be costly if a hacker is able to disrupt day-to-day operations, collect a hefty ransom, or steal valuable intellectual property or even customers’ data—not to mention harm your corporate reputation as you’re scrambling to contain the damage.
Companies will want their legal, IT, risk, audit, and ESG teams to stay in close touch and vet third-party vendors to protect themselves from cyberthreats.
Let’s take a look at the final SEC cybersecurity rule and explore how it will impact multiple teams. Plus, we'll review steps you can take to minimize risk when working with contractors and vendors, whose own cybersecurity incidents could affect your operations.
What’s in the SEC cybersecurity proposal
You can read the full rule online, but generally it includes requirements for disclosures about cybersecurity incidents and about cybersecurity risk management, strategy, and governance.
The rule goes into effect for annual reports for fiscal years ending December 15, 2023, or later. For the rule’s 8-K and 6-K requirements, larger companies have to comply starting December 18, 2023; smaller reporting companies have until June 15, 2024, to start complying.
The SEC cybersecurity rule requires:
1. An 8-K filing within four business days of a company determining it has experienced a material cybersecurity incident, with details of the nature, scope, timing, and likely material impacts on the business, plus amended 8-Ks for updates on previously disclosed incidents.
The final rule provides a super narrow exception to the four-day requirement, which is if the U.S. attorney general determines a disclosure would pose a substantial threat to national security or public safety. And the attorney general has to provide that determination to the SEC in writing.
The rule doesn’t specify the timeframe for you to determine whether a cybersecurity incident is material, but it has to be “without unreasonable delay.”
It's possible the SEC could scrutinize the timing of when an incident occurred and when it was ultimately disclosed under the new Form 8-K Item 1.05 under the rule.
That will make the timing and documentation of how companies assess materiality incredibly important.
2. Disclosures of policies and procedures to assess, identify, and manage cybersecurity risks and management’s role in implementing them.
3. No required disclosures of board members’ cybersecurity expertise, but companies will have to disclose management’s role and expertise in assessing cybersecurity threats.
4. Disclosures submitted with Inline XBRLTM tagging to enable investors to extract and analyze data faster. (This requirement kicks in one year after compliance with the related disclosure requirement.)
For foreign private issuers, cybersecurity incidents are topics that should be reported on a Form 6-K and in the annual report on Form 20-F.
We could debate whether those disclosures could give criminals ammunition for future attacks or hinder law enforcement from recovering stolen funds before criminals realize authorities are on to them. But the bottom line is that cybersecurity incidents could happen to any company, and investors want to see how resilient you are if one should happen to you.
“Cybersecurity incidents, unfortunately, happen a lot,” SEC Chair Gary Gensler said in announcing the SEC proposal in 2022. “They can have significant financial, operational, legal, and reputational impacts on public issuers. Thus, investors increasingly seek information about cybersecurity risks, which can affect their investment decisions and returns."
He said companies and investors alike would benefit with this information being required in a consistent, comparable, and decision-useful manner.
Managing cybersecurity risk while working with SEC filing vendors
In some cases, companies will have to disclose significant hacks involving not only technology they own, but also systems of third-party vendors if the breach is material.
Along with staying vigilant toward security threats within your company, you also need to practice cybersecurity risk management when working with contractors, partners, or vendors.
- For example, when considering software, look for a native cloud service provider that builds its own software and platform rather than a traditional service provider with digital services bolted on, as Workiva Chief Information Security Officer Eric Anders suggests
- Check that your vendor meets or exceeds standards for cloud service providers and employs multiple layers of protection
- Also examine whether your vendor’s software or platform itself has built-in controls, so that if hackers break in via compromised login credentials, the information they can access will be limited
- While no one is immune from a security breach, make sure your vendors are doing all they can to protect you
Best practices under the SEC cybersecurity mandate
As companies start to prepare for the SEC cybersecurity rule, multiple departments outside of financial reporting will also be affected. This includes audit and risk teams, who will need to consider ways to stay ahead of risk and implement a cybersecurity risk management program.
As any major cybersecurity event is inherently stressful, the new rule will not only increase the pressure on organizations going through an incident but will also increase the risk to registrants of non-compliance in two scenarios:
- The SEC isn’t satisfied with the registrant’s cybersecurity incident disclosure and takes enforcement action
- The registrant determines a cybersecurity event is not material and makes no disclosure, but the event later comes to light and the SEC takes enforcement action for failure to disclose
For compliance with the SEC cybersecurity rule—and given the significant risk and potential consequences of non-compliance—organizations will want to:
- Consider deploying multiple layers of security protections including multi-factor authorization methodologies
- Reassess their security breach detection measures so that they would be aware of a breach promptly
- Vet their vendors' cybersecurity controls and customer service, so organizations could ensure that they would be kept informed if their vendors should have a security incident
- Integrate cybersecurity into the "G" in ESG
- Evaluate their current governance, risk, and compliance (GRC) processes and readiness to manage a significant cybersecurity incident with regard to the new disclosure rules
- Conduct a cybersecurity risk assessment as a part of their overall enterprise risk management (ERM) process to reflect the potential impact of non-compliance with the new rules
- Update existing or implement new policies, procedures, and processes to implement an effective cybersecurity and IT risk management program
- Design and implement robust internal controls over their incident management program
- Audit the effectiveness of their cybersecurity incident management program to determine if internal controls are properly designed and are operating effectively
How to build an effective cybersecurity risk management program
Working closely with IT, legal, and other departments—they can assist in assessing the health of their company’s current cybersecurity program. As audit and risk practitioners look to build an effective cybersecurity and IT risk management program, the following list of cybersecurity practices provides a starting point for consideration:
- Review their company’s current GRC cybersecurity practices and ensure that:
- Cybersecurity priorities are driven by and aligned with the overall business strategy and risk appetite framework
- Cybersecurity is prioritized appropriately based on its impact to the business strategy
- Management actively supports the implementation of security measures, allocates necessary resources, and views cybersecurity and IT risk management as an investment to protect the organization's assets and reputation
- Practices are established to remain informed about emerging cybersecurity risks, including regulations and compliance standards related to your industry
- Cybersecurity governance processes are agile and updated regularly to align with new and emerging risks
- Objectives, roles, responsibilities, and reporting structures for cybersecurity are well documented and understood across the entire organization—not just IT
- Individual and team roles and responsibilities are clearly defined
- All employees understand their role in maintaining security, where to turn for help or if they have questions, and how to report cybersecurity concerns
- Assess cybersecurity risks regularly and integrate the results with your organization’s ERM process
- Understand known cybersecurity risks, risk mitigation actions, and the residual risk to your company
- Document and identify emerging cybersecurity trends, technologies, threats, regulatory changes, and more
- Prioritize risks and implement risk mitigation strategies to address them effectively
- Adapt your cybersecurity governance process to reflect the threat landscape as it evolves
- Develop and enforce cybersecurity policies and procedures that cover all aspects of the organization's operations, including data protection, access control, incident response, and employee training:
- Ensure cybersecurity policies are regularly reviewed, updated, and communicated across the company
- Educate all employees about cybersecurity best practices, the importance of data protection, and how to recognize and report potential security incidents
- Develop a well-defined incident response plan that outlines how to determine if a breach has occurred, assess the materiality of the breach, and coordinate response and communication with third parties
- Test and update your incident response plan regularly to improve response effectiveness
- Implement continuous monitoring of your systems, networks, and applications to detect anomalies and potential threats and report to responsible parties as quickly as possible
- Conduct penetration testing and vulnerability assessments on a regular basis to identify and address weaknesses
- Establish key performance indicators (KPIs) and security metrics to measure the effectiveness of your cybersecurity governance process
- Report on established KPIs with management and stakeholders to demonstrate progress and highlight areas of improvement
- Conduct regular internal and external audits of your cybersecurity governance process to identify any gaps or weaknesses that need to be addressed
Being proactive can help protect your organization against cybersecurity threats, will strengthen your organization’s resilience, and will help you be prepared to address, mitigate, and disclose material cybersecurity incidents under the new SEC cybersecurity rule.
Take a break from reading about ESG and join the discussion virtually at Amplify 2023 on Sept. 21st. Access 13 sessions, and get the chance to earn up to 8 CPE credits! Register now.
Learn how legal, risk, ESG, and SEC reporting teams are using the Workiva platform. Request a demo.
Inline XBRLTM and iXBRLTM are trademarks of XBRL International, Inc. All rights reserved. The XBRL® standards are open and freely licensed by way of the XBRL International License Agreement.