In an era where data breaches and cyber threats are increasingly common, the U.S. Securities and Exchange Commission (SEC) has taken a significant step toward transparency and accountability in the corporate world. On July 26, 2023, the SEC, in a 3-to-2 vote, adopted a final rule requiring public companies to disclose material cybersecurity incidents and to describe their cybersecurity risk management, strategy, and governance. The rule, first proposed in March 2022, drew extensive comment and criticism, which led to important changes in the final version, including the removal of the proposal's requirement to disclose technical details of an incident and its remediation status. This blog post walks through the details of the new rule and its implications for public companies.
Understanding the New Rule
The new rule requires public companies to disclose a material cybersecurity incident on Form 8-K (new Item 1.05) within four business days of determining that the incident is material. A "cybersecurity incident" is broadly defined as an unauthorized occurrence, or a series of related unauthorized occurrences, on or through a company's information systems that jeopardizes the confidentiality, integrity, or availability of the company's information systems or any information residing therein.
Note that the definition expressly covers "a series of related unauthorized occurrences." A company materially affected by a series of related intrusions must therefore comply with the rule even when the impact of each individual intrusion, taken on its own, would be immaterial.
In addition to incident disclosure, the rule introduces new annual-report requirements (Regulation S-K Item 106) for companies to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, and whether any such risks have materially affected or are reasonably likely to materially affect the company. It also requires companies to describe the board of directors' oversight of these risks and management's role and expertise in assessing and managing them.
Implications for Public Companies
The new rule significantly changes the status quo and adds complexity to incident response for every public company. It imposes a substantial burden on companies to disclose material cybersecurity incidents promptly and accurately: the Form 8-K must describe the material aspects of the incident's nature, scope, and timing, and its material impact or reasonably likely material impact on the company, including its financial condition and results of operations. The rule does not, however, require specific or technical information about the planned response, the affected systems, or potential vulnerabilities in such detail as would impede the company's response or remediation. Meeting the deadline will require a robust and efficient incident response process that ensures timely detection, assessment, escalation, and reporting of cybersecurity incidents.
Moreover, the rule requires companies to disclose their cybersecurity risk management, strategy, and governance. This will push companies to develop and maintain comprehensive cybersecurity risk management processes and to integrate those processes into the company's overall risk management system.
The rule also underscores the role of the board of directors and management in overseeing and managing cybersecurity risks. Companies will need a clear delineation of responsibilities and effective communication channels between the board, management, and the cybersecurity team.
Implications for Foreign Private Issuers
The rule also has implications for foreign private issuers. It amends Form 20-F to include requirements parallel to those for domestic companies regarding risk management, strategy, and governance. It also amends Form 6-K so that foreign private issuers must furnish information about material cybersecurity incidents that they disclose or otherwise publicize in a foreign jurisdiction, to any stock exchange, or to security holders.
Foreign private issuers will therefore also need robust cybersecurity risk management processes and incident response mechanisms, and will need to communicate cybersecurity risks and incidents effectively to their stakeholders.
Preparing for Compliance
The final rule becomes effective 30 days after publication in the Federal Register. Most public companies must comply with the incident disclosure requirements beginning on the later of December 18, 2023, or 90 days after publication in the Federal Register; smaller reporting companies receive an additional 180 days. Companies need to start preparing for compliance now.
Firstly, companies should update their cybersecurity incident response playbooks to reflect the processes contemplated under the new Form 8-K requirements. They should review and test their procedures for responding to cybersecurity incidents, then amend or supplement those procedures and the attendant documentation as needed to support Form 8-K reporting.
Secondly, companies should confirm that their disclosure controls and procedures provide for effective communication between the cybersecurity team, the legal team supporting cybersecurity, the legal team responsible for securities disclosure, and the disclosure committee, as well as for appropriate interaction with the board of directors or a responsible board committee.
Lastly, companies should plan to carefully document both their materiality analysis and the reasonableness of the time taken to assess materiality. The rule requires the materiality determination to be made without unreasonable delay after discovery of the incident, so a documented, timely assessment and escalation process for detected incidents will be crucial to meeting the disclosure requirements.
The new SEC rule on cybersecurity disclosure marks a significant shift in the regulatory landscape for public companies. It underscores the importance of transparency and accountability in managing cybersecurity risks and responding to cybersecurity incidents. While the rule imposes significant obligations, it also gives companies an opportunity to enhance their cybersecurity risk management processes and incident response mechanisms, thereby strengthening their overall cybersecurity posture. Companies will need to balance the obligation to disclose material information against the need to protect sensitive details that malicious actors could exploit. With careful planning and preparation, they can meet these regulatory obligations and turn them into opportunities to improve their cybersecurity resilience.