The Securities and Exchange Commission (SEC) recently adopted new rules requiring public companies to disclose material cybersecurity incidents within four business days and provide annual and immediate disclosure on cybersecurity risk management. The rules aim to give investors timely, consistent, and comparable information to evaluate cybersecurity threats and maintain public safety.
As you review the main points on timing, required details, delay allowances, and regulator flexibility, keep in mind the value of transparency for investors and the need to protect sensitive systems and response plans. Finding the right balance will lead to cyber risk reporting that informs markets without empowering malicious actors.
Use the following guidance on the new rules as a reference as you determine how best to apply the requirements to your unique risk environment and navigate this new regulatory landscape.
Key Takeaways
1. The final SEC Cybersecurity Disclosure Rule requires companies to promptly communicate details about a recent cybersecurity incident.
2. The rule aims to inform investors about cybersecurity threats and prepare them for similar risks.
3. I.S. Partners, LLC provides expert auditing services to help you evaluate your risk management strategies and help you comply with the Cybersecurity Disclosure Rule.
What Is the SEC Cybersecurity Disclosure Rule?
The SEC Cybersecurity Disclosure Rule is a national-level law that requires public companies to disclose any material cybersecurity breach. The disclosed information must include a comprehensive description of the incident: its nature, scope, timing, and impact on the company.
The rule aims to provide investors with consistent and comparable details to evaluate cybersecurity risks. It highlights the potential impact of any material cybersecurity incident on companies.
“This new regulation is significant in that companies have to actually comply with reporting now, not just at their discretion. Since incidents could impact financial statements, processes are needed to govern reporting and materiality determination with financial auditors.” – Robert Godard, partner at I.S. Partners, who specializes in audits of IT controls and infrastructure, and financial statements
However, some companies may find certain aspects of the incident disclosure obligations unclear or challenging as they transition into compliance. To help public companies understand the key material aspects of the cybersecurity disclosure rules, we’ve highlighted critical information to remember to comply with the law, including:
- timing requirements,
- the scope of disclosures,
- exceptions for national security, and
- SEC compliance expectations.
Carefully considering these details around the new regulation will ensure your company is well-prepared to meet the new reporting standards and provide investors with decision-useful information on cybersecurity issues.
Compliance Effective Date and Deadline
For most public companies: The new cybersecurity disclosure rule went into effect in December 2023.
For smaller public companies: The rule is expected to go into effect in June 2024.
Timing of Disclosure Obligations
- You have flexibility in timing to determine if a cybersecurity incident is material. Make this assessment “without unreasonable delay” after an incident occurs.
- If deemed material, disclose the incident within four business days after determining materiality.
Scope of Required Disclosure
- Focus disclosure on the material impacts of the incident, such as financial effects and the scope of systems/data affected.
- You do not need to disclose specific or technical information about systems, vulnerabilities, or response plans if it would impede incident response.
Seeking a Disclosure Delay
- You can seek a delay in disclosure, through DOJ notification, if disclosure poses a national security or substantial risk. The DOJ has issued guidance on this process.
- Consulting law enforcement does not automatically determine materiality or impose disclosure obligations. You need to make your own determination of materiality.
SEC Compliance Expectations
- In the first year, the SEC aims for flexibility and good faith compliance efforts, not penalizing foot faults.
- Continue to apply the traditional concept of materiality focused on reasonable investor needs.
What Should You Do to Prepare for the Disclosure Rule?
According to cybersecurity experts, one important step companies should take to improve compliance procedures is incorporating finance departments into incident response planning. This integration across divisions will help ensure all teams know the internal protocols for reporting cyber events and managing material risks.
Traditional cybersecurity response simulations and tabletop exercises often focus on IT system protections without modeling financial or legal impacts. Organizations can bridge gaps in understanding compliance risks across areas by adding decision-support roles for senior finance personnel. Strengthening links between technical, financial, and legal staff is key.
Public companies may benefit from revising existing cybersecurity plans to explicitly address materiality assessments, disclosure timeframes, and cross-department governance. Aligning protocols company-wide for SEC compliance can help streamline coordination between personnel focused on systems protection, financial losses, reputational risks, and regulatory disclosures.
How Does the New SEC Rule Respond to Old Concerns?
The SEC’s new cybersecurity disclosure rule provides investors crucial information on cyber risks. However, the initial rule proposal raised several valid concerns from public companies around compliance burdens, empowering hackers, legal obligations related to law enforcement consultations, and fears of strict repercussions for good faith disclosure mistakes.
Rather than finalizing an overly strict or confusing regulation, the SEC responded conscientiously to these criticisms from corporate stakeholders. The final rule reflects updated guidance on balancing transparency for investors while protecting sensitive systems, providing flexibility on materiality judgments, and reassuring companies that regulators intend to collaborate – not penalize – during the transition period.
While meaningful disclosure represents an urgent investor need given rising cyber threats, releasing some technical details could unintentionally assist threat actors. By clarifying aspects such as reporting timelines and the focus on material impacts rather than technical vulnerabilities, the SEC demonstrates responsiveness to key concerns.
Considering how the rule update seeks to strike the right balance, remember this ethos of responsive governance in service of corporate and investor interests. The following overview explains how the finalized regulation deals with past confusion or apprehension to pave the way for smooth adoption across public companies.
- Compliance Cost Concerns. The SEC Cybersecurity Disclosure Rule points out where the final rules were changed to lower company compliance costs and burdens, for example by requiring less detailed information on cybersecurity policies.
- Hacker Concerns. It explains how the rules balance the need for disclosure to investors while not forcing companies to reveal so many technical details that it could help hackers. For instance, companies don’t have to disclose details that would get in the way of their response and recovery efforts.
- Law Enforcement Consultation Concerns. It clarifies that just talking to law enforcement does not automatically mean an incident is material or start the clock for reporting. Companies still have to decide on materiality themselves.
- “Gotcha” Concerns. The new SEC rule also aims to reassure companies that the SEC is not looking to punish small issues in the first year but will work with companies making good faith efforts to comply.
- Materiality Standard Concerns. It defends using a materiality standard instead of a bright line rule, arguing materiality connects disclosures to what investors need to know, similar to other material risks companies face. It also notes the flexibility for companies deciding if an incident is material.
“The term ‘material’ is very subjective,” explains Rob. Typical materiality formulas are based on audit risk levels assigned to areas of finances. For breaches, it’s less defined. For example, healthcare breaches might be assessed based on assigned fine schedules, and GDPR assigns dollar values per data point.
While materiality is qualitatively open-ended under this SEC regulation, companies should have formal risk methodologies to justify breach cost assessments. “Documentation of processes for reasonable materiality assignments will be key.”
The SEC’s Stringent Stance on Cyber Disclosure Enforcement
The SEC has shown its willingness to leverage substantial fines and charges against publicly traded firms that inadequately disclose cybersecurity breaches to investors. This strict enforcement precedent signals that companies should expect close regulatory scrutiny of the new reporting rules.
In recent years, the Commission has ramped up actions against organizations with disclosure controls deemed negligent in informing markets about cyber incidents or organizational vulnerabilities. In 2021, a software company paid $1 million to settle SEC charges that it omitted key details and scope in its disclosure of a 2020 ransomware attack.
The agency has also reached multi-million dollar settlements with Yahoo in 2018 ($35 million) and Altaba in 2019 ($35 million), resulting from lagging notification around significant data breaches.
First American Financial Corporation also faced reprisal in 2021 for failing to inform senior leadership and investors about an identified software vulnerability before external reports brought the flaw to light. By neglecting to remediate the known gap, the defendants kept shareholders in the dark, uncertain of expectations around cybersecurity risk management and disclosure controls.
Penalties & Fines for Non-Compliance with the Disclosure Requirements
The hefty multi-million dollar fines in these SEC cases show that the agency is paying more attention to cyber incidents. They want companies to disclose hacks and breaches to investors promptly and accurately.
As the new cyber disclosure rules are rolled out, the SEC’s past actions make its expectations clear: it demands transparency, and it has penalties to hold companies accountable if they fail to report correctly.
While the exact fines for not following the new rules are not defined yet, companies should see the previous fines as a severe warning. They must fully comply with the technical reporting requirements and the general principle of informing investors.
“There currently aren’t any defined penalties or enumerated fines, though SEC fines can be substantial in audit contexts regarding material omissions. Without set penalty levels, issues may be referred to courts. U.S. laws often leave details open for later interpretation to incentivize reasonable good-faith efforts.” – Rob, I.S. Partners
Companies can expect close oversight from the SEC on cyber issues as the agency updates its rules to match the growing reality of cyber threats today. The SEC is getting stricter on cyber-reporting failures.
Stay Up to Date on the Latest Compliance Requirements
The SEC Cybersecurity Disclosure Rule is a fairly new law that requires much attention. Preparation for the rule means safeguarding your assets and assuring your stakeholders that you have the necessary strategy and controls in place.
Not all companies can quickly adapt to these new provisions. Enter I.S. Partners, LLC. With the help of expert auditors, you can rest assured that your operations will be comprehensively assessed and equipped with critical control measures.
With our top-tier master compliance and internal audit preparation, such as MAR/SOX Auditing services, we can prepare your organization to meet the disclosure requirements most efficiently.
Call us at 215-675-1400 or request a quote to discuss your auditing needs.