The U.S. Securities and Exchange Commission recently finalized rules on cybersecurity incident disclosures and risk management. While these rules apply directly to public companies, any company – public or private – doing business with a public company will need to pay attention.
The new rules require public companies to file a disclosure for any cybersecurity incident determined to be material to investors and describe the incident’s nature, scope, timing, and impact (or reasonably likely impact) on the organization. Item 1.05 of Form 8-K will generally be due within four business days after an incident is determined to be material.
In the annual report, companies must describe their processes for assessing, identifying, and managing cybersecurity threats. They also must describe the board’s oversight and expertise in assessing and managing these threats.
Many public companies already have processes and procedures in place to identify cybersecurity incidents and share the information with stakeholders – although those may need to be more robust to comply with the new rules. “I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way,” said SEC Chair Gary Gensler. “Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
The new rules will largely become effective beginning with annual reports for fiscal years ending on or after December 15, 2023. Smaller companies have an additional 180 days to comply. While your company might already have a protocol for dealing with cyberthreats, the new rules require that your processes and thresholds be formalized and communicated in your financial filings. Here are three steps to take now:
1. Review your cybersecurity policies and adjust as necessary. Many companies already classify incidents as high, medium, or low priority based on the type of information that could be compromised. But a high-priority incident does not necessarily qualify it as “material” from the SEC’s perspective. An incident involving PII, for example, would be a high priority, but it would only be considered material if it impacts investors or the company’s ability to operate. Each company needs to define for itself what is considered material, establish standards for identifying those cyberthreats and incidents, and communicating the impact to investors.
2. Evaluate current incidents and categorize them as material/nonmaterial. Apply your materiality standards to identify what incidents or near misses should be disclosed. This disclosure should contain a description of the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations. Once a cybersecurity incident is deemed material, you have four business days to file an Item 1.05 Form 8-K. Note that you must disclose the impact of previously communicated cybersecurity incidents now considered material.
3. Hold your third-party suppliers accountable to your cybersecurity standards. Since a cybersecurity incident at a third party could significantly impact your business, your suppliers must be held to your standards for cybersecurity. Suppliers that are public companies will already have most of this information for their own filings. Private companies, however, may have a sizable amount of work to do before they can provide what is needed. You need to establish a process for reviewing cybersecurity incidents at your third parties to determine whether the incident is material and the potential impact for your own disclosures.
Because there currently is no standard for determining materiality, third parties may find themselves needing to follow different parameters for each of their customers. Keeping up with potentially hundreds of protocols will be a challenge, even for public companies. Third parties could decide to simply follow the most stringent standard. However, that approach may overwhelm customers with higher thresholds.
Increasing reliance on third-party service providers (including cloud storage), in fact, is one of the factors singled out by the SEC as contributing to the alarming rise in the cost of cybersecurity incidents. Other factors adding to the cost and frequency of incidents include digitization of operations, the growth of remote work, and the ability of criminals to profit from cybersecurity incidents – none of which are expected to ease anytime soon.
While there has been some improvement in the information companies disclose since the SEC guidelines were originally issued in 2011, the new rules will add much needed consistency and clarity to what is reported, how it’s reported, and when it’s reported. Investors will now have useful information to assess a company’s exposure to material cybersecurity risks and its ability to manage incidents. And that is sure to be welcome news.