The US Securities and Exchange Commission (SEC) has implemented a new rule governing cybersecurity incident disclosure for public companies. The rule has been in effect since December 18, 2023. Non-compliance carries the risk of regulatory enforcement and investor litigation. Here’s what leaders at public investment businesses need to know:
The SEC cybersecurity incident disclosure rule in brief
The new SEC rule contains two parts.
The first mandates that all public companies disclose material cybersecurity incidents using Form 8-K. Examples of material cybersecurity incidents include (but are not limited to) data breaches, system intrusions, ransomware attacks, or email account compromises.
The second part of the rule requires firms to provide an annual disclosure of their cybersecurity risk management, strategy, and governance processes.
How soon must a cyber incident be disclosed?
The rule requires companies to disclose material incidents within four business days of determining materiality. To quote from a statement issued by Erik Gerding, Director of the SEC’s Division of Corporation Finance:
“Public companies must provide the required cybersecurity incident disclosure within four business days after the company determines the incident to be material. The deadline is not four business days after the incident occurred or is discovered. This timing recognizes that, in many cases, a company will be unable to determine materiality the same day the incident is discovered.”
How is materiality determined?
Boards of directors and executives must decide whether or not an incident is material. But the SEC provides some guidance on the materiality standard. Factors to consider when assessing material impact include:
- Harm to a company’s competitiveness, reputation, or relationships with customers and vendors
- Financial impact from a cybersecurity incident
- Possible litigation or regulatory action from state, federal, or non-U.S. authorities
- Data theft that impacts the firm due to harm to customers, individuals, or others
Is the SEC mandating specific cybersecurity technologies and practices?
The stated intent of the SEC rule change is to standardize public company disclosures for the benefit of investors.
The rule does not force companies to change their cybersecurity procedures or governance policies, or require them to adopt particular cyber defenses or security practices.
Decisions about cybersecurity technologies, policies, procedures, and governance are still at the discretion of individual companies and their cybersecurity and technology partners.
What is excluded from the disclosure requirements?
There are a couple of important exceptions and exclusions to the new SEC disclosure requirements.
First, the rule provides an exception if disclosing the cyber incident could impact national security or public safety. In such a case, the SEC recognizes that a delay in reporting a material incident—beyond the standard four-business-day requirement—may be warranted. Per the SEC statement, any such delay would be “contingent on a written notification by the Attorney General.” The US Department of Justice (DOJ) has issued detailed guidance on how companies should proceed if they believe that a cyber incident meets the criteria for a delay.
In addition, disclosures of material incidents do not need to contain information that could hinder incident response—or facilitate future attacks by publicizing the details of an organization’s security posture. To quote the SEC’s Gerding again:
“A registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident…the need for disclosure [was balanced] with the risk that disclosing specific technical information could provide a road map that threat actors could exploit for future attacks.”
Preparing to comply with the SEC rule change
Public investment companies should prepare for compliance with the SEC cyber incident disclosure rule in two main ways.
To meet the four-day disclosure timeline, organizations will need a clear process for assessing the materiality of a cyber incident and capturing all of the required elements that must be included in the report to the SEC. The process should be well documented, tooled, and communicated—and above all should be firmly in place ahead of any cyber incident.
To satisfy the annual disclosure requirement, businesses need a risk management program that receives board oversight and engages key management personnel throughout the organization. In addition, such a program should be regularly assessed and updated as needed. It is recommended that risk management programs be subject to review and strategic discussion at least annually—and also when significant business or security developments occur.
Learning more and getting help
The cyber threat landscape facing financial businesses is intimidating, and preparing to comply with a new SEC reporting requirement can be daunting.
To learn more about the new SEC requirements, we recommend starting with Director Gerding’s public statement, which contains detailed information about the rule as well as the rationale behind many of its particulars.
Linedata Technology Services helps financial businesses navigate their cybersecurity and digital transformation challenges through our portfolio of cloud transformation services, cybersecurity solutions, and managed services offerings. As a specialist in the financial industry for over 25 years, Linedata is uniquely positioned to meet the needs of asset managers, hedge funds, private equity firms, and other buy-side institutions. To discuss how we can help you strengthen your cybersecurity program, contact us today.
About the author, Don Duclos
Don Duclos has 20 years of Information Security experience at leading financial institutions and technology services providers. Prior to joining Linedata, he led teams in all three lines of defense (within the business line, Information Security, and Internal Audit) at regulated firms, where he frequently engaged with regulators and examiners from the SEC, OCC, FDIC, and FRB. He is the Chief Information Security Officer at Linedata Technology Services.