The U.S. Securities and Exchange Commission (SEC) recently implemented a new rule mandating stringent cybersecurity incident reporting and disclosure requirements for public companies.
This FAQ aims to provide answers to common questions leaders have regarding the SEC cyber disclosure rule. It covers the purpose and timeline of the cyber disclosure regulation, key definitions, including material cyber incidents, disclosure logistics, and ways organizations can begin preparing for compliance. Guidance is provided for leaders on steps companies should take in areas like incident response, materiality analysis, disclosure procedures, and board communications to meet the rule's rigorous standards.
Reviewing this FAQ will equip executives and board members with insights to ensure their organization can comply with the SEC's new cyber incident disclosure rule.
1. What is the new SEC cybersecurity disclosure rule?
The Securities and Exchange Commission (SEC) has instituted a new rule requiring public companies to provide enhanced and standardized disclosures pertaining to cybersecurity risk management, strategy, governance, and security incidents.
Under the new rule, companies will be obligated to report cybersecurity incidents within 4 days if the event is deemed material. Additionally, there will be new annual reporting requirements related to the organization's cybersecurity risk management approach and board of directors oversight of cybersecurity risks.
Guidance: Organizations should ensure they thoroughly understand the new reporting timelines, definitions, and required disclosure details in the new rule. Companies should prepare to meet accelerated timeframes for reporting material cyber incidents.
2. What cybersecurity concerns is the SEC looking to address?
The new rule aims to provide investors with timely, reliable, and consistent information regarding cybersecurity risks and events that could impact them financially.
The SEC recognizes evolving risks from new technologies like artificial intelligence, hybrid remote work environments, and cryptocurrencies. It also acknowledges escalating cyber threats such as ransomware that can profoundly impact investors in companies that suffer material incidents.
Guidance: Organizations should ensure they have a solid grasp of the cybersecurity risk landscape, including emerging threats that could materially impact the business and its shareholders. Stay on top of threat intelligence and re-evaluate risks continually across all of your environments.
3. Is this SEC rule a surprise?
No, the SEC has been focused on enhancing cybersecurity disclosures for many years. The agency provided guidance in 2011 and 2018 utilizing existing disclosure rules.
After monitoring registrants' disclosures and finding room for improvement in the quality and consistency of reporting, the SEC proposed new rules in March 2022 following extensive public commentary. The final rule was approved in July 2023.
Guidance: SEC registrants should review the history of SEC cybersecurity guidance and rules. Understand that while this new rule signifies a regulatory shift, it is an evolution of increasing SEC attention to cyber risks.
4. How is a “cybersecurity incident” defined by the new SEC rule?
A cybersecurity incident is defined as “an unauthorized occurrence, or series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein”. It is worth noting that:
(1) An unauthorized occurrence can also be an accidental occurrence caused by a misconfiguration or error, even if there is no confirmation of malicious activity.
(2) A “series of related unauthorized occurrences” means that, for example, the same malicious actor engaging in a number of small, continuous attacks, or different actors exploiting the same vulnerability, would together be considered a “cybersecurity incident” even if each attack alone is not significant.
(3) “Information systems” is defined broadly, covering not only systems owned by the registrant but also hosted systems, cloud and SaaS (software as a service) systems, and third-party systems.
Guidance: Make sure your processes and procedures for detecting, reporting and responding to incidents address not only significant malicious activities but also the broader scope of “cybersecurity incidents” as defined by the SEC rule.
5. How does this differ from current cybersecurity disclosure best practices?
The 4-day reporting window for material cyber incidents represents a compressed timeline compared to most organizations' current practices. Moreover, the broad definition of “cybersecurity incidents” now covers occurrences and incidents that many companies do not address in their incident response plans and playbooks (see above).
The annual reporting requirements on cyber risk management and board oversight also go beyond many companies' existing disclosures. Additionally, the use of Inline XBRL data format for disclosures diverges from typical word processing and PDF disclosures.
Guidance: Evaluate your current processes for investigating and disclosing material cyber incidents. Consider ways to accelerate detection, investigation, materiality decisions, and public reporting. Also assess increasing board of directors communications and oversight of cyber risks.
6. How is a material cybersecurity incident defined?
The U.S. Supreme Court has defined materiality in multiple cases, stating that information is material if there is a substantial likelihood that a reasonable shareholder would consider it important when making an investment decision.
Information is also considered material if its disclosure would have significantly altered the total mix of information available to a reasonable investor. Importantly, a lack of quantifiable financial harm does not necessarily mean an incident is immaterial.
Guidance: Companies should align their own cybersecurity incident definitions and classifications with the SEC's new material incident designation. Incident response processes should account for incidents spanning owned and third-party systems.
7. How should companies evaluate materiality of a cyber incident?
When assessing materiality, companies should consider factors like the likelihood of an adverse outcome, the potential significance of any loss, the nature and extent of harm to individuals, customers, vendors, reputation, and competitiveness, as well as the possibility of litigation or regulatory investigation. Materiality also extends to cybersecurity incidents involving third-party systems.
It’s also important to note that several smaller incidents that are similar in nature may together be ruled material when a single instance would not. Teams need to be ready to map those incidents to determine if and when they become material.
While there is no specific deadline, companies have an obligation to disclose material information to shareholders without unreasonable delay, starting from when materiality is determined. The determination of materiality itself should also be made promptly.
Guidance: Develop a formal methodology for evaluating cyber incident materiality that goes beyond quantitative factors. Involve stakeholders from legal, PR/communications, business leadership, and cybersecurity to get broad input on potential business impacts. Have systems and support in place to hunt for incidents across environments and evaluate materiality.
8. What details must be disclosed on material cyber incidents?
Disclosures must articulate the nature, scope, timing, and material impacts of the incident upon the company’s financial health, business operations, and reputation. Disclosures should aim to provide investors with a meaningful understanding of the material risks and outcomes.
Guidance: Have robust incident investigation procedures to uncover key details like root causes, data or systems impacted, duration, and business/user impacts. Draft disclosure templates ready for rapid completion when material events occur.
9. Can disclosure ever be delayed?
Disclosure can only be postponed with explicit approval from the U.S. Attorney General if the report would amplify grave national security or public safety risks. The company must proactively request this exemption from typical reporting timelines.
Guidance: Analysis should determine if an incident could qualify for disclosure delay. If relevant, make sure your organization has a playbook ready for applying for disclosure delay. However, proactively getting AG approval will be difficult. Companies should not plan on utilizing delayed reporting timeframes.
10. When do companies need to start complying?
For most public companies, the new rule goes into effect in December 2023. Smaller reporting companies have until mid-2024 to begin adhering to the rule.
Guidance: Immediately initiate projects to evaluate and enhance incident response, materiality analysis, disclosure reporting, and board communications procedures to meet the rule timeframes.
11. How can enterprises best prepare for meeting the new disclosure rule requirements?
Enterprises should take proactive steps to evaluate and enhance their cybersecurity incident response and disclosure procedures in order to comply with the SEC's new rule. Leading up to the rule's effective date, organizations should focus on educating internal and external stakeholders, assessing current processes, strengthening response capabilities, and testing new plans.
Specifically, organizations should:
- Conduct training to educate leaders, cybersecurity teams, investors, and other stakeholders on the details of the new SEC disclosure rule.
- Develop efficient procedures to rapidly ascertain the materiality of cyber incidents based on potential impact to the business and investors.
- Test incident response processes through simulations and tabletop exercises. Verify the ability to swiftly gather key details needed for disclosure like the nature, scope, and timing of material incidents.
- Conduct mock disclosures and practice going through the SEC reporting mechanisms under time pressure. This will build muscle memory for responding quickly during actual incidents.
- Perform gap assessments comparing current incident response and disclosure practices against the new regulatory requirements. Identify areas for improvement.
- Make sure the right tools and capabilities are in place to:
  - Rapidly detect, investigate, and assess the materiality of incidents
  - Collect the needed forensic data across all environments, including cloud and SaaS
  - Document and log series of small incidents and identify when these become a “disclosable” cyber incident
- Review third-party vendor contracts and incident response plans. Ensure their plans allow your company to uphold SEC disclosure duties or seek partners who
12. How can Mitiga help companies meet the new requirement?
Mitiga provides the capabilities and expert teams that enable enterprises to meet the SEC's new cybersecurity disclosure rule. Mitiga's platform is the industry’s most complete cloud threat detection, investigation, and response solution. This next-gen approach enables rapid investigation of cyber incidents, which is critical for making timely materiality determinations and disclosure decisions within the 4-day reporting window.
Mitiga gathers the needed forensic data before a breach takes place and keeps that data on hand for up to three years. This provides ongoing visibility into threats across an enterprise's entire cloud and SaaS estate, and it supports swift investigation into the nature, scope, and timing of cyber incidents. Mitiga's focus on cloud and SaaS environments provides visibility into material incidents affecting third-party systems that fall under the disclosure rule's purview.
In addition, Mitiga’s Managed Threat Hunting provides enterprises with the technology and expert teams to uncover attacks across all their cloud and SaaS environments. Even if a series of smaller attacks takes place, Mitiga can help connect the dots and ascertain whether a material "series of related unauthorized occurrences" has occurred. This situational awareness supports more informed materiality analysis and disclosure creation.
In the critical period during and after an incident, Mitiga's threat hunting can rapidly identify other vulnerabilities that may be exploited in follow-on attacks. This allows companies to determine the full scope of a material incident and put in place containment measures.
Overall, these cloud and SaaS breach readiness, managed threat hunting, and incident investigation and response automation capabilities allow organizations to gather details on cyber incidents, evaluate potential materiality, and disclose details to the SEC within the accelerated time frame required under the new regulation. These are invaluable capabilities in today’s threat and regulatory environment.