This year (2024), the United States Securities and Exchange Commission (SEC) is set to implement a new cybersecurity rule that will bring significant changes to the way companies report their cyber-related incidents and risks. This rule aims to standardize disclosures, ensuring that investors receive consistent and comprehensive information about cybersecurity practices and breaches. Companies will need to closely examine their cybersecurity policies, incident response plans, and reporting mechanisms to align with the forthcoming regulatory expectations.
The rule is not just about reporting past incidents; it also requires the disclosure of potential cybersecurity risks that could affect a company's operations or financial condition. This forward-looking aspect of the rule underscores the SEC's intent to provide investors with a broader understanding of the cyber landscape and its implications for the companies they invest in.
Key Requirements for Companies Under the New SEC Rule
This new SEC cybersecurity rule outlines several key requirements that companies must adhere to.
It mandates timely reporting of material cybersecurity incidents. According to The US Securities and Exchange Commission, “Public companies must provide the required cybersecurity incident disclosure within four business days after the company determines the incident to be material [1].” Companies will have to quickly assess incidents to determine materiality and make prompt disclosures if they are deemed significant. The rule also requires companies to disclose their cybersecurity governance practices, including the board's oversight and management's role in addressing cyber risks.
Additionally, you will need to disclose this information via an 8K form filing. This is not to be confused with the 10K annual form filing. The 8K form is specifically for disclosing incidents after they occur, whereas the 10k is the annual report which now must include details describing your cyber program.
While each 10k form may differ depending on the organization requesting the disclosure, you can get a general idea of what they may look like by searching 10k and 8k filings using the Edgar Tool.
Remember, 8K and 10K forms are considered PUBLIC information, so only disclose details of your cyber strategy that are absolutely required by the requesting organization.
We will discuss these forms and best practices more at length in our future blogs. But it is good practice to make yourself aware of what may be required for material disclosure.
Also, companies must describe how they identify and manage cybersecurity risks and discuss the cybersecurity expertise of their board members. The new rule compels organizations to be transparent about their cyber health and preparedness, thus aiming to foster a safer and more resilient corporate landscape in the face of growing cyber threats.
The Role of Materiality in Cybersecurity Disclosure
Material impact serves as a cornerstone in the SEC's cybersecurity disclosure rule. It determines what information a company must disclose to its investors. A 'material' cybersecurity incident is one that is likely to have a substantial effect on the financial condition or operating performance of a company. This definition requires companies to exercise judgment and consider both qualitative and quantitative factors when assessing the severity of a cyber event.
Materiality also plays a pivotal role in the timing of disclosures. Companies must balance the need for prompt reporting with the necessity of gathering sufficient information to ensure accurate and meaningful disclosures. It's a delicate task that requires companies to have robust incident detection and assessment procedures in place.
We have found that organizations that have developed a “Material Scoring Tool” based on the qualitative and quantitative factors described above, while aligned to the organization’s unique situations and environment are generally more successful and faster in the determination of materiality.
Strategies for Compliance with Enhanced Disclosure Obligations
Compliance with the enhanced disclosure obligations of the 2024 SEC cybersecurity rule calls for a proactive approach. Companies are advised to start by evaluating their current cybersecurity posture and incident response plans. They should ensure that their policies are robust enough to identify and manage cybersecurity risks effectively. Developing a clear communication strategy for potential disclosures is also essential.
It's important for companies to establish a cross-functional team that includes legal, IT, cybersecurity, and investor relations experts to handle incident assessment and disclosure. Regular training and simulation exercises can help prepare this team to act swiftly and effectively in a cybersecurity incident. Companies may also consider leveraging external advisors to ensure that their disclosure practices meet the new regulatory standards.
Anticipating the Impact of SEC’s Cybersecurity Disclosure on Investors and Markets
The introduction of the SEC's cybersecurity disclosure rule is expected to have a significant impact on investors and the markets. Enhanced transparency will allow investors to make more informed decisions, potentially influencing their investment strategies. Companies with strong cybersecurity postures and clear disclosure practices may see increased investor confidence, while those with weaker cyber practices might face scrutiny or declining investor trust.
The rule may also prompt a broader shift in market dynamics, as companies may face competitive pressures to improve their cybersecurity measures. This could lead to a more cyber-resilient market environment, benefiting investors, companies, and the economy. As the implementation of the rule approaches, all market participants should prepare for the changes and challenges that lie ahead.
Need Help Enhancing Your Cybersecurity Posture?
Improving your cybersecurity practices and establishing alignment between business and IT initiatives can improve your odds of getting the coverage you need. At IE we specialize in fortifying your defenses and helping you to establish alignment between departments. The cyber threat landscape is ever-changing, and our team can ensure you are prepared. Follow the link below to learn how our vCISO offering can help.
