Editor’s note: The following is a sponsored blog post from Hyperproof:
It’s a long-awaited announcement: the U.S. Securities and Exchange Commission (SEC) has finally adopted its proposed cybersecurity disclosure requirements after over a year of delays. These disclosure requirements are going to significantly change the way companies operate, which is leaving many cybersecurity, risk management and compliance management professionals with a lot of questions. Let’s answer them.
What’s changing?
The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material. Registrants must also describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or likely material impact on the registrant.
How long do registrants have to disclose a material incident?
Companies must disclose a material cybersecurity incident within four days of recognizing its significant impact on investors. The timing here is important, as it doesn’t come into effect from the occurrence of the breach, but when a company’s legal team classifies it as material. This timeline allows for potential delays in reporting incidents, provided the company obtains written approval from the U.S. Attorney General under special circumstances related to public safety or national security.
Why only four days?
The SEC believes this tighter deadline will help protect investors from the financial risks posed by cybersecurity incidents by giving them more timely data on the impact of material cybersecurity incidents. In specific circumstances, the disclosure may be delayed for national security reasons or to safeguard police investigations. Additionally, companies won’t be penalized if they don’t report an incident and have a reasonable basis for believing that the incident is not material.
What exactly qualifies as a “material cybersecurity incident?”
A material cybersecurity incident is one that is likely to have a significant impact on the company’s business, financial condition or operations. Breaches are on the rise, too: Hyperproof’s 2023 IT Compliance and Risk Benchmark Report found that 1 in 2 companies managing risk ad-hoc or in siloed departments experienced a material breach in 2022.
What exactly do I need to disclose?
In the case of a material cybersecurity incident, companies must disclose the following:
- The nature of the incident
- The impact of the incident
- Steps taken to address the incident
- The company’s policies and procedures for managing cyber risks
Companies also need to disclose which strategies they use for handling cybersecurity risks, including:
- Describing processes for assessing and managing material risks from digital threats
- Detailing the effects of previous cybersecurity incidents and potential future risks
- Discussing board oversight and management’s role and expertise in handling cybersecurity risks
Additionally, public companies must disclose information about how their board oversees cybersecurity risk, including information on how experienced the board is with understanding cybersecurity. The regulations apply to both domestic and foreign private issuers, requiring similar disclosures on different forms for material cybersecurity incidents and for cybersecurity risk management.
When do these changes go into effect?
The final requirements went into effect on 5 September 2023. CISOs and board members should start preparing now to ensure their companies are in compliance with the new rules. The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after 15 December 2023.
The Form 8-K and Form 6-K disclosures will be due on 18 December 2023. Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure.
What’s the overall impact on my business?
Public companies will have to change a lot of their processes to adhere to these new requirements, including carefully evaluating the information they disclose about cybersecurity incidents. Those that don’t comply could face investor lawsuits, SEC enforcement actions and reputational damage.
So, how can you prepare? First, you’ll need to educate your board members quickly about cybersecurity risk. SaaS platforms like Hyperproof can be leveraged to help with this process so your board understands your risk posture and how risk is mitigated at your company. Your board should also have complete visibility into your company’s controls and how they are linked to your risks, as well as fast and easy reporting to understand where you stand at a glance. Ultimately, CISOs and board members will need to be in much closer contact moving forward, which brings its positives and negatives. But one upside is that CISOs will now have a bigger seat at the boardroom table to showcase the importance of their work.
About the author: Kayne McGladrey, CISSP, is the field CISO for Hyperproof and a senior member of the IEEE. He has over two decades of experience in cybersecurity and has served as a CISO and advisory board member, and focuses on the policy, social, and economic effects of cybersecurity lapses to individuals, companies, and the nation.