New SEC Requirements for Cybersecurity Disclosures
- September 19, 2023
- Canary Trap
In response to the undeniable rise of cybersecurity risks, the huge financial costs, and the negative impact companies, organizations, and even national governments have experienced after major cyber attacks, the new rules adopted by The Securities and Exchange Commission (SEC) seek to address the lack of standardization regarding disclosure.
The new regulations adopted by the SEC require registrants to disclose significant cybersecurity incidents, as well as annually disclose pertinent information about their cybersecurity risk management, strategy, and governance. Comparable disclosure requirements have also been mandated for foreign private issuers.
What Does This New Regulation Entail?
According to a report from U.S. News, “The Securities and Exchange Commission adopted rules […] to require public companies to disclose within four days all cybersecurity breaches that could affect their bottom lines. Delays will be permitted if immediate disclosure poses serious national security or public safety risks. The new rules […] also require publicly traded companies to annually disclose information on their cybersecurity risk management and executive expertise in the field.”
Under the new rule, registrants are required to report material cybersecurity incidents under a newly introduced item, Item 1.05 of Form 8-K. The disclosure should describe the material aspects of the incident, such as its nature, scope, and timing, as well as its impact, or reasonably likely impact, on the registrant. Additionally, a new Regulation S-K Item 106 was introduced, which requires registrants to describe their processes for identifying and managing cybersecurity risks.
The requirement extends to detailing the board of directors’ oversight and the management’s capabilities in assessing and managing these material risks. These disclosures will be mandatory in a registrant’s annual Form 10-K report.
Foreign Private Issuers and Annual Reports
Foreign private issuers are not exempt either. They will be required to provide similar disclosures, specifically on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.
For annual reports, compliance is due for fiscal years ending on or after December 15, 2023. The compliance date for Form 8-K and Form 6-K incident disclosures was the later of 90 days after publication in the Federal Register or December 18, 2023. Smaller reporting companies have an additional 180 days before they are obliged to begin submitting the Form 8-K disclosures. Further, all registrants must tag these new disclosures in Inline XBRL beginning one year after their initial compliance with the new disclosure requirements.
The final rules became effective September 5th, which means that with regard to Item 106 of Regulation S-K and Item 16K of Form 20-F, all companies must provide the required disclosures beginning with annual reports for fiscal years ending on or after Dec. 15, 2023.
With respect to compliance with the incident disclosure requirements in Item 1.05 of Form 8-K and in Form 6-K, all companies other than smaller reporting companies must begin complying Dec. 18, 2023. Smaller reporting companies must begin complying with new Item 1.05 of Form 8-K by June 15, 2024.
With respect to compliance with the structured data requirements, all companies must tag disclosures required under the final rules in Inline XBRL beginning one year after the initial compliance date. As a result: (i) for Item 106 of Regulation S-K and Item 16K of Form 20-F, all companies must begin tagging responsive disclosures in Inline XBRL with annual reports for fiscal years ending on or after Dec. 15, 2024; and (ii) for Item 1.05 of Form 8-K and Form 6-K, all companies must begin tagging responsive disclosures beginning Dec. 18, 2024.
Key Terms as Described by the SEC
The new regulations rely on several defined terms that organizations should become familiar with before preparing their disclosures:
- Cybersecurity Incident. It’s an unauthorized occurrence, or a series of related unauthorized occurrences, conducted through a company’s information systems that jeopardizes the confidentiality, integrity, or availability of a company’s information systems or any information residing therein.
- Cybersecurity Threat. Any potential unauthorized occurrence conducted through a company’s information systems that may result in adverse effects on the confidentiality of the company’s systems and data.
- Information Systems. That means any electronic information resources owned or used by the company, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of the company’s information to maintain or support the company’s operations.
- Material. An incident is material when there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision. This is not a black-and-white standard, so there is no simple rule to follow.
The reality is that most companies will have to follow this regulation without really being prepared. Sumo Logic’s CSO, George Gerchow, mentioned: “We are trying to understand what a ‘material incident’ means, but it’s still too ambiguous. Furthermore, there is very little guidance on how companies should handle third-party attacks. Supply chain attacks are on the rise and add another layer of complexity to reporting the full nature and scope of an incident.”
How Should You Prepare for the Requirements?
Now that the new rules have come into effect, disclosure practices at many companies will have to change significantly. In order to remain in compliance with the new regulations, public corporations will need to take several specific actions:
- Refine their incident response policies to include a well-defined escalation pathway for incidents to reach corporate leadership or a dedicated disclosure committee. Additionally, they should establish disclosure controls to accurately evaluate the impact of cybersecurity incidents on the organization.
- Develop a framework that enables a quick materiality assessment following the discovery of a cybersecurity incident. This will facilitate timely decision-making about whether the SEC’s disclosure obligations are triggered.
- Update or create disclosure controls that streamline the reporting of significant cybersecurity incidents. This should encompass details such as the incident’s nature, scope, and timing, as well as its immediate or likely impact on the organization, and it must be done within the four-business-day window stipulated by the new Item 1.05 of Form 8-K. Any required information that is not available or determined at the time of the initial Form 8-K filing should be provided in an amended filing once it becomes available.
- Incorporate new disclosure elements into the company’s annual report. These should outline the organization’s methods for assessing, identifying, and managing key risks associated with cybersecurity threats. Furthermore, the disclosures should discuss whether such threats have had or are reasonably likely to have a material impact on the company’s strategy, operational results, or financial standing. They should also shed light on the board’s role in overseeing cybersecurity risks and how management is involved in assessing and managing these risks.
Is Four Days Enough Time?
Concerning the four-day reporting timeframe, it’s important to clarify that the clock starts ticking not upon discovery of the incident, but once the company determines that the incident is material.
Moreover, this reporting requirement is separate from any state-level data breach notification laws. Even if state laws permit delayed notifications, such allowances do not supersede the SEC regulations. As a result, organizations must be mindful of their obligations under all applicable laws regarding breach notifications.
In every situation, companies should maintain a detailed timeline to demonstrate that materiality determinations were made promptly. Careful documentation is necessary, including the dates when information was initially received, assessed, updated, and ultimately determined to be material.
It is advised that existing incident response protocols be revised to specify who bears the responsibility for making disclosures, and under what circumstances an incident is considered material either on its own or in conjunction with other incidents.
It is recommended to review communication procedures to guarantee rapid notification to organizational leaders, board members, and other stakeholders. One useful strategy is to benchmark your company’s cybersecurity program against a peer organization. This can offer valuable insights, especially considering that investors are likely to make similar comparisons to assess the adequacy of your cybersecurity measures. An additional best practice is to reevaluate contracts with third-party vendors to ensure they have mechanisms in place for swift and effective cyber incident reporting.
Organizations need to strike a delicate balance in their reporting obligations: over-reporting could inadvertently introduce additional risks and complexities, a concern that has been voiced as a critique of the new SEC regulations.
Impact for Canadian Issuers
Canadian issuers who are eligible for the Multi-Jurisdictional Disclosure System (MJDS) can rely on Canadian disclosure standards to meet the SEC’s registration and reporting requirements. Consequently, the SEC did not alter the Form 40-F annual reports for MJDS issuers. The only amendment made to Form 6-K is the inclusion of material cybersecurity incidents as an event that might necessitate the filing of the form.
Canadian law firm Osler highlighted in an article that “a key difference between the U.S. and Canadian approaches is the SEC mandates the filing of a Form 8-K within four business days of determining that the cybersecurity incident is material whereas, under Canadian securities law and stock exchange requirements, a press release is required to be issued forthwith upon determining that the cyber breach is material.
The SEC provides guidance on how issuers should make materiality determinations in assessing when a material cybersecurity incident has occurred. If the new rules are seen as improving the quality and timeliness of disclosure on cybersecurity matters for U.S. securities law purposes, they will likely influence the approach to making materiality determinations for Canadian securities law purposes.”
In Canada, companies are generally obligated to immediately issue a news release detailing the nature and specifics of any material changes, including cybersecurity incidents. The Toronto Stock Exchange has a similar requirement. In contrast, U.S. domestic issuers are mandated by the Rules to file Form 8-K within four business days after determining the materiality of a cybersecurity incident.
While Canada’s securities laws don’t yet include specific guidelines for cybersecurity disclosures, the Canadian Securities Administrators (CSA) did publish a notice in 2017 that outlines some disclosure expectations. The CSA continues to monitor trends and review the adequacy and timing of cybersecurity reporting. With the SEC’s recent adoption of Rules around cybersecurity, it is plausible that this could influence Canadian reporting practices in the future.
Given this evolving landscape, companies should take steps to implement robust cyber risk management programs capable of rapidly identifying, managing, and responding to cybersecurity risks. Efficient communication protocols should also be established, alongside regular training and expertise development in cybersecurity matters.
Lastly, it’s crucial to understand that these Rules are separate from any data breach reporting obligations under Canadian private-sector privacy laws, including Federal and Quebec laws. Therefore, companies must be diligent in fulfilling all regulatory requirements, both in the U.S. and Canada.
The new SEC rules put a spotlight on reporting as well as on incident response. Before taking steps to adopt new standards, it’s essential for an organization to have an in-depth grasp of its existing cybersecurity infrastructure and posture. Questions to consider include: Are the current security policies up to date? What are the mechanisms for their management, implementation, and enforcement?
Based on the outcomes of a comprehensive risk assessment, organizations should choose and implement appropriate controls. Even after these controls are operational, a level of “residual risk” will persist, which makes an early detection capability necessary to monitor for potential breaches.
Additionally, security teams should engage in tabletop exercises to rehearse and refine their incident response procedures. Such exercises also ensure that the team can disseminate vital information within the mandated timeframes.
Being adequately prepared for cybersecurity threats is a foundational element of any effective incident response program. The new rules make it essential that companies know what needs to be reported, and when.