What We Know About The SEC’s New Cyber Disclosure Rule
As cyber threats escalate in frequency and severity, IT and security teams face increased pressure to maintain transparency. With this in mind, the US Securities and Exchange Commission's (SEC) Cyber Disclosure Rule, adopted on 26 July 2023, mandates timely and detailed public disclosures about material cyber incidents and about how registrants govern and manage cyber risk.
This rule places a heavy burden on chief information security officers (CISOs), chief information officers (CIOs), and chief technology officers (CTOs): they must not only manage threats but also communicate critical information to investors, stakeholders, and regulators in a manner that satisfies SEC requirements.
Let’s take a closer look at the SEC’s new cyber disclosure rule and what security and IT professionals need to do to prepare for this new era of cyber transparency.
A New Challenge for CISOs and CIOs
The SEC's Cyber Disclosure Rule changes the way companies handle cyber incidents. Quietly mitigating a breach behind the scenes is no longer enough. Now, registrants must publicly disclose material cyber incidents and provide specific information about their cybersecurity governance and risk management processes.
The SEC applies the long-standing securities-law standard of materiality: an incident is "material" if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision. Note that the test is investor-focused, not purely technical; an incident with modest technical scope can still be material if its financial, legal, or reputational consequences would matter to a reasonable investor.
The SEC’s rule introduces specific requirements for public companies in three key areas: governance, risk management, and incident reporting.
- Enhanced Governance and Strategy Disclosures: In their annual reports, firms must describe their processes for assessing, identifying, and managing material cybersecurity risks, including whether and how those processes are integrated into the overall enterprise risk management program, the role of third-party assessors, consultants, and auditors, and whether any cyber risks have materially affected, or are reasonably likely to materially affect, business strategy, operations, or financial condition. Firms must also describe the board's oversight of cyber risk and management's role and expertise in assessing and managing it.
- Coordination Across Departments: Effective incident disclosure cannot happen without close collaboration between IT, finance, legal, and risk teams. CISOs must confirm that technical details are translated into meaningful insights for business leaders, legal advisors, and financial stakeholders, because that coordination is what establishes whether an incident is "material" and needs to be disclosed in an SEC filing.
- Timely Incident Reporting: CISOs and CIOs must ensure that cyber incidents are escalated to the appropriate stakeholders swiftly. The SEC requires a material cyber incident to be reported on Form 8-K within four business days of the company determining that the incident is material, and that materiality determination must itself be made without unreasonable delay after discovery, so the clock cannot be paused by deferring the decision. The filing must describe the material aspects of the incident's nature, scope, and timing, and its material impact (or reasonably likely material impact) on the company, including its financial condition and results of operations. Because incident details are often incomplete at the time of filing or evolve over time, companies must amend the filing as information that was unavailable or undetermined becomes known. The only recognised exception is a delay granted when the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety. This tight deadline will test any company's ability to detect, assess, and communicate complex cyber events across multiple teams.
Key Dates for Compliance
- Governance, Risk Management, and Strategy Disclosures: These annual-report requirements took effect for fiscal years ending on or after 15 December 2023.
- Cyber Incident Reporting: The Form 8-K material incident disclosure requirement took effect on 18 December 2023. Smaller reporting companies (broadly, those with a public float under US$250 million, or with annual revenues under $100 million and a public float under $700 million) were given an additional 180 days, so their obligation began on 15 June 2024.
The Cost of Non-Compliance
The rule does not introduce a separate penalty schedule; instead, violations are subject to the SEC's existing and extensive enforcement authority. The article's estimate is that fines may reach as high as $25 million, with additional disruptive measures possible, such as cease-and-desist orders or the suspension of trading.
More troubling still is the heightened risk of lawsuits from investors or stakeholders if companies fail to disclose significant cybersecurity incidents. Because the rule produces consistent, public statements about cyber governance and incidents, it also gives activist investors and plaintiffs a concrete record against which to hold companies accountable for any lapses.
The SEC has shown its teeth plenty of times before. Most recently, it charged four public companies and imposed fines for misleading disclosures about the impact of the SolarWinds compromise on their environments. Sanjay Wadhwa, acting director of the SEC's Division of Enforcement, said in a statement: "As today's enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered."
How to Prepare for the SEC’s Cyber Disclosure Rule
The new rule raises several critical questions for IT and security practitioners. How can they accurately and consistently determine materiality in the middle of an incident, when facts are still emerging? What can they do to limit their exposure to compliance risk?
Even if a compliance plan is already in place, there are three key steps CISOs, CIOs, and CTOs should take to ensure readiness.
Assess Your Cyber Risk Posture
The first step is to verify that your business's cybersecurity management program aligns with the SEC's final rule. This means understanding your cyber risk posture and determining whether the program can deliver on its mission while producing the evidence the SEC's disclosures require: documented risk assessment processes, a record of board and management oversight, and incident records complete enough to support a materiality decision. Even entities that are confident in their cybersecurity controls may need to improve their documentation and reporting to support these more stringent disclosures. Understanding how your practices compare to peers and competitors also matters, because once consistent, comparable disclosures are public, investors will make exactly that comparison.
Establish a Materiality Framework
Determining the materiality of a cyber incident is a joint effort across departments. Establish a structured process that involves legal, finance, and risk management teams so that materiality judgments are consistent and defensible. Develop a clear materiality policy that defines thresholds and ensures that incident attributes and metadata (discovery date, affected systems and data, business impact, containment status) are tracked accurately from the moment an incident is opened. Those records are what allow your company to assess and disclose incidents as they arise, and to show that the materiality determination was made without unreasonable delay.
Working closely with stakeholders such as the CFO and general counsel, create a materiality framework that captures the data needed for reporting. The framework should be flexible enough to account for the complexity of cyber incidents, including those with long-term impacts and series of related incidents that are immaterial individually but material in aggregate. Clear guidelines for what constitutes a material cyber incident will help your team navigate these difficult decisions under time pressure.
Strengthen Internal Communication and Collaboration
CISOs and CIOs need to form the center of a cross-functional team charged with SEC disclosures. This team should include representatives from finance, legal, risk, and investor relations to ensure that incident information is communicated accurately and efficiently across the business.
- Board and CEO: Make sure that both the board and CEO receive concise, actionable data about cyber risks and incidents. The board will need to assess how cyber incidents could impact the company’s overall risk profile, while the CEO will focus on ensuring that the company meets its obligations under the new SEC rule.
- CFO: Work closely with the CFO to produce investor-grade information during a cyber incident, particularly when determining materiality and its impact on financial health.
- Internal Audit: Coordinate with internal auditors to assess the firm’s cybersecurity controls and see that the entire organization is equipped to respond to cyber incidents and generate the required disclosures.
Upping the Ante
The SEC's new Cyber Disclosure Rule raises the stakes for public companies when it comes to incident reporting and transparency. IT and security teams will have to verify that their organizations can meet these requirements, not just on paper but under the pressure of a live incident.
The clock is ticking. Companies that are not already prepared must prepare now: assess risk postures, set out materiality frameworks, and build strong internal communication channels. By doing so, CISOs and CIOs can position their companies to meet the SEC's expectations and avoid hefty penalties for non-compliance.