The new SEC rules introduce a four-day reporting period for material cyber incidents, emphasise the board’s role in managing cyber risks, and require periodic disclosure of risk management processes. But some things remain ambiguous – what, for instance, constitutes a material cyber incident?
Some history:
- The SEC started focussing on cybersecurity in 2011, providing guidance on cybersecurity disclosures. In 2018, they published interpretive guidance that did not create new obligations but emphasised the importance of policies and processes of cyber risk management.
- The final rule in 2023 represents a significant step in the SEC’s requirements for publicly traded companies in the US: it provides clearer guidance on periodic disclosures of cyber risk management and a new timeline for when material incidents need to be disclosed.
The new rules: A simplified breakdown
- The new rules require publicly traded companies to disclose material incidents within four business days. In the case of a material incident, the company must describe the nature, scope, and timing; and the impact (or likely impact) on the company’s financial condition and operations. The company must also disclose whether the incident has affected the business strategy, including changes in its governance, policies, procedures or technologies.
- The rules also require that public companies describe their cybersecurity risk management, including the board’s role in cyber risk oversight. On a periodic basis, the company should describe how it assesses, identifies and manages material risks from cybersecurity threats. The board’s role in cyber risk oversight must, from now on, also be described alongside any specific board committee or subcommittee tasked with overseeing cyber risk.
The four-day disclosure requirement and the issue of defining materiality:
- The four-day disclosure requirements will put additional emphasis on crisis response processes and cyberattack exercises.
- Importantly, the four-day timeline starts at the time of the incident discovery, not when attackers initiated the intrusion.
- One big challenge remains how to determine the materiality of an incident. The SEC itself defines materiality as there being a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision. The SEC indicated including qualitative factors, such as the harm to reputation, customer or vendor relationships, or competitiveness.
What does the new guidance mean for businesses?
- For board members, the new rule highlights the need to receive regular updates on the company’s cybersecurity risk exposure and the measures in place to manage it.
- For executives, the new rules require closer integration between legal teams, cybersecurity teams, and business executives.
- For cybersecurity teams, the rule emphasises the need for an effective crisis response plan that includes steps to determine the materiality of an incident.
The SEC rules provide guidance for public companies, but they leave room for interpretation. How the SEC will enforce the new rules is yet to be determined – it’ll require a few publicly traded companies to go through the experience of a “material incident.”