Wed, Oct 25, 2023

Tackling the 2023 SEC Cybersecurity Rules

John deCraen

Christopher White

The new rules from the U.S. Securities and Exchange Commission (SEC) on reporting mark a significant shift in the requirements for disclosing cyber breaches, leaving many businesses wondering how their cybersecurity practices will be impacted in the long run. These new rules create significant new disclosure obligations for public companies, requiring timely and detailed disclosures of material cybersecurity incidents and periodic disclosures about cybersecurity risk management and governance.

The new guidance, which the SEC passed in July 2023 (the “2023 Guidance”), is an accelerated evolution of its 2018 Guidance and proposes several notable changes. In addition to the new cybersecurity rules, the SEC Division of Examinations released its 2024 examination priorities, which our Compliance team addressed in a separate article

The updates put more demands on already pressured businesses and underpin the importance of having a robust incident response plan plan, a process we identified in businesses with mature cyber practices in our Detection and Response Maturity Model. Alongside these changes, organizations also face preparing for the EU Digital Operational Resilience Act (DORA), which requires all companies across member states to ensure that they can withstand, respond to and recover from Information and Communications Technology (ICT) related disruptions and threats. Like the new SEC rules, this regulation means that businesses must act by carefully reviewing and updating their ICT and information security practices and processes.

In the new rules, the SEC has:

Narrowed the scope of incident disclosure.
Added a limited delay for disclosures that would pose a substantial risk to national security or public safety.
Required certain updated incident disclosure on an amended Form 8-k/6-K (instead of a Form 10-Q/10-K/20-F).
Omitted aggregation of immaterial incidents for the materiality analysis.
Streamlined the risk management, strategy and governance disclosure requirements.
Declined to adopt the proposed requirement to disclose board cybersecurity expertise.

The Detail Behind the Changes

The updated disclosure requirements fall into a couple of key areas: risk management and strategy (regulation S-K Item 106b), governance (regulation S-K Iten 106b), material cybersecurity incidents (Form 8-K Iten 1.05), and foreign private issuers (FPIs) (Form 6-K).

We’ve broken down those fundamental changes below:

Tackling the 2023 SEC Cybersecurity Rules Kroll Cyber Risk

Foreign Private Issuers (Form 6-K)

The rules amend Form 6-K to require FPIs, which are required to furnish such reports, to disclose on Form 6-K material cybersecurity incidents that they disclose or otherwise publicize in a foreign jurisdiction to any stock exchange or security holders promptly after the material contained in the report is made public.

Further, there are amendments to Form 20-5, in which FPIs must describe the board’s oversight of risks from cybersecurity threats and also describe management’s role in assessing and managing material risks from cybersecurity threats.

Governance (Regulation S-K Item 106c)

Registrants must be able to describe the Board of Directors’ oversight of cybersecurity and management’s role in assessing and managing material risks from cybersecurity threats.

Material Cybersecurity Incidents (Form 8-K Item 1.05)

Registrants must disclose any cybersecurity incident they experience that is determined to be material and describe the material aspects of its nature, scope, and timing, and the impact or reasonably likely impact. In this context, a material incident is defined as one that has affected or is reasonably likely to affect an organization strategically, operationally or financially. Organizations should also consider qualitative and quantitative factors, such as damage to competitiveness, business reputation, customer relationships and potential litigation or regulatory investigations. We look at materiality in more depth later on.

An Item 1.05 Form 8-K must be filed within four business days of determining an incident was material. A registrant may delay filing as described below if the U.S. attorney general (“attorney general”) determines immediate disclosure would pose a substantial risk to national security or public safety. Registrants must amend a prior Item 1.05 Form 8-K to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing.

Risk Management and Strategy (Regulation S-K Item 106b)

Registrants must describe their processes, if any, for assessing, identifying and managing material risks from cybersecurity threats. They must also explain whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations or financial condition. The SEC recommends enlisting help from third-party cyber experts for drafting, documenting and implementing the strategy.

The Detail Behind the Changes

We’ve broken down those fundamental changes below:

Foreign Private Issuers (Form 6-K)

Governance (Regulation S-K Item 106c)

Registrants must be able to describe the Board of Directors’ oversight of cybersecurity and management’s role in assessing and managing material risks from cybersecurity threats.

Material Cybersecurity Incidents (Form 8-K Item 1.05)

Risk Management and Strategy (Regulation S-K Item 106b)

How the Changes Will Impact Organizations

Under the 2023 Guidance, businesses must disclose the existence of and the key details surrounding a cybersecurity incident within four business days of determining that an incident is material. This requirement will eventually result in a more publicly accessible repository for cybersecurity incidents affecting public companies through SEC filings. While that may not seem significant, there is currently no centralized, permanent record of incidents. News coverage, press releases, notifications and company announcements can become more challenging to find a few months after the event. Most notable trackers are privately held or equally incomplete.

There will be some confusion in the short term as companies evaluate how to address the rules. It wouldn’t be surprising to see companies err on the side of sharing limited information, especially if they are actively responding to an incident.

For now, companies should evaluate the ruling requirements as one of many drivers for public disclosure, on top of GDPR or HIPAA requirements, operational realities in the event of disruptions due to an incident, or individual notification requirements.

Defining a Material Incident

The rules offer little clarity on what makes an incident material. Certainly, in making that determination, it will be necessary to consider how the incident affects the company’s operations, the effects of the incident on the organization’s reputation, whether (and what) data may have been released, the likely time to recover operations, the costs associated with the incident, the need for notifications of affected consumers or customers, state or federal disclosure requirements, and more.

The decision comes down to the company—hopefully in conjunction with counsel—making the determination of whether an incident is material. If a company concludes the incident is not material—and thus doesn’t require an 8-K disclosure—it should be prepared to defend that conclusion against a regulator or lawsuit. Evidence to support the decision of whether an incident is material or not should, therefore, be carefully considered.

The 2023 Guidance and Company Boards

The final rules require disclosing the board’s oversight of risks from cybersecurity threats. However, the SEC abandoned the proposed requirement to disclose the board’s cybersecurity expertise. Still, there is a clear obligation on the part of boards to exercise appropriate oversight of cybersecurity. Some companies question whether the SEC expects robust cybersecurity program oversight by a dedicated cyber committee with cyber experts. While a dedicated cybersecurity committee might not be mandated at this stage, we believe all companies should have reliable cybersecurity expertise available to advise on and/or implement policies and controls.

As with other areas of risk management, the board of directors is expected to take a thoughtful and company-specific approach to determining an effective and appropriate structure for oversight of cybersecurity risk. This should include increasing board-level education on cybersecurity, deep-dive discussions with management, and external programs or presentations from law enforcement and other third-party experts on the threat environment, attack trends and common vulnerabilities.

Responding to the Rule Changes: Key Approaches

When looking at this issue from a long-term perspective, businesses will benefit by keeping the following recommendations in mind, given that a perceived failure to carry out these responsibilities could result in regulatory action or litigation:

Insist on a Periodic Cybersecurity Risk Assessment

This should be documented and updated to stay current. It is useful if the assessment and the cybersecurity program align with major accepted cybersecurity frameworks, like the Cybersecurity Framework from the NIST, the controls from the Center for Internet Security (CIS) or the security and risk frameworks from the International Standards Organization (ISO).

Recognize the Importance of Audit and Compliance

Audit and compliance testing can provide management and the board with an evidence-based evaluation of how well the organization carries out its cybersecurity standards and programs. Without compliance testing, a board may discover that the standards it relied on in its cybersecurity oversight were nothing more than an agreement on paper. Businesses should insist that their evaluations are evidence-based. They should engage specialists independent of the company and its management if they need specialized support.

Don’t Ignore the Issue Until There is a Problem

Companies should approach this issue proactively. It is not a matter of what the board should do when an incident occurs but what it does to help mitigate the risk of incidents occurring. If the board sets standards for cybersecurity oversight, it should ensure those standards are met. Further, it should determine if the board members’ collective cybersecurity knowledge gives them a reasonable ability to independently evaluate the information provided by the company’s management and IT specialists. This area is one in which the board should consider the advisability of enlisting outside help focused on supporting the board’s need to carry out effective oversight beyond the information provided by management.

Responding to the Rule Changes: Key Approaches

Insist on a Periodic Cybersecurity Risk Assessment

Recognize the Importance of Audit and Compliance

Don’t Ignore the Issue Until There is a Problem

Navigating Effective IR and Disclosure Requirements

The more aggressive disclosure timeframe of the new SEC ruling underscores the importance of ensuring that effective disclosure controls and procedures are in place for escalating potentially material events to senior legal and business leaders to achieve accurate and timely reporting.

Companies will need to quickly determine whether an incident is material such that a Form 8-K is required, if disclosure is required, and how to ensure that it meets SEC requirements without compromising the effectiveness of its response or remediation plans.

Helpfully, the 2023 Guidance specifically indicates that companies will not be expected to disclose specific technical information about their incident response or their cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede their response or remediation efforts.

Companies should evaluate their existing disclosure controls and procedures considering SEC’s final cyber rules to:

Identify relevant stakeholders and assign responsibility.
Review existing frameworks for escalating and analyzing cybersecurity-related data.
Prepare an incident response plan that incorporates materiality determinations at an early stage.
Design, implement and test heightened disclosure controls.
Train employees to recognize and escalate issues.

As with the new DORA regulation, having a robust incident response program with a trusted partner is a key step in ensuring a business can disclose a security incident and comply with these new rules. Businesses cannot afford to wait for an incident to ensure compliance; at that point, it will be too late for action. No organization is immune to a material cyber incident. Businesses must be prepared with a strong incident response plan that has been extensively practiced, with multiple scenarios and tabletop exercises.

Improve Cyber Risk Management, Governance and Incident Disclosure in Alignment with SEC Cyber Rules

Tackling the 2023 SEC Cybersecurity Rules

Meeting the new SEC ruling can seem daunting, but organizations can prepare by working with a trusted security partner. Kroll’s virtual chief information security officer (vCISO) and advisory services both available as part of our flexible Cyber Risk Retainer enable companies to safeguard information assets in a way that allows them to adhere to the new SEC rules and other regulatory requirements more effectively. With Kroll’s world-class cyber expertise on their side, organizations can signal to customers and regulators that they have a renewed commitment to data security while enhancing their overall security posture.

While the new SEC rules may cause some initial headaches, they also present a valuable chance for organizations to reset their approach, away from over-reliance on well-worn, familiar ways of working. By embracing the new rules as an opportunity to update their cyber strategy and collaborate with proven security partners, boards can better mitigate the threat of organizational over-confidence.

SEC Division of Examinations Announces 2024 Priorities

The 2024 examination priorities highlight a variety of recurring and new risk areas. Our experts dissect the priorities for investment advisers, registered investment companies and broker-dealers.

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Cyber Risk

Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.

Cyber Risk Retainer