Transparency in the disclosure of cybersecurity incidents for public companies is no longer good practice – it’s now a regulatory necessity. The imminent requirement for public companies to disclose current material cybersecurity incidents is set to reshape the disclosure landscape for public companies. It brings forth a myriad of considerations that Chief Information Security Officers (CISOs) and cybersecurity professionals need to be aware of.
In this blog, I’ll dissect the important nuances of the rule and outline five key things things that CISO’s need to know about the SEC’s cybersecurity disclosure requirements – particularly focusing on the incident disclosure requirements. From the SEC’s definition of what constitutes a cybersecurity incident, it’s effective date, and the impact on existing disclosure requirements, these are the key facts and vital information needed to navigate this new regulatory terrain.
1. Applicability and Effective Date of the SEC Cybersecurity Disclosure Rules
The rule applies to public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. Public companies, irrespective of their size, must:
- disclose material cybersecurity incidents and,
- provide regular disclosure on cybersecurity risk management and governance processes in a more standardized manner.
The final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Response was released by the SEC on July 26, 2023. The final rule became effective on September 5, 2023. Phased enforcement of specific regulations begins in December 2023 as laid out in Table 1 below.
| Type of Disclosure | Effective Date | Applicability |
| Annual disclosure on cybersecurity risk management processes (Item 106 of Regulation S-K and item 16K of Form 20-F) | December 15, 2023 | All public companies |
| Material Incident Disclosures (Item 1.05 of Form 8-K and in Form 6-K) | December 18, 2023 | Public companies (excluding smaller reporting companies) |
| December 18, 2023 | Foreign Private Insurer filing on Domestic Forms | |
| June 15, 2024 | Smaller reporting companies | |
| Responsive annual disclosure in Inline XBRL (Item 106 of Regulation S-K and item 16K of Form 20-F) | December 15, 2024 | All public companies |
| Responsive material incident disclosure in Inline XBRL (Item 1.05 of Form 8-K and in Form 6-K) | December 18, 2024 | All public companies |
As CISOs gear up for compliance, it’s imperative to note the various compliance of the rule’s effective compliance enforcement dates above, particularly the imminent requirement for disclosure of Material Incidents.
2. Definition of a Cybersecurity Incident
As the SEC Cyber Disclosure Rule comes into focus, one of the central concepts that CISOs must grapple with is the nuanced definition of a “cybersecurity incident” laid out by the SEC. Understanding this definition and its implications is crucial for accurately gauging reporting obligations and ensuring compliance post incident.
Cybersecurity incident means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.
https://www.sec.gov/files/rules/final/2023/33-11216.pdf
Breaking down the definition into various elements is important to highlight the broadness of this definition.
Cybersecurity incidents means….
| an authorized occurence, or a series of related unauthorized occurrences, | The focus on unauthorized occurrences, including related occurrences ensures that this definition is not limited to malicious attacks or threats, but includes every occurence or event that was unauthorized and ensures they must be assessed in isolation and in aggregate. |
| on or conducted through a registrant’s information systems | It is further clarified that the occurence can be on or conducted through the organization’s systems. This could require organizations to consider network based events. |
| that jeopardizes | The use of the word jeopardizes expands the assessment from actual impact to potential impact from the unauthorized occurence. This is particularly important when considering the materiality of the incidents. |
| the confidentiality, integrity, or availability | The inclusion of the three tenets of security (Confidentiality, Integrity or Availability), ensures that the definition encompasses a wide range of cyber threats, from data breaches and ransomware attacks to system disruptions and unauthorized access, credential compromise, as well as unauthorized changes to systems or data. |
| of a registrant’s information systems | Hidden within this scope is a defined term for information systems that clearly indicates it is not only resources that are owned, but also used by the registrant. Crucially, this expands the rule beyond a company’s internal systems. CISOs need to consider not only the security of their own infrastructure but also the potential impact on or from third-party systems used by the registrant. |
| or any information residing therein. | The inclusion of any information residing on systems means that any data accessible on the systems in scope should be considered. |
The expansive definition of a cybersecurity incident reflects the dynamic and evolving nature of cyber threats. CISOs should adopt a proactive stance, continuously reassessing their cybersecurity posture and incident response capabilities to align with this broad definition.
3. Impact on Existing Cybersecurity Disclosure Requirements
As CISOs delve into the intricacies of the SEC Cyber Disclosure Rule, a critical aspect to navigate is how this regulation interfaces with existing disclosure requirements. The SEC Cyber Disclosure Rule enhances and supplements existing disclosure obligations rather than replaces them.
Public companies must still adhere to their pre-existing disclosure obligations under securities laws, privacy laws, CIRCIA and other regulations. The new rule acts as a complementary framework, specifically addressing the unique challenges posed by cybersecurity and particularly cybersecurity incidents. CISOs must carefully assess these additional requirements and integrate them seamlessly into their existing disclosure processes. This may involve enhancements to incident response plans, communication strategies, and collaboration with legal and compliance teams.
5. Cybersecurity Incident Disclosure timeframe
The clock for disclosing an cybersecurity incident begins ticking once an organization determines that a cybersecurity incident is material. Within four business days, a registrant must file an Item 1.05 Form 8-K with the SEC. This timeframe can be relaxed in exceptional circumstances. Most notably, the SEC rule indicates that in situations where the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety, registrants may delay filing.
Given this tight timeframe, swift action is paramount. Organizations can not delay making a determination of materiality to avoid disclosure. The SEC specifically cautions against “unreasonable delay.” More interesting however is the potential for cybercriminals to weaponize the SEC whistleblower rules. In fact, We have already seen an example of a ransomware group breaching a company, and reporting them to SEC for failure to disclose.
“We want to bring to your attention a concerning issue regarding MeridianLink’s compliance with the recently adopted cybersecurity incident disclosure rules (SEC 106). It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules.”
https://www.databreaches.net/alphv-files-an-sec-complaint-against-meridianlink-for-not-disclosing-a-breach-to-the-sec/
The disclosure journey also doesn’t end with the initial filing. Amendments to prior disclosures must be made to include any information that was not determined or was unavailable at initial filing. This continuous disclosure ensures that stakeholders receive comprehensive and up-to-date information as the incident unfolds and more details become available.
4. Limited to Material Cybersecurity Incidents
The limitation of disclosure to cybersecurity incidents determined to be material stands as a linchpin for CISOs when evaluating whether to disclose a cybersecurity incident. Rather than attempting to define a prescriptive statement of what a material cybersecurity incident could be, the SEC wisely wisely defaulted to the precedents set in cases such as TSC Industries Inc., Basic Inc., and Matrixx Initiatives Inc.
The SEC Cyber Disclosure Rule underscores that information about a cybersecurity incident is deemed “material”, if there is a substantial likelihood that a reasonable shareholder would consider it important when making an investment decision. Material information, as per these precedents, is that which could significantly alter the “total mix” of information available to shareholders. While the Final Rules reference “financial condition and results of operations” as one of the tests for materiality, it is essential to recognize that financial metrics alone do not encapsulate the entirety of material information. CISOs should expand their assessment to encompass qualitative impacts that extend beyond the balance sheet.
Determining Materiality
Materiality in the cybersecurity context may manifest in various qualitative impacts, broadening the scope of what is considered significant. Beyond financial metrics, considerations may include:
- Possibility of Litigation or Regulatory Investigations: The potential for legal or regulatory actions can be a crucial factor in determining materiality.
- Reputational Harm: Any adverse effects on the company’s reputation may be material, given the increasing importance of intangible assets.
- Impact on Customer or Vendor Relationships: Materiality extends to relationships with stakeholders, encompassing customers, vendors, and partners.
- Competitiveness: Any cybersecurity incident is considered material, if it affects a company’s competitive position in the market .
Regardless of the approach used to determine materiality, it is essential that organization have proactively defined and documented their policies and practices for determining materiality, considering both quantitative and qualitative measures. Understanding what makes an incident material requires a comprehensive approach to quickly assess quantitative and qualitative measures against predefined thresholds of materiality, including :
Quantitative Measures:
- Number of Customers, Systems, and Employees: Evaluate the scale of potential impact by quantifying the number of customers, systems, and employees that could be affected.
- Revenue at Risk: Assess the financial implications by determining the revenue at risk in the event of a cybersecurity incident.
- Amount of Information at Stake: Quantify the amount of information that could be impacted, considering the sensitivity and criticality of the data.
Qualitative Measures:
- Materiality of Each Customer or Supplier: Define the materiality of each customer or supplier, considering their significance to the organization’s operations and relationships.
- Materiality of Each Type of Incident: Categorize incidents based on their type and define the materiality threshold for each category.
- Materiality of Each System: Assess the criticality of each system within the organization, establishing materiality criteria for potential impacts.
The underlying principle is clear. Inform shareholders and the public as quickly as possible to make informed investment decisions.
Preparing for the Seemingly Inevitable Now
It is clear that organization’s now have limited time to prepare. To meet the stringent timelines outlined by the SEC Cyber Disclosure Rule, organizations should already have :
- Clearly determined thresholds for Materiality: CISO’s must have clearly defined, documented and approved thresholds for determining materiality. These should encompass factors such as the number of customers impacted, revenue at risk, and the materiality of each incident type, provides a proactive foundation for CISOs to navigate the complexities of disclosure.
- Predefined Incident Response Plans: Have well-defined incident response plans in place, outlining clear workflows for identification, containment, and reporting.
- Collaboration and Coordination: Foster collaboration between cybersecurity, legal, and communication teams to ensure a unified response strategy.
- Technological Preparedness: Leverage technology for early detection and response. In addition, invest in measures to determine the potential materiality of an incident. Newer technologies like data security posture management and data detection and response hold promise in reducing delays in gathering evidence. The reliance on self-determination places a unique burden on CISOs to substantiate decisions regarding the materiality of each incident. Gathering evidence becomes paramount, requiring CISOs to methodically prove how they determined an incident to be non-material. This evidentiary trail is not a one-time task; rather, it necessitates constant refreshment as new insights and costs emerge. Organizations must be able to swiftly determine the potential impact of a breach, even from the compromise of a single account.
- Tested their approach in a table top exercise: Plans must be tested before they are used.
The path forward is clear: proactive preparedness, a nuanced understanding of materiality, and a commitment to transparent communication. CISOs are not just guardians of data but increasingly stewards of organizational resilience and stock market transparency.
