SEC cybersecurity disclosure requirements: Some context
The driving force behind these new rules is twofold. For one, as part of a larger effort to improve the cybersecurity stance of organizations in the United States, the federal government recently has increased the reporting requirements for cyber incidents. For example, in November 2021, the Board of Governors of the Federal Reserve System (Fed), the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corp. (FDIC) issued a final rule, “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers.” In March 2022, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022.
Secondly, because cybersecurity breaches directly affect shareholders, the SEC has proposed new rules to require public companies to report material cybersecurity incidents. Breaches often cause major losses in productivity and significant costs to fully restore functionality. Additionally, if confidential customer information is stolen, companies must offer expensive identity protection services to affected customers. Cybersecurity attacks can also impact company shareholders. For example, the Capital One security breach in 2019 resulted in an immediate 6% drop in stock prices, and totaled a nearly 14% drop within two weeks.
New reporting expectations
The proposed SEC cybersecurity disclosure requirements apply to all public companies subject to the reporting requirements of the Securities Exchange Act of 1934. Foreign private issuers also would be subject to the proposed rules.
One of the most consequential aspects of the proposed rules relates to the disclosure of cyber incidents. Organizations would be required to disclose cyber incidents within four days of determining that the organization has experienced a material incident. Assessing the materiality of cyber incidents can be challenging. Precedent for determining materiality exists, however, based on several Supreme Court decisions, including TSC Industries, Inc. v. Northway. In Staff Accounting Bulletin No. 99, the SEC approaches materiality this way: “Materiality concerns the significance of an item to users of a registrant's financial statements. A matter is ‘material’ if there is a substantial likelihood that a reasonable person would consider it important.”
In the context of cybersecurity events, materiality can be interpreted to include events that are determined to pose some harm to the company or its investors. Determining materiality requires companies to analyze each cyber incident and to consider the total mix of information available to their investors. Events that could be material include, but are not limited to, incidents such as:
- A breach, regardless of intention, of a company’s established security policy that leads to some sort of liability to the organization
- An event that damages an organization’s reputation, products, or services
- A breach that results in the organization needing to make a direct monetary payment, either in the form of restitution to those affected or to the perpetrator in response to extortion demands
- Any event that results in unauthorized access to, damage to, or loss of control of an information system that is critical to the business
In addition to new time constraints for reporting material cybersecurity incidents, the proposed SEC cybersecurity disclosure rules would require several key pieces of information, including:
- When the incident was discovered and whether it is currently ongoing
- The nature and scope of the cybersecurity incident, including affected business units and compromised systems
- Details on whether data was stolen, altered, accessed, or used by an attacker
- Whether the vulnerabilities that allowed the incident to happen have been remediated
- How and which cybersecurity policies and procedures have been changed in order to prevent a similar breach
Organizations would be required to provide updates on past disclosures of cybersecurity incidents if there are material changes, additions, or updates related to the incident.
For example, if a previously disclosed cybersecurity breach exposed specific customer information and it was later determined that more customer information was stolen, the organization would have to provide an update regarding the breach in its next report. Such updates would be disclosed in the regular annual or quarterly reports for the year or quarter in which the organization learned of the additional impact of the breach. If multiple previously undisclosed cybersecurity incidents become material in the aggregate, these incidents must also be disclosed to shareholders in the report for the period in which the registrant determines the incidents are material in the aggregate.
Although organizations have to collect and disclose a significant amount of information in the event of a material cyber incident, the SEC does not require that technical details regarding specific systems involved in the cybersecurity program be reported.
Additions to regular disclosures
Under the proposed cybersecurity disclosure requirements, annual and quarterly disclosures would require information related to an organization’s cybersecurity policies, procedures, and governance. For example, proposed risk management and strategy disclosures include certain details regarding the company’s cybersecurity policies and procedures, whether the company has a cyber risk assessment program, including whether third-party assessors are evaluating the company’s cybersecurity stance, and whether the company undertakes cybersecurity risk mitigation activities. Other proposed risk management disclosures include whether and how cybersecurity risks or previous incidents are considered in the company’s strategies, financial planning or results, and capital allocation.
The proposed governance disclosures address activities of both the board of directors and management. For example, proposed board governance disclosures include the board members or board committee responsible for oversight of cybersecurity risk, how frequently the board is informed about cybersecurity risk, and how the board incorporates cybersecurity risk into its oversight role. Companies also would need to disclose whether a member of the board of directors has cybersecurity expertise and, if so, the name of the board member and their specific expertise.
Proposed management-related governance disclosures cover how management assesses and addresses cybersecurity risk, including how management implements the company’s cybersecurity policies, procedures, and strategies. The proposed rules also would require disclosure of whether the company has appointed a chief information security officer (CISO), or someone in a comparable position, and their relevant expertise. Additionally, information about how the CISO or comparable position receives and monitors information about cybersecurity risks and incidents and whether or how often the position reports to the board of directors must be disclosed.
The proposed rules specify that the disclosures must be provided using Inline XBRL, a format that combines human-readable text and machine-readable data in a single file.
What public companies can do now
Overall, the proposed SEC cybersecurity disclosure requirements emphasize transparency of cybersecurity practices and how cybersecurity is incorporated into current business models. Public companies can take specific actions to prepare for the SEC’s proposed new reporting requirements. First and foremost, organizations should prioritize implementing holistic cybersecurity programs that demonstrate the integral role cybersecurity plays in their business models.
Additional steps public companies can take now include:
- Identifying gaps and vulnerabilities in the organization’s cybersecurity approach to mitigate risks before they materialize into an actual cybersecurity event
- Considering whether the entity’s board should include a cybersecurity specialist or whether the entity should appoint a CISO
- Evaluating the entity’s current cybersecurity reporting structure, including how cybersecurity incident information is relayed to management and the board of directors
- Reviewing documentation of past cybersecurity incidents and considering whether prior documentation would allow the entity to comply with the proposed rules
- Evaluating how the entity’s current disclosure controls and procedures might need to change under the proposed rules
While some of these steps might seem difficult to implement, organizations can take advantage of available resources to improve their cyber maturity and prepare for the SEC's proposed rules. For example, organizations could consider involving third parties to assist with any potential changes to the entity’s cybersecurity policies or procedures. Bringing in outside expertise can help to identify gaps and introduce industry best practices. Third parties also can provide virtual information security offices by acting as, or augmenting, existing information security departments.
The areas in which the SEC is proposing additional transparent disclosures are all key components of a strong security posture. Using these new rules as guidelines, organizations can establish strong and effective cybersecurity programs or improve their current cybersecurity hygiene in advance of any final disclosure rules.