Understanding the Implications of New SEC Rules on Cyber Incident Disclosure

In case you missed it, there’s been a lot of talk surrounding new SEC rules on cybersecurity incident disclosure.

In short, public companies in the United States must report any cybersecurity incident on a Form 8-K within four days of determining that the incident is “material”. There are a small number of exceptions, such as an extended reporting period for incidents that pose a substantial risk to national security or public safety.

Although there are already many regulations around data breach notifications, the scope of this rule, alongside the shift in who is responsible, makes it a notable change.

In this blog, we’ll explore how this differs from existing regulations, the types of cybersecurity incidents it could refer to, and how this shifts the responsibilities of cybersecurity to the board.

Comparison with Existing Regulations and Breach Notification Requirements

Prior to the implementation of the new SEC rules, there were already numerous state laws in place for disclosing data breaches. Digital Guardian has produced a really helpful list of data breach laws on a state-by-state basis. These laws primarily focused on notifying affected individuals when their Personally Identifiable Information (PII) was compromised.

However, the new SEC Rules on Cyber Incident Disclosure have broadened the definition of a "cyber incident" significantly. Now, it encompasses any event that jeopardizes the integrity of information systems, making it far more comprehensive than traditional data breach notifications.

Five Defined Types of “Cyber Security Incident”

According to the proposed rules from the SEC, a Cyber Security Incident is “an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”

In the document, there are five types of incidents specified:

  • An unauthorized incident that has compromised the confidentiality, integrity, or availability of an information asset (data, system, or network); or violated the registrant’s security policies or procedures. Incidents may stem from the accidental exposure of data or from a deliberate attack to steal or alter data;

  • An unauthorized incident that caused degradation, interruption, loss of control, damage to, or loss of operational technology systems;

  • An incident in which an unauthorized party accessed, or a party exceeded authorized access, and altered, or has stolen sensitive business information, personally identifiable information, intellectual property, or information that has resulted, or may result, in a loss or liability for the registrant;

  • An incident in which a malicious actor has offered to sell or has threatened to publicly disclose sensitive company data;

  • An incident in which a malicious actor has demanded payment to restore company data that was stolen or altered.

As you can see, these five types of incidents are about more than just breached PII. These are incidents that significantly impact a company's operations, such as unauthorized access to business information systems, theft of intellectual property, or actions of disgruntled employees.

Understanding What “Material” Means

What happens if an attacker gains access to a company GitHub account and steals access keys or source code, but not PII? These types of cyber incidents could now be in scope if they are deemed to be material.

The crux of the matter lies in determining what constitutes a "material" cybersecurity incident, a definition that some consider vague. According to the SEC, an incident is material “if there is a substantial likelihood that a reasonable shareholder would consider it important”.

It’s fair to say that we’ll be hearing a lot more about this definition over the next 6 months.

However companies end up calculating what is material, having the right context will be increasingly important. Security teams need to rapidly grasp the full context of an attacker's activities and the extent of unauthorized access so that they can respond quickly and precisely.

Beyond Reporting Breaches

However, the implications of the new SEC rules go beyond the act of reporting breaches through the Form 8-K. The rules also introduce Regulation S-K Item 106, which requires a description of cybersecurity risk assessment and management processes, board oversight, and management expertise in handling such risks. The disclosure requirements will also extend to a registrant's annual report on Form 10-K.

This shift of responsibilities places a significant burden on the board of directors. They will be accountable for ensuring that the company has robust processes in place to assess, identify, and manage material cybersecurity risks. Furthermore, companies will need to disclose the material effects or reasonably likely material effects of risks arising from cybersecurity threats and previous cybersecurity incidents.

Summary

This is coming very soon. Disclosures on Forms 10-K and 20-F will be required with annual reports for fiscal years ending on or after December 15, 2023.

While there may still be details to be worked out (including the legalese around material impact), the new SEC rules on cybersecurity incident disclosure are a game-changer for public companies operating in the United States.

The expanded scope of what constitutes a "cyber incident", the strict four-day reporting period, and the heightened focus on materiality are transforming the cybersecurity landscape and demanding more attention from boards of directors.