Chapter 1 - Unpacking the new SEC Cybersecurity Disclosure Regulations
November 9, 2023 | Dr. James Norrie
Introducing our short series of three blog posts, designed to help global security, compliance and risk professionals affected by the new SEC disclosure rules unpack practical steps they can take immediately to align with both the spirit and the intent of these new regulations as we all venture into this new regulatory frontier together.
The content of this blog series expands on my earlier published white paper, “How New SEC Disclosure Regulations Move Beyond the Checkbox”. Our first post will highlight the three primary shifts in the cadence of the regulator and analyze those for operational insight you can act on.
While the new SEC cybersecurity disclosure rules apply strictly to the US companies the SEC directly regulates, they also apply to some degree to Foreign Private Issuers. This could include companies in Canada, the UK or Asia, for example, that are cross-listed on the NYSE. It is also our view that if you are a supplier, vendor, or partner of a publicly traded company anywhere in North America, you should take the time to understand these new rules, because they will matter to you too. As you will learn shortly, elements of these new compliance regimes imposed on public companies by the SEC will, in our opinion, soon reach you in the form of new vendor or supplier due diligence requests if you provide services or products to publicly traded companies. Make sure you look for our third post in this series, where we explore the implications of an organization’s cybersecurity perimeter versus its tactical edge.
And if you are stumbling upon us and still do not believe this content applies to you, carefully consider the impact of another forthcoming change – NIST 2.0 and its elevation of governance to a domain of its own. We will be scheduling future webinars on this topic too, so make sure you follow our socials for the latest updates and news. But these forthcoming NIST changes are another fundamental shift by another regulator – the spirit of which dovetails in intriguing ways with what the SEC just did. And as NIST applies throughout the United States as an extension of the Department of Commerce and the Federal Trade Commission, even the smallest of companies in the US must be aware of these legal shifts and think about the implications for how to comply. No one is exempt. So, whoever you are and however you got here, welcome and let’s get right into Chapter #1 of the series: A Primer on Timely Disclosure.
Chapter #1: A Primer on Timely Disclosure (Form 8-K)
With enforcement of the new disclosure rules becoming effective December 15th, many companies are struggling with two critical issues: how to quickly determine whether a material breach has occurred, and then how to publicly report it as an Item 1.05 Form 8-K within 4 days. While these are separate steps, they are connected and codependent. Our advice to clients is to rapidly prototype, map and then simulate these new compliance processes well in advance of needing them. These new guidelines – and the forthcoming changes to NIST V2 as well – dictate an enterprise strategy of reclaiming cybersecurity compliance, previously viewed primarily as a technical endeavor, back into company-wide ERM and GRC processes, where the SEC says it must now reside. Cybersecurity is a continuing and persistent business risk that can never be eliminated. This means it must be proactively governed by the board, managed by the executive team with urgency, and measured continuously across all aspects, and at all levels, of the modern organization. The looming intersection of AI, data privacy and data loss prevention within cybersecurity adds further complexity by forcing enterprises to take a holistic and inclusive view of this persistent, omnipresent business risk, and not just its technical roots.
Based on all that, here is a summary of 4 particular points to consider as inputs into the design of new SEC compliance processes to help you achieve initial compliance with these emergent regulations:
Point One, under the final rules, a reportable “cybersecurity incident” is very broadly defined and may include either a single unauthorized occurrence, or a series of related unauthorized occurrences that jeopardize the confidentiality, integrity or availability of the company’s information systems or any information residing therein. This seems an intentional stance by the SEC. So, this broadly encompassing definition may signal the need for companies to be equally broad in applying it internally. Your new compliance processes must address a consistent and accurate reporting of any event, which could ultimately need to be confirmed as material, or not, before being potentially reported publicly.
While, in a change from the draft rules, the SEC backed off a specific timeline for this determination, it did state that the determination should happen “without unreasonable delay”. Companies should be careful not to interpret this as permission to slow down disclosure; it means making every effort, without unduly rushing, to comply in a timely manner. The obvious conclusion, given that time is of the essence, is that it will always be better to invest proactively in mitigating a breach than in litigating one after the fact. Now more than ever, the focus of security risk governance must be to reduce the probability of an attack occurring to its lowest practical level across all threat vectors.
Point Two is another important shift in the SEC’s regulatory perspective: it expressly declines to limit the definition of “relevant information systems” to only those owned, operated or controlled by the company. This effectively extends your tactical edge well beyond your existing enterprise system perimeter to include any information or system resource USED by the company, including all of those provided by third parties. Because the SEC acknowledges that many companies today have limited visibility into their service or vendor partners, and limited third-party risk assessment (TPRA) tools applied to them, it did not yet require an immediate response on this particular point with providers beyond your normal existing business communication channels. But we presume that day will come, because the SEC clarified that the liability transfer shields in most vendor contracts do not prevent an event from being considered material and reportable. In summary, if an event occurs through a third party but impacts your information confidentiality, integrity, or systems availability, it may be both material and reportable even if you are not legally liable for it. This implies a new area of focus: companies must establish novel methods to assess and control third-party risk, and ensure that their security teams assess risk at the furthest endpoint of use rather than only at the systems they control.
Point Three, assuming a company experiences a material breach, it must be reported within 4 days. You must recognize this as a very short and strict timeframe. While the final rules eased off the more specific requirements for technical reporting contained in the initial draft regulations, the final rules are still quite precise in requiring that the nature, scope, and timing of the incident all be addressed in any 8-K filing. While the filing does not have to disclose specific technical information about how the company’s cyber defenses were breached, it does have to include the general status of remediation, recovery, or repair efforts to date. If these are ongoing, this may also trigger a need for additional updated filings as new information becomes available in the future, potentially making a single event the source of multiple disclosures over time. Note this in your new process designs and include longitudinal tracking of any required disclosures, covering not just the original incident but also internal remediation efforts as they are completed, if those trigger additional compliance reporting obligations.
And finally, Point Four: the filing must disclose not just the incident itself, but the impact of the incident, including both financial and operational impacts. In another significant departure from past practice, the filing is required to cite both quantitative results on revenues and costs (the more traditional view of materiality in broad use) and also qualitative impacts, for example on reputation, brand, customer trust or vendor relationships, and competitiveness. These must be assessed against the materiality standard of a “reasonable investor”: essentially, if the investor were provided with this information, would it change their decision to buy, hold, or sell your stock? That is the posture the SEC enforcement division will use to assess your filing compliance decisions, in a departure from past practice, where financial materiality alone was the focus. This introduces a complex set of disclosure realms to be factored into how you generate SEC filings.
So, there it is: a quick primer on the SEC’s new timely disclosure rules. You may be asking – how can cyberconIQ help us with this? Our Human Defense Platform creates and sustains a Security First Culture® that is actuarially proven to reduce the potentiality of a cybersecurity breach and to eliminate bad security habits in your employees. Increased compliance means lower risk, the entire spirit of these new SEC regulations. Our platform – once fully implemented at scale across any organization – provides specific guidance on additional controls, tools and/or methods that are both cost- and risk-effective to measurably reduce total human factors risk. Our visible proof points can be included in your regulatory filings to provide tangible proof of compliance with best practices and to prove that cybersecurity risk is being properly governed across the enterprise.
Stay tuned for our next chapter – Annual Plans for Your Risk Management Strategy & Governance (Form 10-K).
Want more in-depth recommendations? Read our recent White Paper on this topic here.