What the SEC's new cybersecurity disclosure rules mean for companies
On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) formally approved and adopted new cybersecurity disclosure rules for public companies. First proposed on March 9, 2022, and reopened for additional comment periods through May 2023, the highly anticipated rules require registrants to disclose material cybersecurity incidents they experience and to disclose, on an annual basis, material information regarding their cybersecurity risk management, strategy and governance. Foreign private issuers are required to make comparable disclosures.
Key facts of the new requirements are summarized below:
- New Form 8-K Item 1.05
- Will require registrants to disclose any cybersecurity incident they determine to be material.
- Registrants must determine the materiality of an incident without unreasonable delay following discovery and, if the incident is determined material, file an Item 1.05 Form 8-K generally within four business days of such determination.
- The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.
- Form 6-K will be amended to require foreign private issuers to furnish information on material cybersecurity incidents.
- New Regulation S-K Item 106
- Will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats.
- Item 106 will also require registrants to describe the board of directors' oversight of risks from cybersecurity threats and management's role and expertise in assessing and managing material risks from cybersecurity threats.
- Form 20-F will be amended to require that foreign private issuers make periodic disclosure comparable to that required in new Regulation S-K Item 106.
The timing of the final rules is as follows:
- The final rules will become effective 30 days following publication of the adopting release in the Federal Register.
- With respect to compliance with the incident disclosure requirements in Form 8-K Item 1.05 and in Form 6-K, all registrants other than smaller reporting companies must begin complying on the later of 90 days after the date of publication in the Federal Register or December 18, 2023.
- Smaller reporting companies will have an additional 180 days and must begin complying with Form 8-K Item 1.05 on the later of 270 days from the effective date of the rules or June 15, 2024.
- With respect to Regulation S-K Item 106 and the comparable requirements in Form 20-F, all registrants must provide such disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023.
A divided opinion
The new rules were adopted by a 3-2 vote of the current SEC commissioners. On the day of the vote, all five released statements regarding the new rules ("F" denotes voted in favor and "NF" denotes voted not in favor):
- Gary Gensler (Chair): Gensler - Statement (F)
- Caroline Crenshaw: Crenshaw - Statement (F)
- Jaime Lizárraga: Lizárraga - Statement (F)
- Mark Uyeda: Uyeda - Statement (NF)
- Hester Peirce: Peirce - Statement (NF)
The new disclosure requirements are intended to increase overall consistency and transparency into the ever-growing and evolving cyber threats and incidents that U.S. companies continue to face — and how they are strengthening their cybersecurity posture. Gensler, the SEC chair, states that the new rules "will help investors more effectively assess these risks and make informed investment decisions."
SEC commissioners Crenshaw and Lizárraga also echoed Gensler's sentiment, with Crenshaw stating that "today's rule serves as an important reminder of how our continuous reporting framework incorporates emerging risks — just as it was intended to do. The rule will, among other things, provide investors and market participants across the board with critical information relating to a company's risk management and strategy, as well as governance, in its periodic reporting."
Lizárraga further added that "today, there are zero disclosure requirements that explicitly refer to cybersecurity risks, governance or incident reporting. The final rule will change that and provide investors with more timely, standardized, and informative disclosures, which will reduce market mispricing and information asymmetries."
Commissioners Uyeda and Peirce opposed the rules in their statements, and also called out additional considerations that they view as unclear or as overreach by the SEC. Uyeda stated that "the Commission's disclosure rules should not elevate cybersecurity above these other risks and issues, some of which may be more material to investors." He goes on to say that "investors will have far less insight into how a company manages these other risks relative to cybersecurity, even if the company has not had any material cybersecurity incidents."
Peirce, in her statement, said that "this final cybersecurity disclosure rule continues to ignore both the limits to the SEC's disclosure authority and the best interests of investors. Moreover, the Commission has failed to explain why we need this rule." She goes on to cite the SEC's 2018 interpretive guidance on cybersecurity disclosure as one of the reasons additional rules should not be implemented. Additionally, the U.S. Chamber of Commerce released a statement expressing concern. Christopher Roberti, the chamber's senior vice president for cyber, space and national security policy, said "the Cyber Incident Reporting for Critical Infrastructure Act of 2022 made it clear that cyber incident reporting to government should occur confidentially and in a protected manner."
An opportunity for self-reflection
Despite the divided opinions, the new rules do not, and should not, change the overall mission of organizations and their cyber groups and leaders: addressing and handling cybersecurity risk. Whether the new requirements are viewed as a great step forward or not, they will force organizations to self-reflect on the current state of their cybersecurity operations and will most likely elevate the cyber profession as a whole. However, while they provide additional guidance from a regulatory standpoint, the new rules also raise additional questions and considerations. Some of the questions that Commissioner Peirce poses are the following:
- Is there a concern that companies in the midst of a cyber-attack, while attempting to contain, minimize and remedy any damage, will have their ability to respond hindered by having to alert the attacker to what they know about the attack?
- With "cybersecurity incident" being defined now to include anything that "jeopardizes" information systems, an incident could now occur whenever information is merely at risk even if not actually stolen. Will companies have difficulty tracking cybersecurity incidents, so broadly defined?
- Are the timelines set forth for same-year compliance reasonable, or too aggressive?
One of the major challenges in identifying and expressing cyber risk is that it has no clear-cut scope, nor does a rigorous definition of what constitutes cyber risk exist. The risk surface of an organization's infrastructure is ever-growing and increasingly complex. As a result, companies will likely encounter operational and judgmental challenges such as:
- Defining what constitutes a "material" cybersecurity incident
- Determining the scope of required disclosures
- Identifying what needs to change in current policies, procedures and capabilities, if anything, and estimating the level of effort required
- Deciding whether headcount and resource allocation must increase
- Obtaining accurate and timely information about cybersecurity incidents
- Complying with all disclosure requirements
These are just some of the challenges that companies will face in complying with the new cybersecurity requirements. As the rules are implemented, it is likely that we will continue to see more questions and considerations arise.
Educating tomorrow's security professionals
In looking to the future, Julia Armstrong, managing director of the Institute for Cybersecurity and Digital Trust (ICDT) at Ohio State, said: "In light of the new SEC disclosure rules, training and education of our future protectors is as important as ever. We cannot piecemeal individual tactics and technologies, but must encourage education to take on a systems view, understanding how various job roles fit into the cybersecurity landscape. Our students must understand not only the processes of their employer, but also how to collaborate with the larger ecosystem of experts so as to support the community of security professionals."
An increased focus on the training and development of students in cybersecurity here at The Ohio State University is designed to build out this community of security professionals. Ohio State has formal educational offerings in the following areas:
- Graduate Certificate in Cybersecurity: Offense & Defense
- Graduate Certificate in Cybersecurity: Design & Implementation
- Bachelor of Science in Business Administration | Specialization in Information Systems
- Bachelor of Science in Computer Science & Engineering | Specialization in Information and Computation Assurance
- Bachelor of Arts in Information Security
- Minor in Information Security
- Cybersecurity Bootcamp offering
Additionally, informal opportunities and events are offered: