The SEC Cybersecurity Disclosure Ruling: Learn the New Requirements

  • Preventing Cybercrime
  • 10/25/2023

Key insights

  • SEC registrants are now required to disclose cybersecurity incidents and annually report information regarding their cybersecurity risk management, strategy, and governance.
  • Potential reportable incidents include ransomware attacks, data extortion, unauthorized access leading to the loss or modification of business information, and unauthorized interruption or loss of control of technology systems.
  • Affected companies should create teams to handle cybersecurity policies and incidents and provide them with specialized training.

SEC registrants are now required to disclose cybersecurity incidents and annually report information regarding their cybersecurity risk management, strategy, and governance.

These requirements are part of the SEC final rule adopted in July 2023. The rule requires SEC registrants to file a Form 8-K (new Item 1.05) for any material cybersecurity incident within four business days of determining that the incident is material. The filing may be delayed only if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing.

SEC registrants also are required to disclose on their annual Form 10-K information about how they identify and monitor material cybersecurity risks as well as how management and the board of directors govern these risks.

The annual disclosures must be included in annual reports for fiscal years ending on or after December 15, 2023. Material cybersecurity incidents must be reported on Form 8-K beginning on the later of December 18, 2023 or 90 days after publication of the rule in the Federal Register. Smaller reporting companies have an additional 180-day deferral on the Form 8-K incident-reporting requirement.

Reporting cybersecurity incidents on Form 8-K

What cybersecurity incidents have to be reported?

The SEC did not define a materiality threshold as part of its final rule. Instead, registrants should weigh both qualitative and quantitative factors in assessing whether a reasonable investor would consider the incident's impact material. A registrant can use the materiality analysis from its existing internal processes or disclosure controls as a starting point, keeping in mind that the four-business-day clock starts at the materiality determination, not at discovery of the incident, and that the determination must be made without unreasonable delay.

As part of the ruling, the SEC said reportable cybersecurity incidents also include “a series of related unauthorized occurrences.”

Potential reportable incidents include:

  • Ransomware attacks,
  • Data extortion and threats to disclose or sell company data,
  • Unauthorized access leading to the loss or modification of business information, intellectual property, and personally identifiable information which may result in a loss, liability, or compliance issue,
  • Unauthorized interruption or loss of control of technology systems, and
  • Incidents that may compromise the availability, confidentiality, or integrity of data hosted on the company system or network.

What should registrants disclose?

Registrants should disclose the material aspects of the nature, scope, and timing of the cybersecurity incident. Registrants should also disclose the material impact, and any reasonably likely material impact, of the incident on the registrant's financial condition and results of operations. Registrants do not need to disclose specific or technical details of their planned response to the incident or of their cybersecurity systems, networks, devices, and potential vulnerabilities in such detail that the disclosure would impede their response or remediation.

How companies should prepare

  • Registrants should identify a team consisting of members of information technology, internal audit, finance/audit, and other key areas of management to own the new Form 8-K cybersecurity disclosure process.
  • This team should create or update existing processes for monitoring, identifying, escalating, and disclosing potential material cybersecurity incidents.
  • This team should create a materiality analysis framework to quickly assess the qualitative factors, quantitative factors, and overall materiality of potential cybersecurity incidents.
  • This team should create templates with the key disclosure requirements noted above to be used by individuals responsible for filing 8-K disclosures.
  • This team should determine and train individuals who will be responsible for filing the 8-K form within four business days of when a cybersecurity incident has been deemed material.

Cybersecurity and the annual 10-K disclosure

What should registrants disclose?

Registrants should disclose:

  • Processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in enough detail for a reasonable investor to understand
  • Whether cybersecurity risk management processes have been integrated within overall risk management program
  • The use of assessors, consultants, auditors, or other third parties who assist with any processes related to cybersecurity risk management.
  • Whether processes are in place to oversee and identify material risks from cybersecurity threats associated with the registrant's use of third-party service providers.

The disclosure should also include whether and how risks from cybersecurity threats including those from prior cybersecurity incidents have materially affected or are reasonably likely to materially affect the registrant’s business strategy, operations, or financial condition.

What should be disclosed about cybersecurity governance in the annual 10-K?

Registrants should disclose:

  • The board of directors and management’s role in overseeing cybersecurity
  • The board committee or subcommittee responsible for oversight of risks from cybersecurity threats, and the processes by which that committee is informed about those risks.
  • Management's role in assessing and managing material risks from cybersecurity threats.
  • Which management positions or committees are responsible for assessing and managing material risks from cybersecurity threats.
  • The relevant cybersecurity expertise of the responsible management position or committee.
  • How management is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents
  • How cybersecurity incidents are reported to the board of directors

How companies should prepare

  • Determine who from IT and management will assess and track cybersecurity risks.
  • Determine who on the board of directors will be responsible for overseeing governance of cybersecurity as well as who from management, internal audit, or IT will be responsible for informing the board of incidents.
  • Conduct cybersecurity training for board and management members in overseeing cybersecurity.
  • Assess the organization's process for adopting these new 10-K disclosures. Evaluate the organization's cybersecurity, incident response, disaster recovery, and business continuity policies and procedures to validate whether they align with the SEC's cybersecurity disclosure requirements.
  • Verify management has a process to identify, assess, and monitor material cybersecurity risks/threats. This should also include tracking past cyber incidents to determine if threats or risks from prior incidents have materially affected or could materially impact the registrant.
  • Evaluate management's 10-K disclosure process to verify the 10-K disclosures include the information required by the new SEC cybersecurity rule (Item 106 of Regulation S-K, presented under the new Item 1C, Cybersecurity, of Form 10-K). The required items are:
    • Disclosures around cybersecurity risk management processes and strategy.
    • Disclosures around board of directors and management oversight and governance.

How we can help

While the new requirements don't take effect until December, it is advisable to begin forming your cybersecurity response team and preparing for the new SEC cybersecurity disclosure requirements as soon as possible.

Have questions or need help evaluating your organization’s current processes? Contact our business risk services team for personalized assistance.