This article was originally published on Radical Compliance.
As expected, the Securities and Exchange Commission adopted new rules on July 26, 2023, requiring publicly traded companies to make more disclosures about the cyber risks they face and the specific cyber attacks they suffer.
The final rules are largely in step with what the SEC first proposed last year: annual discussion of cyber risks in the company’s Form 10-K, and prompt disclosure of “material cybersecurity incidents” in Form 8-K filings within four business days of the company deciding that the incident is indeed material.
The annual disclosure requirement takes effect for fiscal years ending on or after Dec. 15, 2023 – meaning it will start appearing in annual reports that arrive in early 2024, and companies have only a few months to retool their disclosure procedures to align with the new rules. The 8-K incident reporting requirement kicks in on Dec. 18, 2023. Smaller reporting companies get an extra 180 days to comply with the 8-K requirement for cyber incidents, but they get no extra time for the annual disclosures in the 10-K.
The commission voted to adopt the rules on the usual 3-2 partisan split.
The most notable change from the original proposal is that the final rule now includes a process for delaying disclosure if the U.S. attorney general determines that disclosing the attack would pose “a substantial risk” to national security or public safety. That process is still going to be a high bar; companies will need a written determination from the attorney general, which is then communicated to the SEC. The initial delay is good for up to 30 days. It can be extended for another 30 days, and in extraordinary circumstances for a final period of up to 60 days beyond that, each time on a renewed determination from the attorney general; anything longer requires an exemptive order from the SEC itself.
Another important point to stress here is that the four-day clock does not start at the moment of the attack; it starts when the company determines that the incident is material. That is, if you suffer a ransomware attack on Monday, you don’t necessarily have to file the 8-K by Friday. The rule does say that the materiality determination must be made “without unreasonable delay” after discovery of the incident, so you can’t sit on the question indefinitely, but if you genuinely need weeks to decide that the attack is material, that’s fine. Only when you do make that decision, “Yep, this is material,” does the four-business-day clock start ticking.
Details on Disclosure
The final rule also requires a bit less disclosure of attacks than the original proposal. Companies will now need to discuss the impact of the attack rather than the details of the attack itself. Specifically, the adopting release says, companies will need to “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.”
The cybersecurity folks will probably breathe a bit easier at that shift in focus, since you’ll be at less risk (I would argue no risk) of divulging details about the attack that might inspire others to try similar attacks against you. Disclosure folks, on the other hand, might be left scratching their heads trying to figure out what you are supposed to disclose.
Clearly if the attack causes the company a material amount of financial harm, that should be disclosed. But the SEC also stressed that companies should consider qualitative factors too, such as harm to a company’s reputation, customer or vendor relationships, or competitiveness; or potential regulatory enforcement or civil litigation. So it’s entirely possible that you might have an attack that costs a relatively immaterial amount of money, but ruins your reputation and raises the specter of litigation from now until the cows come home. That’s qualitatively material, and you’ll need to disclose something.
The adopting release did expressly state that companies are not required to disclose the incident’s remediation status, whether it is ongoing, and whether data were compromised – but tread carefully there. Pre-existing SEC disclosure rules also forbid companies from watering down disclosure of material incidents to the point that the language becomes misleading.
Just the other week, for example, the head of enforcement at the SEC warned that his staff has “zero tolerance for gamesmanship.” He cited the case of Pearson plc, where the company couched the harm from a breach in hypothetical terms – “may include date of birth and/or email address” – when executives already knew that roughly half the stolen records contained dates of birth or email addresses. That misleading disclosure led to a $1 million penalty.
Disclosing the Board’s Role
The final rule also requires companies to discuss in their annual report the roles that the board and management play in addressing cybersecurity risk.
One notable change here is that the final rule does not require companies to disclose the cyber expertise their board directors might have. That requirement had been intended as a subtle pressure tactic to recruit directors who do have cyber expertise, since no company wants to look like a corporate dolt admitting “our board doesn’t have any.”
After considering public comments, however, the SEC changed its mind. “We are persuaded that effective cybersecurity processes are designed and administered largely at the management level,” the final rule says, “and that directors with broad-based skills in risk management and strategy often effectively oversee management’s efforts without specific subject matter expertise, as they do with other sophisticated technical matters.”
Meanwhile, companies will still need to describe their process for identifying and addressing cybersecurity risk. That notion had originally raised some hackles, since the proposed rule called for disclosure of “policies and procedures.” Critics said that language was too prescriptive, and might give would-be attackers too much insight into how companies protect themselves.
Now the final rule says companies must discuss their “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.” That language supposedly is precise enough that companies won’t be able to get away with the usual boilerplate disclosure, but not so precise as to be a How-To manual for cyber thieves out there.
Much more to come in future posts about the full scope of this rule. For now, compliance officers have enough to waltz into your CISO’s office and say, “Hey, you free for a minute?”