5 Key Things To Know On The SEC Cyber Disclosure Rules
The rules require public companies to disclose ‘material’ cybersecurity incidents as well as details about their management of cybersecurity risk — representing the most widespread regulation related to cybersecurity in the U.S. to date.
SEC’s New Cyber Regs
With its adoption of two new rules around cyber disclosure Wednesday, the Securities and Exchange Commission has enacted the most broad-sweeping regulations the U.S. has ever seen around cybersecurity. While certain industries are already subject to strict government cyber requirements, the SEC’s oversight of all publicly traded companies makes the new rules the “most widespread regulation” for cybersecurity yet in the U.S., said PricewaterhouseCoopers’ Joe Nocera.
The first new rule is focused on prompting more-frequent disclosure of major cyber incidents by public companies, such as significant data breaches or ransomware attacks. The rule requires publicly traded firms to disclose cyberattacks within four business days of determining an incident is “material” for its shareholders.
[Related: SEC Cyberattack Disclosure Rule: Much Improved But Still ‘A Heavy Lift’]
With the second new rule, the SEC is looking to arm shareholders with better information about companies’ management and strategy around cybersecurity risk. The rule requires this information to be disclosed annually, and it includes a new obligation to describe the role of its board in overseeing cybersecurity threats.
Notably, the regulations adopted Wednesday by the SEC are a major improvement over the version of the rules that was originally proposed more than a year ago, according to Nocera, a PwC partner focused on cybersecurity risk and regulations. “It’s not as problematic as it was originally,” he said. However, “it’s still going to be a significant burden” for public companies, Nocera said, noting that he’s already been working with clients around how to comply with the SEC requirements.
Ultimately, “you could expect it to have potentially the largest impact” of cyber-related regulations so far in the U.S., he said .
The rules will take effect 30 days after they are published in the Federal Register, the SEC said. When contacted by CRN Thursday, an SEC spokesperson said the agency doesn’t have an expected publication date for the rules in the Federal Register.
Allen Falcon, founder and CEO of Westborough, Mass.-based Cumulus Global, said he expects the new SEC rules to increase the pressure on IT service providers — and on service providers’ clients — that serve publicly traded companies. “IT service providers to publicly traded companies will be under additional pressure and expectations around cybersecurity and breach response,” Falcon said in an email to CRN. Meanwhile, “our clients with publicly traded companies will be under additional scrutiny and contractual obligations with respect to security as these rules take hold.”
With the Sarbanes–Oxley regulations, for instance, regulated companies began pushing policy and procedure requirements into their supply chains — which also impacted small and medium-sized businesses that were not covered by the law, he said. “I anticipate the SEC rules will similarly impact chains as the regulated entities work to make sure their responsibility is clearly and narrowly defined,” Falcon said.
What follows are five key things to know about the SEC’s cybersecurity disclosure rules.
What Prompted The Rules
As in its original proposal around cyber incident disclosure, the SEC held in its final version of the rule that “evidence suggests companies may be underreporting cybersecurity incidents.” And overall, “under-disclosure regarding cybersecurity persists despite the Commission’s prior guidance,” the SEC said in its final rule document.
Meanwhile, current practices among public companies in disclosure of cyber incidents are “varied,” the SEC said. “While some registrants do report material cybersecurity incidents … companies provide different levels of specificity regarding the cause, scope, impact, and materiality of cybersecurity incidents.”
Ultimately, shareholders in public companies “need more timely and consistent cybersecurity disclosure to make informed investment decisions,” the SEC said. “We believe it is necessary to adopt a requirement for uniform current reporting of material cybersecurity incidents.”
In a news release, SEC Chair Gary Gensler (pictured) suggested that from an investor’s perspective, the loss of millions of files in a cyberattack is no different than a factory burning down. In either case, “it may be material to investors,” Gensler said in the release. “Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
The SEC did not specify how it will go about enforcing the rules or what sort of penalties a company might be subject to, if it’s found to be in violation, Nocera said. Still, “there’s clearly an indication they intend to step up enforcement,” he said.
Improvements Over The Original Versions
In response to criticisms of the originally proposed rules, the SEC made a number of changes to the final versions that many companies will welcome, Nocera said. One major change for the incident disclosure rule is that the SEC removed a requirement that would have forced disclosure in the event that a series of individual incidents—which on their own were considered immaterial—had “become material in the aggregate.” For that element of the incident disclosure rule, “the wording was vague, and there was limited methodology around how you would do the aggregation,” Nocera said. “Removing that requirement was probably one of the areas where the industry as a whole breathed a sigh of relief.”
Another change to the rule is that the SEC is “narrowing the scope of disclosure” to focus on business and financial impact, rather than on technical detail. Some critics of the proposed rule had suggested the disclosure could empower hackers by including information that could be exploited in additional cyberattacks. The final rule, however, “gives less of a road map to attackers,” Nocera said.
The SEC also added a potential exception for the incident disclosure requirement, by which the U.S. attorney general can opt to delay the disclosure. The delay can be made if it’s determined that disclosing the incident would pose a “substantial risk” to public safety or national security, the SEC said.
As for the second rule — covering the annual disclosure of cybersecurity oversight within public companies — the SEC removed a controversial measure that would have required public companies to share details about the cybersecurity expertise of their board. While the final rule still requires a description of how the board oversees and governs cyber risk, it “explicitly removes the word ‘expertise,’” Nocera noted. “I do think that was a welcome change. Many boards were worried about, ‘Do we have to go out and put a cyber expert on our board?’ It seems clear that was a bit of an overstep.”
Determining A ‘Material’ Incident
As prescribed by the SEC incident disclosure rule, the clock doesn’t start ticking on the timeframe of four business days until a determination of materiality has been made. But while the agency is seeking to induce more-consistent incident disclosures by public companies, it will still be up to each company to decide what constitutes a “material” incident. “That’s going to be on companies to really develop, on their own, how they interpret that guidance,” Nocera said.
Determining that an incident is material is more straightforward in cases where there are clear, direct financial impacts — such as from an outage related to a cyber incident, he said. In such incidents, “it’s going to impact your revenue stream for a period of time, and you already have materiality thresholds from a financial perspective that you use for financial reporting,” Nocera said. “I think any cyber incident that would cross that financial reporting materiality threshold, you’d want to disclose it.”
On the other hand, some impacts of a cyberattack are not as easy to quantify financially, but can still have major consequences for a company’s business. “Where it gets to be more problematic is when you think about potential cyber incidents that impact your business strategy, your reputation in the market, loss of intellectual property — that’s much more difficult to quantify,” Nocera said.
At least initially, with each company being required to determine materiality on its own, the judgment around materiality is likely to vary from company to company — and it might not just mean that companies neglect to disclose major incidents. In all likelihood, “some companies may err on the side of over-reporting, until we get a better example of where the guardrails are,” Nocera said.
What Companies Need To Do
While the final versions of the SEC cyber disclosure rules are far better than the proposed versions, complying with the new SEC rules will still be a “heavy lift” for public companies, Nocera said. The incident disclosure rule will require public companies to report material cybersecurity incidents via a new item—Item 1.05—in a Form 8-K filing. The disclosure will need to include a description of the “material aspects of the incident’s nature, scope and timing, as well as its material impact or reasonably likely material impact on the registrant,” the SEC said in its news release.
Thus, to comply with the rule, companies will not only need to develop a methodology determining materiality, but also must be able to “very quickly get those communications out” in an 8-K filing, Nocera said.
He recommends three main areas for public companies to focus. No. 1 is to develop their incident response and disclosure process. “Most clients don’t have a documented materiality framework,” he said. “And so we’re working with clients to help them document a methodology for how they determine materiality, so that they have a defendable position for [determining] when that four-day clock starts.”
No. 2 is to focus on how they plan to describe the narrative in the 10-K about their cyber risk management program. “In some cases, it’s just documenting the current state” of their program, Nocera said. Other companies, however, would “like to tell a better story,” he said. “And so we’re helping them improve their cybersecurity program — so that when they tell the story of their current state, it’s actually accurate and consistent with what investors would care about.”
No. 3 is for boards to better understand their role in overseeing cyber risks, he said. That includes “making sure that they’re getting the right information, frequency and content to make good decisions.”
‘New Era Of Transparency’
The new SEC rules may be the most wide-reaching cybersecurity regulations adopted by a U.S. agency so far, but they are far from the only ones. Numerous other governments — both at the federal and state levels — are similarly pursuing regulations around cyber incident disclosure and other cybersecurity-related issues. Notably, the Cybersecurity and Infrastructure Security Agency (CISA) is working to craft rules that are expected to require critical infrastructure providers to disclose incidents within 72 hours (though the disclosed incident details would not be made public).
The array of disclosure regulations has prompted calls by some in private industry for a centralized, streamlined process for disclosing cyber incidents to the government. However, “I’m not overly optimistic that we’re going to get to a solution,” Nocera said. In addition to a variety of state government requirements, there are also international requirements such as GDPR in Europe, he noted. “If you’re a global company, you’re likely have many disclosure requirements around cybersecurity, and there are going to be varying levels of timeframes” for the disclosures, Nocera said.
“The reality of it is, for most global, complex organizations, they’re going to be dealing with multiple disclosure requirements,” he said. “They’re going to need to have a capability to rapidly assess what’s happening — to understand what part of their business is impacted, and therefore, who are all the different parties they need to disclose [an incident to].”
Ultimately, “we live in a new era of transparency,” Nocera said. “Whether it’s the SEC, or our customers, or our employees, they expect us to be transparent.”