SEC Cyberattack Disclosure Rule: Much Improved But Still ‘A Heavy Lift’
The SEC’s incident disclosure requirement makes welcome changes from the originally proposed version but will still create significant new obligations for public companies, a PwC partner tells CRN.
The cyber incident disclosure regulations adopted Wednesday by the U.S. Securities and Exchange Commission are a major improvement over the version of the rule that was originally proposed more than a year ago, a PricewaterhouseCoopers partner told CRN.
But there’s no getting around the fact that complying with the new rule is “going to be a heavy lift for organizations,” said Joe Nocera, a PwC partner focused on cybersecurity risk and regulations. The rule requires publicly traded companies to disclose major cyberattacks within four business days of determining an incident is “material” for its shareholders.
[Related: SolarWinds ‘Confident’ It ‘Acted Appropriately’ After 2020 Hack: CEO]
“They’re going to have to really have a methodology for how they determine materiality and then be able to very quickly get those communications out as part of the 8-K [filing],” Nocera told CRN. “I do think that’s a lift.”
Crucially, however, the clock on the four-day time frame doesn’t start ticking until the determination of materiality has been made. “It might be 10 to 14 days into an investigation before you come to the conclusion that a material impact has occurred,” Nocera said.
The rule was adopted in a 3-2 vote, with two Republican SEC commissioners dissenting. Cyber incident disclosure rules were first proposed by the SEC in March 2022.
In a news release, SEC Chair Gary Gensler said the rule would help to ensure that when an incident is “material to investors” that it is publicly disclosed in a “more consistent, comparable and decision-useful way.”
Numerous industry groups executives had criticized elements of the original rule proposal by the SEC. However, the final rule—which takes effect 30 days after it is published in the Federal Register—improves some of the most contentious points in the original proposal, Nocera said.
For instance, the SEC removed a requirement that would have forced public companies to disclose when a series of individual incidents—which on their own were considered immaterial—had “become material in the aggregate.”
“The wording was vague, and there was limited methodology around how you would do the aggregation,” Nocera said. “That was probably one of the areas where most of our clients were scratching their head. So it was good to see that the final rule actually struck that language.”
There is still a requirement to disclose “related” incidents, which the SEC defines as multiple incidents over a short period of time from the same threat actor, he noted. The rule also requires disclosure of multiple incidents targeting the same vulnerability, even if it’s by different threat actors, Nocera said.
As a result, companies do still “have to think about, is this a related incident to something we’re already dealing with?” he said.
Less Technical Detail Required
Another key improvement in the final version of the rule is that the SEC clarified that companies aren’t expected to share a high level of technical detail in their disclosures. Some critics of the proposed version of the rule had suggested the disclosure could empower hackers by including information that could be exploited in additional cyberattacks.
With the final rule, however, “you’re focused on the impact of the incident to your business, which gives less of a road map to attackers,” Nocera said.
In addition, the SEC included a potential exception for the disclosure requirement, indicating that the disclosure “may be delayed” if the U.S. attorney general decides that disclosing an incident in that time frame would “pose a substantial risk to national security or public safety.”
The measure ensures that “if we have a nation-state actor or a criminal group that’s targeting a wide number of organizations—and the U.S. attorney general determines that it’s in the best interest of the broader community not to disclose—[they] can extend the reporting period for a period of time,” Nocera said. “I think that’s a very significant update to the rule.”
The rule will require public companies to disclose “any cybersecurity incident they determine to be material” via a new item—Item 1.05—in a Form 8-K filing. The disclosure must include a description of the “material aspects of the incident’s nature, scope and timing, as well as its material impact or reasonably likely material impact on the registrant,” the SEC said in its news release.
The SEC also adopted a rule Wednesday that will require publicly traded companies to annually disclose “material information regarding their cybersecurity risk management, strategy and governance.”
Companies will also be required to include a description of their board’s “oversight of risks from cybersecurity threats” as well as “management’s role and expertise in assessing and managing material risks from cybersecurity threats. Those disclosures will be required in a public company’s annual Form 10-K filing.