SEC Cybersecurity Disclosure: Requirements and Implications

SEC sets in motion standardized reporting requirements for U.S. public companies and foreign private issuers.
Interlynk
September 3, 2023

Cybersecurity risk management, strategy, incidents, and governance can significantly affect a company’s value. Disorganized or delayed disclosure of them leaves investors frustrated, as previously seen after the security incidents at Equifax, Target, Yahoo!, and SolarWinds.

The U.S. Securities and Exchange Commission (SEC) has now formalized standardized reporting requirements for U.S. public companies, adopted on July 26, 2023, with comparable requirements for foreign private issuers (non-U.S. companies that report to the SEC).

The requirements aim to make disclosures in a “consistent, comparable, and decision-useful way.”

Let’s dig in!

Who is affected?

All companies subject to the reporting requirements of the Securities Exchange Act of 1934 are affected. This includes domestic public companies, foreign private issuers, smaller reporting companies, and business development companies. Asset-backed issuers are not covered by the new rules.

What are the Reporting Requirements?

The three essential reporting requirements are:

Cybersecurity Incident Disclosure

This change requires reporting any “material” cybersecurity incident to the SEC under new Item 1.05 of Form 8-K, within four business days of the company’s determination that the incident is material. Note that the clock starts at the materiality determination, not at discovery of the incident; the rule requires that determination to be made “without unreasonable delay” after discovery. Foreign private issuers furnish the equivalent disclosure on Form 6-K. The filing must include:

  • The material aspects of the nature, scope, and timing of the incident
  • The material impact, or “reasonably likely” material impact, on the company, including its financial condition and results of operations, with consideration of both qualitative and quantitative factors

If some required information is not yet determined or unavailable when filing, the 8-K must say so and must then be amended within four business days of the information becoming available.

The rules do not require disclosure of technical details, remediation status, or whether data was compromised. The final rule explicitly does not require specific or technical information about the planned response or about the affected systems in such detail that it would impede response or remediation.

Cybersecurity Risk Management and Strategy

This change requires a description of the company’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats (new Item 106 of Regulation S-K). This must be disclosed on Form 10-K (or Form 20-F) annually, and the filing must address the following:

  • Whether and how those processes are integrated into the company’s overall risk management system
  • Whether the company engages assessors, consultants, auditors, or other third parties in connection with those processes
  • Whether the company has processes to oversee and identify cybersecurity risks arising from its use of third-party service providers
  • Whether any risks from cybersecurity threats, including as a result of previous incidents, have materially affected or are reasonably likely to materially affect the company’s business strategy, results of operations, or financial condition

Board and Management Governance

This change requires reporting the governance structure for cybersecurity risk on Form 10-K (or Form 20-F) annually, and the filing must include the following:

  • Details of board oversight of cybersecurity risk, specifically the board committee or subcommittee responsible for that oversight and the process by which the board or committee is informed of such risks.
  • Management’s role in assessing and managing material risks from cybersecurity threats: which management positions or committees are responsible, their relevant expertise, the processes by which they are informed about and monitor the prevention, detection, mitigation, and remediation of incidents, and whether and how they report such risks to the board or a board committee.

When do the requirements become effective?

  • The material incident disclosure requirement (Form 8-K Item 1.05) applies from December 18, 2023, with smaller reporting companies getting a 180-day deferral (June 15, 2024).
  • The annual risk management, strategy, and governance disclosures are required for fiscal years ending on or after December 15, 2023.

Any exceptions?

The only exception is if the United States Attorney General (the “AG”) determines that immediate disclosure would pose a “substantial risk to national security or public safety” and notifies the SEC of that determination in writing. Disclosure may initially be delayed for up to 30 days, as specified by the AG, and may be extended for up to another 30 days on a further AG determination. In extraordinary circumstances, the AG may authorize a final additional delay of up to 60 days; any delay beyond that requires an SEC exemptive order.

Implications

The SEC has sent clear signals about what it expects as best practice in a compliant organization. Specifically:

  • Cybersecurity Governance and Oversight: Companies should set up governance and oversight that raises the baseline, including adding board and management team members with cybersecurity expertise, establishing committees for oversight and incident management, and formalizing the processes for cybersecurity management and reporting to the board. (The final rule does not mandate board-level cybersecurity expertise, but it does require disclosure of management’s relevant expertise.)
  • Disclosure Controls and Processes: The reporting requirements call for a defined materiality assessment, operated by the incident management and monitoring teams with automation to support evaluation of material impact, formalized processes for involving legal, IT, and external support, and formalized processes for notifying and involving the board as needed. Because the four-business-day clock starts at the materiality determination, and that determination must be made without unreasonable delay, the assessment itself needs to be fast and well documented.
  • Incident Response Plan Update: This is the most visible impact of the regulation. All incident response plans must be updated to involve legal counsel and any cybersecurity sub-committee, and to engage third-party experts where needed. Organizations must review their plans against the new disclosure requirements and the short window available (four business days from the materiality determination).

Interlynk is working to make security disclosure easy, obvious, and automated. We are happy to answer any questions you might have. Feel free to reach out to us at hello@interlynk.io or via interlynk.io