SEC Cybersecurity Disclosure Rules: Key Takeaways for Organizations

The Securities and Exchange Commission (SEC) oversees and regulates U.S. securities markets to promote fairness, prevent fraud, and protect investors. It also collaborates with numerous partners to design strategies aimed at protecting markets from the damaging effects of cyber incidents. One such strategy is its disclosure regime, which has evolved over the years.

In the past, per the SEC’s mandate, U.S. public companies would make cybersecurity incident disclosures in an inconsistent form that made it difficult for investors to gauge incident impact and make appropriate investment decisions. In July 2023, the SEC adopted new disclosure rules that require U.S. domestic registrants and foreign private issuers (FPIs) to disclose cyber incidents in a “consistent, comparable, and decision-useful way”.¹

By mandating and standardizing cyberincident disclosures – as well as the disclosures of companies’ cybersecurity policies and procedures – the SEC aims to improve transparency about cybersecurity risks in securities markets, thus ensuring the protection of investors and market participants.

That said, many companies lack clarity into these rules, which creates compliance challenges and exposes them to numerous undesirable consequences of non-compliance, including SEC fines, legal action, financial losses, and loss of customer trust. This article clarifies these rules to help companies simplify their path to compliance and encourage them to think about strategies to strengthen their cybersecurity programs.

What are the SEC’s Cybersecurity Disclosure Rules?

In July 2023, the SEC adopted new disclosure rules for U.S. public companies (“domestic registrants”) and foreign private issuers (FPIs) that specify their disclosure obligations if they experience a cybersecurity incident. Compliance with these rules can help organizations to strengthen their cybersecurity controls and avoid many of the undesirable consequences of cybersecurity incidents.

That said, to ensure compliance and minimize the risks and costs of non-compliance, firms will need to:

1. Understand the rules
2. Self-assess their existing cybersecurity threat/incident disclosure controls
3. Self-assess their cybersecurity risk management and governance practices
4. Implement changes as required

This article aims to help companies meet goal (1). A cyber security provider like BreachLock can also help them to meet goals (2), (3), and (4).

SEC’s 2023 Cybersecurity Rules: Disclosure Requirements

The SEC’s cybersecurity disclosure rules have two important components:

i. Disclosure of material cybersecurity incidents²

Part 1 requires domestic registrants to disclose any material cybersecurity incident that they experience to the SEC. These disclosures must be made in Item 1.05 of the SEC’s Form 8-K and include details about the incident’s:

• Nature
• Scope
• Timing
• Material impact or reasonably likely material impact

The impacted organization is not required to disclose specific or technical information about their planned incident response or about potential system vulnerabilities, especially if providing these details might impede incident response or remediation.

Registrants must make these disclosures (in Form 8-K) within 4 business days of determining that the incident is material. Here, it’s important to note that this deadline is not tied to incident discovery but to the registrant’s determination that the incident is material.

The only time the 4-day deadline does not apply is if the U.S. Attorney General determines that immediate disclosure could risk national security or public safety and informs the SEC about this risk in writing. In this case, the affected company must work with the U.S Department of Justice to manage the incident and mitigate its (national security/public safety) risk.

FPIs must also disclose cybersecurity incidents. Unlike domestic companies, they must make these disclosures on Form 6-K. Also, the disclosures must happen “promptly” after they disclose or publicize an incident in or to any one of these places:

• A foreign jurisdiction
• A stock exchange
• Security holders

ii. Annual disclosures of cybersecurity risk management, strategy, and governance

The SEC also requires domestic registrants and FPIs to make annual disclosures about their cybersecurity risk management, strategy, and governance practices. Like cybersecurity disclosures, annual disclosures must also be made in a consistent and comparable way. To support this objective, the SEC has created two standardized disclosure forms:

• For domestic public companies: Regulation S-K Item 106 in annual reports on Form 10-K
• For FPIs: Form 20-F Item 16K

The rules regarding annual disclosures include two important requirements that apply to both domestic companies and FPIs.

One, they must describe their cybersecurity risk management processes. These include all processes for assessing, identifying, and managing risks from i) cybersecurity threats and ii) previous cybersecurity incidents that have materially affected or may materially affect them in future.

Two, companies must describe how their board of directors oversee material cybersecurity risks and how the management assesses and manages these risks.

What is a “Material” Cybersecurity Incident?

In the context of the SEC’s new disclosure rules, “material impact” of a cybersecurity incident includes any impact on the registrant’s (or FPI’s) financial condition or the results of operations. The impact is also considered material if knowing about it (“information”) could affect a shareholder’s ability or willingness to make an investment decision. For this reason, the SEC recommends that companies assess the materiality of cybersecurity incidents from the lens of a reasonable investor.

Some possible cybersecurity incidents that could be considered as having a material impact and should therefore be disclosed to the SEC include:

• A virus attack that results in a financial loss
• A data breach that results in the loss of customer data
• A ransomware attack that leads to operational disruptions or downtime

SEC Cybersecurity Rules Compliance Dates

Domestic registrants (Form 6-K) and FPIs (Form 8-K) should have started disclosing cybersecurity incidents by December 18, 2023 or 90 days after publication in the Federal Register, whichever is later. Smaller reporting companies (SRCs) get an additional 180 days to disclose such incidents. This means they must start complying by June 15, 2024. Additionally, all companies including SRCs must tag their incident disclosures in Inline XBRL by December 18, 2024.

All registrants must provide annual cybersecurity disclosures (Form 10-K for domestic registrants and Form 20-F for FPIs) beginning with their annual reports for fiscal years ending on or after December 15, 2023. They must also tag these disclosures in Inline XBRL format for fiscal years ending on or after December 15, 2024.

Consequences of Non-compliance

Companies that fail to comply with the SEC’s cybersecurity disclosure rules may receive a permanent injunction to cease doing a specific type of activity. The SEC could also impose monetary fines ranging from $5,000 to $100,000 per violation. The actual amount would depend on whether fraud was involved and whether investors were harmed following a cybersecurity incident.

In addition to fines, not disclosing an incident could impact organizations in many other ways. It could cause reputational damage, or result in financial losses, stock price dips, or loss of customer trust. Further, the SEC could initiate enforcement action that increases a company’s litigation costs and affect its profitability and financial stability.

Conclusion

The SEC’s new cybersecurity disclosure rules can help companies to proactively address cybersecurity risks and mitigate the impact of cybersecurity incidents, so complying with them is an advisable course of action. Organizations can also achieve these objectives through penetration testing.

BreachLock’s pentesting solution empowers organizations to identify and fix security vulnerabilities across their entire attack surface – before they can be exploited. Human-delivered and AI-powered, the solution ensures fast vulnerability identification and prioritization. Equally important, it enables companies to meet their SEC compliance requirements and thus avoid the (many) costs of non-compliance.

Discover how you can achieve your cybersecurity and SEC compliance goals with BreachLock’s pentesting services. Schedule a free discovery call today.

About BreachLock

BreachLock is a global leader offering human-delivered, AI-powered, and automated solutions for Attack Surface Management , Penetration Testing as a Service and Continuous Penetration Testing and Red Teaming as a Service . Collectively, these solutions go beyond providing an attacker’s view of common vulnerabilities and exposures to provide enterprises with evidence-based risk across their entire attack surface to determine how they will respond to an attack.

Know your risk. Contact BreachLock today!

References

1. SEC Press Release, July 2023

2. U.S. SEC: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure