On July 26, 2023, the US Securities and Exchange Commission (SEC) adopted rules regarding Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure by Public Companies.
These new rules include critical new factors that leaders of public companies must be aware of, namely the new requirement for registrants to disclose all material cybersecurity incidents on the new Item 1.05 of Form 8-K.
Unfortunately, this new requirement has been met with uncertainty and confusion due to seemingly unachievable deadlines and ambiguity around important qualifiers.
This is because the Form 8-K requires that companies submit details regarding the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.
Further, these details will be required to be submitted within just four days of determining the incident to be material.
However, the reporting process is not as complicated as most companies fear, and knowing the basic, important facts and expectations around the new rule can significantly ease anxieties while ensuring compliance.
Below is a breakdown of the new rule’s most critical updates and what public companies need to know about how to properly report a cyber incident:
Understanding Material Cybersecurity Incidents
Can the cybersecurity breach you just experienced have a significant impact on the company's financial position, operation, or relationship with its customers? If so, you have a material incident on your hands.
Another way of determining whether an event qualifies is to consider whether you would feel an obligation to disclose it to your shareholders. If the answer is yes, that incident should be considered material and reported to the SEC within four days of discovery.
In most cases, cybersecurity events or breaches that come to fruition and cause consequences are material incidents. If risks are proactively identified and mitigated before a security breach ensues, that does not trigger a reporting obligation to the SEC.
Preparing Response Plans
Another major aspect of the new rule is the requirement for companies to disclose their processes for identifying and mitigating cyber threats and vulnerabilities. For companies that do not have a formal plan or task force in place, it is absolutely critical that they prioritize creating one, not only to comply but also to protect their sensitive data and information.
To start, leaders should consider hiring a designated cybersecurity expert or building a team of existing professionals within the organization to manage important proactive initiatives like monitoring, employee training, encryption and more. These experts can also take the lead on creating, adapting, and following through on cybersecurity response plans.
This can include everything from consistently updating plans with new requirements and definitions to detailing step-by-step recovery plans to mitigate consequences from the incident, including how to properly report it to the SEC.
Planning for Prompt Reporting
One of the biggest complaints that leaders have had regarding these new rules is the four-day reporting requirement. Many leaders feel that, given the different departments, personnel, and vendors that would need to provide input, four days is not enough time to gather the necessary information for the SEC to review.
This is why having a cybersecurity expert or team dedicated to managing these incidents is essential. Based on their familiarity with the company and its systems, these employees will be able to promptly make determinations regarding whether an incident can be deemed “material” and, from there, spend the next 96 hours executing a thorough response protocol to gather all the information and data related to the incident, analyze it, and begin the formal reporting process.
For business leaders who are still frustrated and confused about the new reporting requirements, it’s important to reach out to a consultant for guidance right away. This is because the Form 8-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or Dec. 18, 2023. Smaller Reporting Companies will have an additional 180 days before they must begin providing the Form 8-K disclosures, but that still does not leave a lot of time for acclimation before compliance is required.
Christopher Salone, MBA, is a Senior Consultant and Financial Services Practice Leader of FoxPointe Solutions, the Information Risk Management Division of The Bonadio Group. His work focuses on internal and external auditing of information technology and information security practices and controls, providing services to clients across multiple industries, including public and private companies, financial institutions, healthcare organizations, tech companies, and school districts. He conducts audits in accordance with regulatory compliance standards.