SEC cyber rules mean new steps for CFOs

New cybersecurity disclosure rules from the Securities and Exchange Commission became effective in September 2023 for publicly traded entities. In addition to requiring prompt disclosure of any material cybersecurity breaches, the rules also impose significant new requirements that will immediately affect most companies' 2023 annual reports. CFOs and other leaders with cybersecurity responsibilities should already be taking steps to comply with these expanded disclosure requirements.

The new disclosure requirements are also a consideration for private companies that are anticipating going public. At a higher level, the new requirements can provide all types of companies with useful insights on sound cybersecurity processes and transparency.

Overview of the new rules

In today's digital economy, cybercrime has become an increasingly consequential risk for businesses of all types and sizes. Even companies that are not directly engaged in technology-related pursuits still rely heavily on technology for financial reporting, accounting, sales and operational management activities, to name only a few. Security breaches can have a significant and immediate impact on business operations and reputation, in addition to exposing companies to sizable costs and potential legal liability if a breach results in the unauthorized release of sensitive data about customers, employees, or suppliers.

The new cybersecurity rules are designed to provide investors with greater insights into how SEC registrants are addressing these risks. They do this by imposing enhanced and standardized disclosure requirements in two critical areas:

• Prompt disclosure of any material cybersecurity incident the company experiences;
• Annual disclosure of detailed information about the entity's cybersecurity risk management, strategy and governance efforts;

The disclosures are required of all public companies that are subject to SEC reporting under the Securities Exchange Act of 1934, including smaller reporting companies (SRCs). The SEC rules also require comparable disclosures from foreign private issuers.

Cybersecurity incident disclosure rules

One component of the new rules is the requirement for prompt disclosure of material cybersecurity breaches or incidents in a company's Form 8-K. CFOs should address this requirement by taking a closer look at some of the specifics and then considering potential compliance challenges their companies might face.

Form 8-K: What the new rules require

Under the new rules, any company subject to SEC reporting requirements must issue a public disclosure of any material cybersecurity event. The disclosure must be filed on Form 8-K within four business days of determining that the incident is material.

The disclosure requirement can apply to either a single material event or a series of related smaller events that are determined to materially affect the company. It's important to note that the four-day deadline for filing is tied not to the discovery of a cybersecurity event but rather to the company's determination that an incident or series of incidents is material. The rules also instruct companies to make this materiality determination "without unreasonable delay."

In terms of content, the disclosure must spell out the material aspects of the nature, scope and timing of the incident. The company also must disclose the material impact, or the "reasonably likely" material impact, the event will have on the company, including its financial condition and results of operations.

On the other hand, the company is not required to disclose specific or technical information about its planned response to the incident or about its cybersecurity systems, networks, devices or potential system vulnerabilities in a way that would impede its response or remediation.

Smaller reporting companies, or SRCs, have a little more time to comply. The reporting requirement is already in effect for non-SRCs; it will go into effect for SRCs on June 15, 2024. The rules allow for a limited delay if the U.S. attorney general determines the disclosure would pose a substantial national security or public safety risk, but invoking such a delay would require close collaboration with the Department of Justice.

Form 8-K compliance challenges

Determining when a cybersecurity incident is material is a critical consideration for companies. The new rules do not provide a new definition of materiality that exists today under SEC rules; specifically, as the Supreme Court has held, information is material if there is "a substantial likelihood that the . . . fact would have been viewed by the reasonable investor as having significantly altered the 'total mix' of information made available."

The new rules also echo previous SEC statements that companies should not rely solely on numeric measures or benchmarks (such as the cost of a breach as a percent of revenue) to determine if an event is material. The new rules specifically state that the "inclusion of 'financial condition and results of operations'" as part of the discussion of materiality "is not exclusive."

They go on to say that "companies should consider qualitative factors alongside quantitative factors in assessing the material impact of an incident. By way of illustration, harm to a company's reputation, customer or vendor relationships, or competitiveness may be examples of a material impact on the company."

In view of these statements, CFOs should review their organizations' current processes and policies for determining materiality and consider if those processes need to be updated to address the effects of the new cybersecurity incident disclosure rules. Collaboration between CFOs and information security teams will be needed to establish processes for evaluating incidents, including processes for assessing whether a series of related events have materially affected the company.

For their part, information security departments should revisit their incident response programs to verify the design and effectiveness of the processes. Ideally, those responsible should consider conducting tabletop exercises or other tests so that they can evaluate the adequacy of these processes at a time when they are not under the added pressure of an actual breach.

In addition to supporting compliance with the new disclosure requirements, a strong program along with layered security controls can help de-escalate an event and thus reduce the total impact before it becomes big enough to be financially material. Because incidents that are not deemed material are not required to be publicly disclosed, CFOs should take an active role in encouraging such a review and should verify that the incident response processes — including containment, eradication and recovery — are seamlessly integrated with the company's Form 8-K timely reporting requirements.

Annual cybersecurity risk management disclosure rules

In addition to prompt disclosure of material cybersecurity breaches, the new rules also require registrants to disclose certain new information about their cybersecurity-related risk management, strategy, and governance efforts in their annual 10-K reports. Here again, CFOs should understand both the new requirements and the potential compliance challenges.

Form 10-K: What the new rules require

Under the new rules, SEC Regulation S-K now requires SEC registrants to include specific cybersecurity disclosures on their annual Form 10-K. This disclosure must describe the board of directors' oversight of cyber risk, which includes identifying any board committee or subcommittee that is responsible for this oversight. The disclosure also must describe management's role and expertise in assessing and managing cyber risks.

In addition to identifying the groups and individuals involved in managing and overseeing cyber risk management, SEC registrants' Form 10-K also must describe their processes for identifying, assessing and managing material risks from cybersecurity threats, including a description of how cybersecurity processes are integrated into the company's overall risk management.

Registrants also must disclose the engagement of any third parties, including consultants and auditors, along with the processes the registrants have in place to oversee cybersecurity risks associated with the use of third-party service providers. Finally, registrants must disclose whether and how any cybersecurity-related threats or incidents have materially affected their business strategy, operations or financial condition.

The new annual disclosure requirements are now in effect for all registrants including both SRCs and non-SRCs, and compliance is required for all 10-K reports for fiscal years ending on or after Dec. 15, 2023.

Form 10-K compliance challenges

The new rules do not require specific language to be used in the reporting organization's disclosure; CFOs and boards instead will need to draft language that is specifically applicable to each entity's particular business circumstances and cybersecurity risk profile. The new disclosure language should be consistent with the underlying content requirements of the 10-K. That is, in addition to spelling out risks and processes, it also should describe the entity's action plan for meeting any unmet requirements.

In addition to seeing that the new disclosure accurately describes the company's existing programs and initiatives, the CFO must ensure the programs and initiatives that are being described are adequate. If existing management, strategies and governance are not sufficient to address the requirements, the company must act quickly to develop and execute adjustments to strengthen its cybersecurity program and, therefore, the information shared in the annual disclosure response.

Although compliance with the new rules is critical, strong cybersecurity practices, such as those the new rules support, also provide companies with other benefits. One such benefit is the potential competitive advantage such practices can produce, as a growing number of customers and critical suppliers now direct their business relationships to those entities that recognize the growing importance of cybersecurity issues and are working proactively to stay ahead of the issue.

In this sense, the new 10-K disclosure requirements can be regarded as more than just added compliance tasks — they also present an opportunity for the company to tell investors and other stakeholders a strong story that highlights its strengths and potential competitive advantages.

Opportunities for improvement

These disclosure requirements are already in effect, so preparations should be underway or completed. For the many companies with a fiscal year that just ended on Dec. 31, annual 10-K report compliance is an obvious priority, but compliance with the Form 8-K incident disclosure rules is equally important. Any company that has not yet updated its incident response processes to address the new materiality determination requirements should act immediately to do so. A breach or other cybersecurity incident can occur without warning.

The new disclosure requirements should not be viewed in isolation as a compliance exercise alone; they can be a catalyst to improve cybersecurity program maturity. Because of the serious impact that cybersecurity attacks can have on any organization, the quick identification, assessment and mitigation of such attacks are crucial. By helping to uncover potential cybersecurity inadequacies that might otherwise go unrecognized until a cybersecurity event occurs, the new SEC requirements provide an opportunity for all concerned to improve the overall effectiveness of their risk management efforts.