SEC Proposes New Cybersecurity Incident Disclosure Rules

Simar Kohli
March 22, 2022

Cybersecurity is already a growing priority for companies looking to build customer trust, but the U.S. Securities and Exchange Commission's (SEC) proposed cybersecurity incident disclosure rules make protecting one’s organization more important than ever.


The SEC’s new rules would treat cybersecurity incidents like financial news

One of the SEC’s most important functions is mandating that publicly traded companies disclose relevant financial information in order to ensure a level playing field for investors. Companies must file quarterly reports known as a Form 10-Q with the SEC containing net revenue, expenses, earnings per share, and several other types of financial information.

Publicly traded firms must also inform investors, via Form 8-K, about events that could affect share prices, such as planned mergers and acquisitions. Form 8-K is the “current report” through which shareholders learn about major events impacting a company.

The SEC is considering classifying cybersecurity incidents and data breaches as material events that could impact a company's stock price by adding a cybersecurity section to Form 8-K. New Item 1.05 would require a company to file a disclosure report within four business days of determining that a cybersecurity incident it has experienced is material. Here’s more detailed information about the specifics of the SEC’s proposed changes.

Breaking down the SEC’s new cybersecurity proposals

The SEC’s proposal has several layers of rule changes that companies must abide by. Here are some of the most relevant changes that would impact the majority of companies going forward.

What “disclosure after determination of material incidents” means

If the SEC’s rules were to pass, companies would be required to file reports after determining that a material incident has occurred. “Determination” is the key word: it allows organizations to investigate a breach before reporting it, rather than reporting upon discovery. The four-business-day clock starts at determination, not discovery. Even so, companies may not sit on a discovered breach indefinitely; they are required to reach a materiality determination as soon as reasonably practicable after discovery.

Whether an incident is “material” is determined using preexisting SEC case law. An incident is material if there is a substantial likelihood that a reasonable shareholder would consider it important when deciding whether to buy or sell the stock. It is also material if it would significantly alter the total mix of publicly available information about the company.

What goes into a disclosure report

Here are the components of the report that a company must write when disclosing material cybersecurity incidents.

  1. When the incident was discovered and whether it is ongoing.
  2. A description of the incident and the scope of systems and data it affects.
  3. Whether data was accessed, modified, stolen, or disclosed for unauthorized purposes.
  4. How the incident impacts the company's operations.
  5. Whether the incident has been remediated or remediation is still in progress.
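The two passages above describe a small procedure: the clock starts at the materiality determination (not at discovery), it runs for four business days, and the resulting Item 1.05 report must carry five specific pieces of information. The following Python is an added example, not code from this post or from the SEC, of how an incident-response team might track that in a ticketing or GRC tool. Business days are assumed to be Monday through Friday, and any market holidays to skip are passed in explicitly by the caller; the field names on the record are this example's own choices.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional

# Saturday and Sunday in Python's weekday() numbering (Monday == 0).
WEEKEND = {5, 6}


def add_business_days(start: date, n: int,
                      holidays: FrozenSet[date] = frozenset()) -> date:
    """Return the date n business days after `start`.

    Weekends are always skipped; `holidays` is an assumed, caller-supplied
    set of additional non-business days (e.g. market holidays).
    """
    current = start
    remaining = n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() in WEEKEND or current in holidays:
            continue
        remaining -= 1
    return current


@dataclass
class IncidentDisclosure:
    """One material-incident record with the fields Item 1.05 asks for."""
    discovered_on: date
    ongoing: bool
    description: str           # what happened
    scope: str                 # systems / data affected
    data_effect: str           # accessed / modified / stolen / disclosed / none
    operational_impact: str    # effect on the company's operations
    remediation_status: str    # "remediated" or "in progress"
    determined_material_on: Optional[date] = None  # set only after the materiality call

    # Text fields the report cannot ship without. `ongoing` is a bool, so a
    # value of False is a legitimate answer and is not treated as missing.
    REQUIRED = ("discovered_on", "description", "scope", "data_effect",
                "operational_impact", "remediation_status")

    def filing_deadline(self,
                        holidays: FrozenSet[date] = frozenset()) -> Optional[date]:
        """Four business days after determination; None while undetermined.

        The deadline deliberately ignores `discovered_on`: the proposal starts
        the clock at determination, not at discovery.
        """
        if self.determined_material_on is None:
            return None
        return add_business_days(self.determined_material_on, 4, holidays)

    def determination_lag_days(self) -> Optional[int]:
        """Calendar days between discovery and determination, for tracking
        whether the determination was made reasonably promptly."""
        if self.determined_material_on is None:
            return None
        return (self.determined_material_on - self.discovered_on).days

    def missing_fields(self) -> List[str]:
        """Names of required report fields that are still empty."""
        return [name for name in self.REQUIRED
                if getattr(self, name) in (None, "")]


if __name__ == "__main__":
    # Constructed sample: discovered on a Thursday, determined material the
    # following Friday (2022-03-18). Four business days later is 2022-03-24.
    sample = IncidentDisclosure(
        discovered_on=date(2022, 3, 10),
        ongoing=False,
        description="Credential-stuffing against the customer portal",
        scope="Customer portal and its session store",
        data_effect="accessed",
        operational_impact="Portal logins disabled for six hours",
        remediation_status="remediated",
        determined_material_on=date(2022, 3, 18),
    )
    print("Determination lag (days):", sample.determination_lag_days())
    print("Form 8-K deadline:", sample.filing_deadline())
    print("Missing fields:", sample.missing_fields())
```

Note the two checks a reviewer of such a record would want: `filing_deadline` stays `None` until someone actually records the materiality determination, so the clock cannot be started by accident from the discovery date, and `missing_fields` catches a report that is about to be filed with one of the five required elements blank.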

What cybersecurity definitions the SEC uses

The SEC has included several definitions for terms within the new proposed changes.

  • Cybersecurity Incident: an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.
  • Cybersecurity Threat: any potential occurrence that may result in an unauthorized effort to adversely affect the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.
  • Information Systems: information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant’s information to maintain or support the registrant’s operations.

New risk management and strategy reporting requirements

The SEC’s new rules would also require companies to report their risk management policies and procedures. The changes would add Items 106(b) and 106(c) to Form 10-K, the annual report. Here are some of the major risk management reporting requirements contained in those items.

  • Whether an organization has a cybersecurity program and a description of the program.
  • Whether a company has consultants, auditors, or other third parties involved in the cybersecurity program and any policies/procedures for third parties.
  • A description of the activities a company takes to prevent cybersecurity incidents.
  • Business continuity and recovery plans in the case of an incident.
  • How previous cyber-risks have impacted strategy, business models, and operations.
  • How cybersecurity is part of a company's financial planning.

Companies can choose to disclose additional information to promote transparency and win customer/partner trust.

New governance requirements

The SEC has also introduced new governance requirements in its proposed changes. Companies would have to describe how their board of directors oversees cybersecurity: which board members are responsible for security, how the board is informed about cybersecurity, how often the board discusses cybersecurity, and how the board factors cybersecurity into business decisions and risk management plans.

It also includes reporting the qualifications of the board members who oversee security: whether the director has prior cybersecurity experience, any relevant degrees or certifications they hold, and whether they have knowledge of relevant cybersecurity issues.

The proposed changes mandate that companies explain how management is involved in cybersecurity. This includes who is in charge of managing cyber-risk and their qualifications, if a company has a CISO or CISO equivalent, the company's processes for detecting and remediating cyber incidents, and how often management reports to the board of directors.

Recommendations and next steps following these proposals

The first step any organization should take in light of these proposed changes is updating its reporting mechanisms so that the relevant cybersecurity information can be disclosed easily and within the four-business-day window. This may mean modifying current reporting forms to include the new line items about cybersecurity. It also entails documenting how the board of directors (and management) handles cybersecurity and including that in future reports.

The next step that organizations should take is updating policies and procedures to lower the risk of a material cyber incident. Although there is no perfect solution to prevent breaches 100% of the time, there are several steps companies can take to protect themselves. Research shows that the most effective way to lower the likelihood of a cybersecurity incident is effective security awareness training. Most breaches happen due to human error, and security awareness training lowers the likelihood of a breach by up to 80%!

Here at Haekka we’ve written our own security awareness training and made it free of charge so everyone has the knowledge they need to protect themselves, their company, and to make the world a safer place. Check out our security awareness training here, and feel free to schedule a demo with one of our founders for more information about helping your company with cybersecurity and compliance!