Cybersecurity is already a growing priority for companies looking to build customer trust, but the U.S. Securities and Exchange Commission's (SEC) proposed cybersecurity incident disclosure rules make protecting one’s organization more important than ever.
One of the SEC’s most important functions is mandating that publicly traded companies disclose relevant financial information in order to ensure a level playing field for investors. Companies must file quarterly reports known as a Form 10-Q with the SEC containing net revenue, expenses, earnings per share, and several other types of financial information.
Publicly traded firms must also inform investors about events that could affect share prices, such as planned mergers and acquisitions, using Form 8-K. Form 8-K is the "current report" through which shareholders learn about major events affecting a company.
The SEC is considering classifying cybersecurity incidents and data breaches as material events that could affect a company's stock price by adding a cybersecurity section to Form 8-K. Proposed Item 1.05 would require a company to file a disclosure within four business days after it determines that a material cybersecurity incident has occurred. Here is more detailed information about the specifics of the SEC's proposed changes.
The SEC’s proposal has several layers of rule changes that companies must abide by. Here are some of the most relevant changes that would impact the majority of companies going forward.
If the SEC's rules were to pass, companies would be required to file reports after determining that a material incident has occurred. "Determination" is important because it allows organizations to investigate a breach before reporting it; the rule does not require reporting upon discovery. Even though companies do not need to report the discovery of a potential breach, they would be required to make the materiality determination as soon as reasonably practicable after discovery.
Whether an incident is "material" is determined using the existing securities-law standard for materiality. An incident is material if there is a substantial likelihood that a reasonable shareholder would consider it important when deciding whether to buy or sell the stock, or if disclosing it would significantly alter the total mix of publicly available information.
Here are the components of the report that a company must write when disclosing material cybersecurity incidents.
The SEC has included several definitions for terms within the new proposed changes.
The SEC's new rules would also require companies to report their cybersecurity risk management policies and procedures. The changes would add Items 106(b) and 106(c) of Regulation S-K, which companies would report on Form 10-K, the annual report. Here are some of the major risk management reporting requirements contained in those items.
Companies can choose to disclose additional information to promote transparency and win customer/partner trust.
The SEC has also introduced new governance requirements in its proposed changes. Companies would be required to describe how their board of directors oversees cybersecurity: which board members are responsible for security, how the board is informed about cybersecurity, how often the board discusses it, and how the board factors cybersecurity into business decisions and risk management plans.
It also includes reporting the qualifications of members of the board of directors that oversee security. This would illustrate whether the director has prior cybersecurity experience, any degrees/certifications they have, and if they have knowledge of relevant cybersecurity issues.
The proposed changes also require companies to explain how management is involved in cybersecurity. This includes who is responsible for managing cyber risk and their qualifications, whether the company has a CISO or equivalent role, the company's processes for detecting and remediating cyber incidents, and how often management reports to the board of directors.
The first step any organization should take in light of these proposed changes is updating its reporting mechanisms to make disclosing relevant cybersecurity information easier. This may mean modifying current reporting forms to include the new line items about cybersecurity. It also entails documenting how the board of directors (and management) handles cybersecurity and including it in any future reports.
The next step organizations should take is updating policies and procedures to lower the risk of a material cyber incident. Although no control prevents breaches 100% of the time, there are several steps companies can take to protect themselves. One of the most effective ways to lower the likelihood of an incident is effective security awareness training: many breaches involve human error, and training is reported to lower the likelihood of a breach by up to 80%.
Here at Haekka we’ve written our own security awareness training and made it free of charge so everyone has the knowledge they need to protect themselves, their company, and to make the world a safer place. Check out our security awareness training here, and feel free to schedule a demo with one of our founders for more information about helping your company with cybersecurity and compliance!