Tackling the 2023 SEC Cybersecurity Rules

The new rules from the U.S. Securities and Exchange Commission (SEC) on reporting mark a significant shift in the requirements for disclosing cyber breaches, leaving many businesses wondering how their cybersecurity practices will be impacted in the long run. These new rules create significant new disclosure obligations for public companies, requiring timely and detailed disclosures of material cybersecurity incidents and periodic disclosures about cybersecurity risk management and governance.

The new guidance, which the SEC passed in July 2023 (the “2023 Guidance”), is an accelerated evolution of its 2018 Guidance and proposes several notable changes. In addition to the new cybersecurity rules, the SEC Division of Examinations released its 2024 examination priorities, which our Compliance team addressed in a separate article

The updates put more demands on already pressured businesses and underpin the importance of having a robust incident response plan plan, a process we identified in businesses with mature cyber practices in our Detection and Response Maturity Model. Alongside these changes, organizations also face preparing for the EU Digital Operational Resilience Act (DORA), which requires all companies across member states to ensure that they can withstand, respond to and recover from Information and Communications Technology (ICT) related disruptions and threats. Like the new SEC rules, this regulation means that businesses must act by carefully reviewing and updating their ICT and information security practices and processes.

In the new rules, the SEC has:

• Narrowed the scope of incident disclosure.
• Added a limited delay for disclosures that would pose a substantial risk to national security or public safety.
• Required certain updated incident disclosure on an amended Form 8-k/6-K (instead of a Form 10-Q/10-K/20-F).
• Omitted aggregation of immaterial incidents for the materiality analysis.
• Streamlined the risk management, strategy and governance disclosure requirements.
• Declined to adopt the proposed requirement to disclose board cybersecurity expertise.

How the Changes Will Impact Organizations

Under the 2023 Guidance, businesses must disclose the existence of and the key details surrounding a cybersecurity incident within four business days of determining that an incident is material. This requirement will eventually result in a more publicly accessible repository for cybersecurity incidents affecting public companies through SEC filings. While that may not seem significant, there is currently no centralized, permanent record of incidents. News coverage, press releases, notifications and company announcements can become more challenging to find a few months after the event. Most notable trackers are privately held or equally incomplete.

There will be some confusion in the short term as companies evaluate how to address the rules. It wouldn’t be surprising to see companies err on the side of sharing limited information, especially if they are actively responding to an incident.

For now, companies should evaluate the ruling requirements as one of many drivers for public disclosure, on top of GDPR or HIPAA requirements, operational realities in the event of disruptions due to an incident, or individual notification requirements.

Defining a Material Incident

The rules offer little clarity on what makes an incident material. Certainly, in making that determination, it will be necessary to consider how the incident affects the company’s operations, the effects of the incident on the organization’s reputation, whether (and what) data may have been released, the likely time to recover operations, the costs associated with the incident, the need for notifications of affected consumers or customers, state or federal disclosure requirements, and more.

The decision comes down to the company—hopefully in conjunction with counsel—making the determination of whether an incident is material. If a company concludes the incident is not material—and thus doesn’t require an 8-K disclosure—it should be prepared to defend that conclusion against a regulator or lawsuit. Evidence to support the decision of whether an incident is material or not should, therefore, be carefully considered.

The 2023 Guidance and Company Boards

The final rules require disclosing the board’s oversight of risks from cybersecurity threats. However, the SEC abandoned the proposed requirement to disclose the board’s cybersecurity expertise. Still, there is a clear obligation on the part of boards to exercise appropriate oversight of cybersecurity. Some companies question whether the SEC expects robust cybersecurity program oversight by a dedicated cyber committee with cyber experts. While a dedicated cybersecurity committee might not be mandated at this stage, we believe all companies should have reliable cybersecurity expertise available to advise on and/or implement policies and controls.

As with other areas of risk management, the board of directors is expected to take a thoughtful and company-specific approach to determining an effective and appropriate structure for oversight of cybersecurity risk. This should include increasing board-level education on cybersecurity, deep-dive discussions with management, and external programs or presentations from law enforcement and other third-party experts on the threat environment, attack trends and common vulnerabilities.

Navigating Effective IR and Disclosure Requirements

The more aggressive disclosure timeframe of the new SEC ruling underscores the importance of ensuring that effective disclosure controls and procedures are in place for escalating potentially material events to senior legal and business leaders to achieve accurate and timely reporting.

Companies will need to quickly determine whether an incident is material such that a Form 8-K is required, if disclosure is required, and how to ensure that it meets SEC requirements without compromising the effectiveness of its response or remediation plans.

Helpfully, the 2023 Guidance specifically indicates that companies will not be expected to disclose specific technical information about their incident response or their cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede their response or remediation efforts.

Companies should evaluate their existing disclosure controls and procedures considering SEC’s final cyber rules to:

• Identify relevant stakeholders and assign responsibility.
• Review existing frameworks for escalating and analyzing cybersecurity-related data.
• Prepare an incident response plan that incorporates materiality determinations at an early stage.
• Design, implement and test heightened disclosure controls.
• Train employees to recognize and escalate issues.

As with the new DORA regulation, having a robust incident response program with a trusted partner is a key step in ensuring a business can disclose a security incident and comply with these new rules. Businesses cannot afford to wait for an incident to ensure compliance; at that point, it will be too late for action. No organization is immune to a material cyber incident. Businesses must be prepared with a strong incident response plan that has been extensively practiced, with multiple scenarios and tabletop exercises.

Improve Cyber Risk Management, Governance and Incident Disclosure in Alignment with SEC Cyber Rules

Meeting the new SEC ruling can seem daunting, but organizations can prepare by working with a trusted security partner. Kroll’s virtual chief information security officer (vCISO) and advisory services both available as part of our flexible Cyber Risk Retainer enable companies to safeguard information assets in a way that allows them to adhere to the new SEC rules and other regulatory requirements more effectively. With Kroll’s world-class cyber expertise on their side, organizations can signal to customers and regulators that they have a renewed commitment to data security while enhancing their overall security posture.

While the new SEC rules may cause some initial headaches, they also present a valuable chance for organizations to reset their approach, away from over-reliance on well-worn, familiar ways of working. By embracing the new rules as an opportunity to update their cyber strategy and collaborate with proven security partners, boards can better mitigate the threat of organizational over-confidence.