Staying Ahead of the Cybersecurity Disclosure Curve

Cyberattacks on businesses have been skyrocketing, with a ransomware attack now occurring every 11 seconds. As cyber incidents become more widespread, the SEC recently enacted rules to mandate timely disclosure of material cybersecurity incidents, aiming to provide investors and the public with the information they need to properly evaluate the cyber risk profile of public companies.


What Companies Must Disclose

Under the new SEC rules, public companies will be required to report on Form 8-K any “material cybersecurity incident” they experience within four business days of determining that the incident is in fact material. Importantly, the rules define a cybersecurity incident broadly as any “unauthorized occurrence” that jeopardizes the confidentiality, integrity or availability of a company’s electronic systems or information. This means even a run-of-the-mill malware or ransomware attack would need to be evaluated for materiality and potential Form 8-K disclosure.

The Form 8-K must describe the nature, scope and timing of the incident, as well as the actual or likely material impacts on the company’s financial condition and operations. Although the rules allow companies to avoid disclosing technical details that could aid attackers, the disclosure still must provide investors with an understanding of why the incident was deemed material. For example, was sensitive data exfiltrated that could lead to heavy remediation costs, or was a vital revenue-generating system offline for an extended period?

While not requiring disclosure of every single attack or piece of affected data, the rules are intended to lift the veil on just how frequently today’s companies are targeted by cyber incidents and what the business impacts are when an incident materializes. In essence, the rules move cyber incidents into the same realm of corporate transparency as material litigation, bankruptcy risks, executive turnover and similar events regularly reported on Form 8-K.


Navigating Materiality Gray Areas

Because the disclosure requirement hinges on materiality, executives will need to thoughtfully but swiftly apply the court-established standards for materiality in determining when a cyber incident necessitates Form 8-K disclosure. Simply because an incident meets the technical definition does not mean disclosure is required; many incidents will likely still fall below the materiality threshold. However, in today’s environment of near constant cyber activity, the materiality analysis is becoming increasingly complex.

For starters, companies will need to think about the collective impact of related cyber incidents over a period of time, since a series of small incidents could together become material. Persistent IP theft over months or repeated ransomware attacks could be deemed material when considered in aggregate.

Companies will also need to broaden their assessment of harm beyond just direct financial losses. For example, incidents involving theft of sensitive customer data or intellectual property may have downstream reputational and competitive impacts that, while difficult to quantify, could be considered material over the long term.

Finally, companies will need to consider expanding their definition of what constitutes sensitive or critical data. In a digital business environment, data types once considered non-sensitive, such as email archives, may provide attackers a trove of information to exploit and thus warrant closer scrutiny when compromised.


Maintaining Timely Cyber Disclosure Processes

To meet the new four-day reporting deadline, public companies will need to assess whether their current cybersecurity incident response and disclosure processes are up to speed. Waiting until an investigation concludes is no longer an option: under the rules, companies must make the materiality determination promptly rather than at the end of the investigation, and must file the Form 8-K within four business days of that determination.

This means cybersecurity, legal, compliance and investor relations teams need to coordinate seamlessly to gather the facts rapidly, apply the materiality criteria, prepare the appropriate disclosure, and file within the allotted timeframe. Companies should immediately confirm:

  • Incident response plans classify cyber events by severity, with material events escalated promptly up the chain of command.
  • Materiality analyses are initiated at the first sign an incident could be material, rather than waiting for the investigation to wrap up.
  • Executive leadership and directors tasked with materiality judgments understand the factors for deeming an incident material and how to apply them.
  • Disclosure workstreams are initiated in parallel with response/remediation, with templates ready to streamline disclosure preparation.
  • Processes are in place to track incidents over time for potential aggregation analyses.

With reputational harm and stock drops demonstrably resulting from high-profile cyber incidents, the new rules make swift disclosure imperative. By taking the time now to evaluate and tune up their cyber disclosure procedures, companies can mitigate regulatory and investor backlash when an incident inevitably occurs.


When Delayed Disclosure May Be Permitted

Because premature disclosure of some incidents genuinely could exacerbate security risks, the new rules permit a filing delay in limited cases. Companies can refrain from disclosing for up to 30 days if the U.S. Attorney General determines the incident poses a substantial risk to national security or public safety. The delay can be extended for another 30 days upon a new determination by the Attorney General.

In extraordinary cases, disclosure can be delayed up to a total of 120 days from the initial determination of materiality if the Attorney General assesses the ongoing national security risk warrants it. Any further extensions require SEC approval. However, unless informed of such a determination by the Attorney General, companies cannot opt to delay disclosure on their own accord due to perceived security risks.

This exception applies narrowly to incidents with a clear national security dimension, such as an attack on critical infrastructure. The exception may also come into play if law enforcement determines public disclosure about a specific incident would reveal sensitive investigative methods or impede apprehension of the criminals behind it.

Absent such a compelling rationale, however, companies will need to report incidents within four business days of determining their materiality once the new rules take effect. There are no general exceptions for ongoing remediation or incomplete impact assessments.

With cyber incidents now occurring at a dizzying pace, the new SEC disclosure rules usher in an era of greatly increased transparency for investors regarding companies’ cyber risk profiles. While the rules aim to elicit decision-useful information, they also create complexity around materiality judgments and tighten timeframes for disclosure. To balance investor needs with cyber and regulatory risk, public companies will need to reevaluate their incident response and public disclosure procedures in 2023 before these rules take effect.

As you prepare for these new SEC cybersecurity disclosure requirements, the experts at CSPi Technology Solutions are here to help. With decades of experience assisting organizations with IT infrastructure, security, and regulatory compliance, CSPi can guide you through risk assessment, reporting frameworks, and developing cyber incident response plans tailored to the new rules. Don’t delay – contact CSPi now to get ready for the SEC’s expanded cybersecurity disclosures.
