The landscape of cybersecurity compliance has shifted dramatically for public companies since the U.S. Securities and Exchange Commission (SEC) adopted its July 26, 2023 rules, which require public companies to disclose material cybersecurity incidents under Item 1.05 of Form 8-K. For companies in the financial sector, these SEC rule changes carry significant implications and may have required a reevaluation of cybersecurity risk management strategies, as well as increased transparency and governance processes.
In 2024, the SEC released additional guidance and clarification on the rule change, giving public companies a better understanding of their responsibilities and how to comply. In this article, we discuss the key elements of the SEC’s cybersecurity incident disclosure rule — including materiality determination, the SEC’s stance on cybersecurity technologies and practices, exclusions from the disclosure requirements, and preparing for compliance — and offer actionable steps financial firms can take to adapt to these requirements.
Understanding the SEC Cyber Incident Rule Change
The new SEC rule comprises two significant parts:
- Incident Disclosure Requirement: Public companies must disclose any material cybersecurity incident on Form 8-K. Material incidents can include data breaches, system intrusions, ransomware attacks, and email account compromises. The disclosure must be filed within four business days of determining that the incident is material. This is a critical distinction: the four-day countdown begins when materiality is determined, not when the incident occurs or is discovered.
- Annual Disclosure Requirement: Companies must now provide an annual disclosure detailing their cybersecurity risk management, strategy, and governance processes. This involves revealing how the firm manages, mitigates, and oversees its cybersecurity risks.
In his public statement on the adoption of the new rules, SEC Director John Gerding explained that the change was essential to better protect investors and promote market integrity. He also noted that the SEC recognizes the challenges of cybersecurity risk management in today’s digital age.
Determining Materiality in Cybersecurity Incidents
“Materiality” refers to the threshold at which an event becomes significant enough to influence the decisions of a reasonable investor or stakeholder. It is the cornerstone of the new SEC rule. The determination process involves weighing factors such as:
- the potential harm to the company’s reputation, competitive position, or relationships with customers and vendors.
- financial repercussions stemming from the incident.
- the likelihood of litigation or regulatory action from local, state, federal, or international authorities.
- data theft consequences that impact customers, individuals, or other stakeholders.
SEC’s Approach to Cybersecurity Technologies
The SEC rule does not prescribe specific cybersecurity technologies or practices. The main aim is to standardize public company disclosures for investors’ benefit. Companies retain the autonomy to choose and implement their cybersecurity measures based on their unique needs and risk assessments.
Exceptions to SEC Disclosure Requirements
Certain exclusions apply to the SEC disclosure requirements, including:
- National Security or Public Safety Concerns: Disclosure delays are permissible if reporting an incident could compromise national security or public safety. Such delays require written authorization from the Attorney General, as outlined by the Department of Justice (DOJ).
- Protection of Incident Response Details: Companies are not required to disclose technical specifics that could impede incident responses or provide a roadmap for future attacks. This includes detailed information about cybersecurity systems, networks, devices, or potential vulnerabilities.
Preparing to Comply with the SEC Rule Change
This section sets out actionable strategies that financial firms can use to prepare for and comply with the new SEC cybersecurity disclosure rules. Financial institution (FI) leaders can take the following steps to position their organizations to meet the compliance requirements.
1. Establishing a Materiality Assessment Process
To adhere to the four-day disclosure requirement, financial firms should develop a robust process for assessing the materiality of cyber incidents. This process should encompass:
- Incident Reporting Protocols: Immediate reporting protocols ensure that incidents are promptly escalated to the appropriate decision-makers for materiality assessment.
- Materiality Assessment Framework: A clear framework should outline the criteria for determining materiality, incorporating all SEC guidelines and factors such as reputational harm and financial impact.
- Documentation and Tooling: The assessment process, and each materiality determination made under it, should be thoroughly documented, with tooling that captures the necessary incident details efficiently and preserves a record of when the determination was reached.
- Communication Plan: Ensure all relevant stakeholders, including the board of directors and key executives, understand the materiality assessment protocol.
2. Enhancing Risk Management and Governance Frameworks
To satisfy the annual disclosure requirement, financial firms need comprehensive risk management programs. These programs should involve:
- Board Oversight: Board involvement ensures that cybersecurity risk management receives the necessary attention and resources.
- Engagement of Key Management: Cybersecurity risk management should engage key management personnel across the organization to foster a proactive culture.
- Regular Assessments: Regularly assess and update the risk management program to address evolving threats and changes within the business environment.
- Strategic Reviews: Conduct annual reviews or additional reviews following significant business or security developments.
3. Adapting Cybersecurity Strategies and Policies
Although the SEC rule does not mandate specific technologies, financial firms should continue to refine their cybersecurity strategies and policies. Key areas include:
- Continuous Improvement: Stay abreast of the latest cybersecurity trends and advancements. Ensure strategies evolve to address new risks identified through regular assessments and threat intelligence.
- Employee Training: Regular training and awareness programs ensure that employees at all levels understand security policies and incident reporting procedures.
- Third-Party Risk Management: Strengthen oversight of third-party vendors and partners to manage risks across the entire supply chain effectively.
4. Formulating Incident Response and Public Disclosure Plans
Firms should develop detailed incident response and public disclosure plans to navigate the SEC’s timelines and requirements seamlessly. Key components include:
- Rapid Response Team: Establish a dedicated team to respond to and manage cybersecurity incidents, ensuring they can work swiftly to determine incident materiality.
- Public Relations Strategy: Craft a public relations strategy for communicating about incidents, so that stakeholders, including investors and customers, are kept adequately informed while the firm remains in compliance with SEC guidelines.
- Legal and Regulatory Compliance: Ensure legal teams are well-versed in both the SEC rules and broader regulatory compliance requirements, particularly those that may impact disclosure timelines due to national security or safety concerns.
Now is the Time to Be Proactive
Failure to adhere to the new SEC cybersecurity disclosure rules exposes financial institutions to significant regulatory penalties, legal challenges, and irreparable reputational harm. With cyber threats growing increasingly sophisticated, the stakes of non-compliance are higher than ever. Fortunately, by proactively embracing these guidelines, firms can fortify their defenses and build greater trust with their stakeholders, paving the way for a more resilient future.
Your Partner in Cybersecurity and Compliance
Option One Technologies offers comprehensive cybersecurity solutions to help financial firms navigate the evolving threat landscape and compliance requirements successfully. Our team of experts can provide tailored risk assessments, incident response planning, and ongoing support to satisfy SEC disclosure requirements and protect your organization’s assets. Contact us today to learn more.