The U.S. Securities Exchange Commission (SEC) recently adopted a final rule regarding cybersecurity risk management, governance, and incident reporting. The final rule went into effect on September 5, 2023, and disclosure requirements apply to fiscal years ending on or after December 15, 2023.

The new rule imposes additional disclosure requirements on U.S. reporting issuers and foreign private issuers, including all public companies. Under the new rule, public companies must:

• Disclose cyber incidents within four business days of determination the incident is material;
• Disclose the process for assessing, identifying and managing material risks from cybersecurity threats in an annual report on Form 10-K;
• Disclose the Board of Directors’ oversight and management role in assessing and managing material cybersecurity risk in an annual report on Form 10-K.

The focus on director oversight is significant. Moving forward, boards will need to be well-informed about the company’s risk management strategies and preparedness for addressing cyber incidents effectively.

What is a “material” cybersecurity incident?

The SEC cybersecurity rules describe a material incident based on the long-standing definition of materiality that is used in securities law. Information is material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision. While there is not a specific financial threshold for a material cyber incident, the SEC offered a few examples of what a material cybersecurity incident might look like.

“For example, an incident that results in significant reputational harm to a registrant may not be readily quantifiable and therefore may not cross a particular quantitative threshold, but it should nonetheless be reported if the reputational harm is material. Similarly, whereas a cybersecurity incident that results in the theft of information may not be deemed material based on quantitative financial measures alone, it may, in fact, be material given the impact to the registrant that results from the scope or nature of harm to individuals, customers, or others, and therefore may need to be disclosed.”

In reality, when a cybersecurity incident occurs, determining what is material and when to disclose it is not always a straightforward analysis with a clear answer.

Delayed Reporting

The SEC provided a narrow basis for delayed reporting beyond the four business day deadline. The deadline may only be extended if the U.S. Attorney General determines that a disclosure would pose a substantial risk to national security or public safety. The FBI and DOJ issued guidance explaining the process companies can use to request a determination by the U.S. Attorney General, or a designee.

The guidance includes a multi-step process for seeking a delay of public disclosure.

1. Timing is critical. Companies should contact the FBI as soon as the company believes disclosure of a cyber incident may pose a substantial threat to national security or public safety.
2. Full Disclosure. The company will need to provide the FBI with all information it needs to request a delay.
3. Processing of Request. The FBI will process the request and refer the request for delayed reporting to the DOJ.
4. Review. DOJ will review the request and make a finding regarding whether the public disclosure threatens national security and public safety and will notify the SEC in writing, which will delay notification by up to 30 days.

Cybersecurity incidents involving novel vulnerabilities, sensitive U.S. government information or affecting critical infrastructure are the types of incidents that DOJ is most likely to approve a delayed notification.

Knowing the Reporting Requirements is NOT just for Public Companies

Despite the fact that the SEC cybersecurity rules are targeted at public companies, many public companies rely upon smaller third-party software and supply chain companies, and a cyberattack at any point along that chain could have material impacts. Therefore, if you or your company provide services to a public company, you should familiarize yourself with the new regulations.

The New Reporting Requirements Require Preparation of an Incident Response Plan

The SEC’s new cyber rules aim to safeguard companies from the increasing cyber threat landscape. Moving forward, companies should establish a relationship with the cyber division of their local FBI field offices, as they will be the primary point of contact in the event of a cybersecurity incident. It is also important for companies subject to the new SEC disclosure rules to review and revise their incident response protocols and risk management practices. Advanced preparation and an established incident response plan will be critical when faced with the crisis of a cybersecurity incident.

[View source.]