In an increasingly digital world, cybersecurity has become a paramount concern for both investors and companies. The U.S. Securities and Exchange Commission (SEC) has recognized this growing threat and has introduced new cybersecurity rules aimed at bolstering the security of financial systems and protecting the interests of investors. In this blog, we will explore what these new rules entail and why they matter to both investors and companies.
On July 26, 2023, the US Securities and Exchange Commission (SEC) finalized a regulation that imposes increased transparency related to cybersecurity risk management, governance, and cyber incident disclosure.
The SEC’s final rule is aimed at helping investors make informed investment decisions by providing them with information about public companies’ cybersecurity risk management. As cybersecurity becomes a cornerstone of corporate governance, investors can use a company’s security maturity as a market differentiator.
Understanding SEC’s New Cybersecurity Guidelines
The new final rule represents a significant evolution in the SEC’s approach to cybersecurity disclosure, and a major step forward in promoting transparency and accountability in cybersecurity risk management. It provides more detailed requirements for disclosing cybersecurity risks and emphasizes disclosure of the board’s role in overseeing cybersecurity risk management. With a key focus on ensuring that companies disclose material cybersecurity information in a more consistent, comparable and decision-useful way, the SEC’s new rule will likely benefit investors, companies, and the markets connecting them. It may also influence other regulators and standard-setting bodies in the US and internationally.
The rule applies to all registered companies, not just those with assets in the US. Thus, if a company files with the US SEC, any incidents affecting its global assets are also under the jurisdiction of the regulation. This means visibility needs to include threat intelligence that is localised to other geographies. Companies that are publicly traded on a US stock exchange must comply with the rule’s cyber risk management and incident disclosures starting in mid-December 2023 (or Spring 2024 for qualifying small companies).
The final rule adopts new disclosure requirements in three main areas, which are discussed below.
1. Cybersecurity Incident Disclosure
Under the new rules, publicly traded companies must disclose any material cybersecurity incident on the newly introduced Item 1.05 of Form 8-K within four business days of determining that the incident is material. The disclosure must describe the incident’s nature, scope, and timing, and its material or reasonably likely material impact on the company. It may be delayed only if the U.S. Attorney General determines that immediate disclosure would risk national security or public safety. The disclosure must be filed whether or not the incident has been contained.
Implication: This four-business-day requirement is expected to be a game-changer for many public companies, requiring them to have a robust breach response process, including regular tabletop exercises that simulate how they would gather data about an incident and ultimately determine its materiality. It also underscores the need for a well-crafted communications plan to be able to diligently manage press inquiries and social media chatter that could alarm investors, shareholders, and consumers.
2. Cybersecurity Risk Management
The new rules add Regulation S-K Item 106, requiring companies to outline their processes for assessing, identifying, and managing material risks from cybersecurity threats. Companies must disclose any material effects or reasonably likely material effects of risks from cybersecurity threats and previous incidents. The disclosure must also describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in handling such risks. These disclosures will be required in a company’s annual report on Form 10-K.
Companies must discuss elements including:
- Existence of a cybersecurity risk assessment program;
- Engagements with third parties in connection with such a program;
- Whether a company has processes to oversee and mitigate material third-party service provider cybersecurity risk; and
- The potential for cybersecurity risks to impact company operations or its financial condition.
Implication: Many companies are not ready today to reveal their cyber capabilities to the extent that the new rule requires. The new rule puts the onus on companies to give investors current, consistent and “decision-useful” information about how they manage their cyber risks. Organizations will be required to invest in enhancing cyber risk monitoring capabilities and integrate cyber risk management programs with their business strategy and financial planning.
3. Board Oversight
Finally, public companies will now annually need to describe the board’s oversight of risks from cybersecurity threats and describe the processes by which the board or a board committee is informed about such risks. This represents a shift from previous guidance that focused primarily on the company’s management. As such, the board should have processes to be informed about cybersecurity risks and incidents. This includes receiving regular updates from management or the cybersecurity team on the company’s cybersecurity risks and incidents. Additionally, the disclosure must describe management’s role in assessing and managing the company’s material risks from cybersecurity threats.
Implication: As the rule requires the boards to actively oversee cyber risk management programs, this may entail additional training for board members to understand the company’s cybersecurity risks and the measures to manage them. For many public companies, this may mean directors will have to start with board education to bring everyone up to the same cyber literacy level. Additionally, directors may want to consider taking external cybersecurity readiness courses and earning credentials, to beef up their qualifications.
How to Prepare for the SEC’s New Cybersecurity Disclosure Rule
The SEC final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure will require buy-in and active preparation from several departments of your organization to accommodate the new requirements.
The rule demands that companies provide investors with timely, accurate, and “decision-useful” information about their cyber risk management, strategy, and governance processes, and it signifies a paradigm shift in cybersecurity. With the rule slated to take effect in mid-December 2023, organizations must start gearing up for a new era of increased transparency and accountability.
As cybersecurity experts who assist organizations with, and assess, their adherence to various industry-accepted security standards, we can help get you started.
To help shield investors from the potential damages of cybersecurity breaches, the final rule requires changes to two company filings:
Form 8-K: A brand new mandatory filing item (1.05), this addition to the form demands reporting of material cybersecurity incidents within four business days of materiality determination. To clarify materiality, companies should consider quantitative and qualitative factors, including:
- Financial impact
- Customer relationships
- Vendor relations
10-K: In this annual filing, companies must provide detailed descriptions of their cybersecurity programs as part of the new Regulation S-K Item 106(b). The final rules amend Form 10-K to add new Item 1C and add Item 106 of Regulation S-K, which require disclosure regarding:
A registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. This is a slightly more flexible standard than the “policies and procedures” required to be disclosed in the proposed rules. As noted in the adopting release for the final rules, this change was made to address concerns that the proposed rules would provide too much detail and thus create security threats.
The final rules provide the following non-exclusive list of disclosure items:
- Whether and how any such processes have been integrated into the registrant’s overall risk management system or processes
- Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes
- Whether the registrant has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider
- Whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition, and, if so, how.
The board of directors’ oversight of risks from cybersecurity threats and, if applicable, the identity of any board committee or subcommittee responsible for such oversight and the processes by which the board or such committee is informed about such risks. This is a narrower disclosure than what would have been required under the proposed rules, which would have required more information regarding how cybersecurity related to the registrant’s business strategy as well as additional information about the frequency of cybersecurity discussions at board meetings.
Management’s role in assessing and managing the registrant’s material risks from cybersecurity threats, disclosed in a manner that is also less detailed than what was contemplated under the proposed rules (which would have required information about the frequency of management’s cybersecurity discussions). The final rules provide the following non-exclusive list of disclosure items:
- Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
- The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
- Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.
Item 106 of Regulation S-K requires inline XBRL tagging, including detailed tagging of narrative disclosures.
Foreign Private Issuers
The final rules amend Form 6-K to add “cybersecurity incidents” as a reporting topic per General Instruction B. As a result, foreign private issuers will be required to disclose cybersecurity incidents on Form 6-K if they disclose, or are required to disclose, such incidents under the law of the jurisdiction in which they are organized, to a stock exchange, or to their security holders.
The final rules amend Form 20-F to require foreign private issuers to provide cybersecurity disclosures in their annual reports in a new Item 16K that are the same type of disclosures required in Item 106 of Regulation S-K for domestic registrants.
Timing of Effectiveness of the Final Rules
With respect to compliance with the cybersecurity incident disclosure requirements in Form 8-K Item 1.05 and Form 6-K, all registrants other than smaller reporting companies must begin complying on the later of 90 days after the date of publication of the new rules in the Federal Register or December 18, 2023.
Smaller reporting companies will have an additional 180 days and must begin complying with Form 8-K Item 1.05 on the later of 270 days from the effective date of the rules or June 15, 2024.
With respect to Regulation S-K Item 106 and the corresponding requirements in Form 10-K and the comparable requirements of Form 20-F, all registrants must provide such disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023. For calendar year companies, this means that the disclosures will be required in their 2023 Form 10-K or Form 20-F filed in 2024.
All registrants must tag disclosures required under the final rules in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.
How IRIS CARBON® Can Guide Companies Through the Compliance Journey
Given these comprehensive and technical requirements, meeting the new regulations might seem overwhelming. With its deep cybersecurity and regulatory compliance understanding, IRIS CARBON® can guide your company through this process by aiding boards and management teams in crafting and executing an effective cybersecurity strategy, developing robust incident response plans, and providing training to prepare your company for potential cyber incidents. We can assist in accurately determining an incident’s materiality, gathering the necessary information, and preparing Form 8-K to meet the SEC’s reporting requirements.
IRIS CARBON® offers you
- Exceptional value for money with assured 25%* savings
- Fixed pricing model with no hidden or extra costs.
- Unlimited 24×7 Support with reliable assistance.
- 100% error-free filings
- Watertight Data Security with SOC 2 certification
- 350+ XBRL/iXBRL experts versed in 150+ SEC forms, supporting the filing of 10-Ks, 10-Qs, 8-Ks, etc.
We have consistently been ranked the #1 choice for iXBRL quality by multiple independent evaluators. That means we do not just transform your reporting process but also save you valuable time and money.
In conclusion, the new SEC rules mark a significant shift in corporate governance and cybersecurity, demanding more from companies but offering the opportunity to enhance their cybersecurity posture. With IRIS CARBON® as your partner, you can navigate these changes with confidence. We are committed to helping you strengthen your cybersecurity defences and maintain compliance, enabling your company to stay ahead in this ever-evolving landscape, adhering to transparency standards, and fortifying stakeholder trust.