On July 26th, 2023, the Securities and Exchange Commission adopted rules on breach notification requirements for organizations, setting broad guidelines for reporting breaches that may be “material to investors”.
So, what does “Material to Investors” mean?
A fitting example provided by the SEC was “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler. What the SEC is attempting is to assign value to the data being breached in order to establish the true “Materiality of the Breach.” Materiality, in this context, is based on whether the incident is reasonably likely to have a significant effect on the company’s operations, financial condition, or reputation. This “Materiality” is part of the response process: understanding the magnitude of the breach in the first hours of the investigation determines which systems, accounts, file directories and other breached “material” must be addressed for the organization to operate.
The SEC has also set a reporting timeline in the new requirements: companies must file a current report on Form 8-K within four business days of determining that a cybersecurity incident is material. This report should provide details about the incident.
Some may balk at this four-day requirement, arguing that gathering enough detail to show the incident is material will impact the organization’s recovery; however, the SEC used Business Continuity Processes to determine that this timeline would be acceptable, because before you can begin a recovery you must determine your impact, assign recovery efforts to personnel, and recover in business-impact order according to your organization’s recovery processes. Cyber recovery process documentation is recommended in advisories, vendor product documentation and guidance from other professional best-practice organizations, which is why the SEC recommends reviewing these processes to incorporate the new SEC reporting requirements.
The disclosure should include a description of the nature and scope of the incident, the impact on the company’s operations, and the steps taken to address the incident. It should also discuss the company’s policies and procedures regarding cybersecurity risks. All of these items can be addressed with your organization’s BCP Communication Plan, using a template already created during your organization’s business continuity planning sessions to reduce the time needed to prepare the communication.
In addition to immediate reporting on Form 8-K, companies are also required to discuss their cybersecurity risks and incidents in their periodic filings, such as Forms 10-Q and 10-K. This should include updates on previously reported incidents if there are material developments. If a company learns more information about a previously reported cybersecurity incident, and this information is material, it must amend its disclosures.
The new rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant's annual report on Form 10-K.
The rules require comparable disclosures by foreign private issuers on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.
Companies are expected to provide disclosures about their governance and risk management practices with respect to cybersecurity. This includes the role of the board of directors in overseeing cybersecurity risk. This is a notable change, as it puts the responsibility back on the board of directors to ensure that the organization’s cybersecurity teams are properly staffed, trained, and tooled, while providing investors with the information that the company has policies and procedures to address cybersecurity and the associated risk.
Lastly, there were additions about insider trading policies in the context of cybersecurity risk and incidents to prevent insiders from trading on non-public information about cybersecurity incidents.
The final rules will become effective 30 days following publication of the adopting release in the Federal Register. The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure. With respect to compliance with the structured data requirements, all registrants must tag disclosures required under the final rules in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.
It is important to note that the SEC's requirements are subject to change and can be updated to reflect evolving cybersecurity landscapes and regulatory perspectives. Companies are advised to stay informed about the latest requirements and ensure compliance through regular consultations with legal and cybersecurity experts.